I'm trying to figure out why this is happening.
5240 daemon: -q15m, listening for SMTP on port 25 (IPv4)
12317 handling incoming connection from (smtp3.landam.com) [206.211.124.16]:28424 I=[127.0.0.1]:25 id=1GxRF0-0003Cf-Al
35228 handling incoming connection from (mail.co.dutchess.ny.us) [64.72.67.130]:32280 I=[127.0.0.1]:25 id=1GxPk3-0009AC-3D
49158 handling incoming connection from (ms-smtp-04.rdc-nyc.rr.com) [24.29.109.8]:54683 I=[127.0.0.1]:25 id=1GxRAl-000Cms-0n
85796 handling incoming connection from (imr-d02.mx.aol.com) [205.188.157.40]:57622 I=[127.0.0.1]:25 id=1GxRDb-000MJo-Hp
90577 handling incoming connection from (mail.suss.com) [12.152.229.226]:37691 I=[127.0.0.1]:25 id=1GxREr-000NYv-Q1
[/var/spool/exim/scan]# 65 > du -sh *
29M 1GxPk3-0009AC-3D
514K 1GxRAl-000Cms-0n
72M 1GxRDb-000MJo-Hp
6.1M 1GxREr-000NYv-Q1
20K 1GxRGq-000CTd-FD
# Exim mainlog
2006-12-21 11:56:31 SMTP connection from [205.188.157.40]:57622 I=[127.0.0.1]:25 (TCP/IP connection count = 9)
2006-12-21 12:00:06 1GxRDb-000MJo-Hp malware acl condition: clamd: unable to read from socket (Operation timed out)
2006-12-21 12:00:06 1GxRDb-000MJo-Hp H=(imr-d02.mx.aol.com) [205.188.157.40]:57622 I=[127.0.0.1]:25 F=<somename@???> temporarily rejected after DATA
# clamav.log
Thu Dec 21 11:56:40 2006 -> Client disconnected
Thu Dec 21 11:57:38 2006 -> Client disconnected
Thu Dec 21 11:58:40 2006 -> Client disconnected
Thu Dec 21 11:59:27 2006 -> Client disconnected
Thu Dec 21 12:00:55 2006 -> Client disconnected
Thu Dec 21 12:03:20 2006 -> Client disconnected
Thu Dec 21 12:04:15 2006 -> Client disconnected
I don't understand why the on-disk size of the email from AOL is 72M, and why the others are 29M and 6M. When I look in the scan folder there are two dozen or more parts in there, ranging from 100Kb to 6+MB.
Is it something wrong with my Exim config, or my clamd.conf?
Exim version 4.63 #0 (FreeBSD 6.1) built 14-Dec-2006 05:59:25
Copyright (c) University of Cambridge 2006
Probably Berkeley DB version 1.8x (native mode)
Support for: iconv() use_setclassresources Perl OpenSSL Content_Scanning
Old_Demime Experimental_SPF
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/local/etc/exim/configure
###
### START ACL MIME ###
###
acl_check_mime:
  # Decode MIME parts to disk. This will support virus scanners later.
  warn  decode = default

  # SURBL
  drop  set acl_m0 = ${perl{surblspamcheck}}
        message = $acl_m0
        condition = ${if eq{$acl_m0}{false}{no}{yes}}
        log_message = SURBL URL MIME

  accept
## clamd.conf
## we run it from daemontools
AllowSupplementaryGroups
ArchiveBlockEncrypted
ArchiveBlockMax
DatabaseDirectory /var/db/clamav
FixStaleSocket
Foreground
#LocalSocket /var/run/clamav/clamd
TCPSocket 3310
TCPAddr 127.0.0.1
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime
MaxThreads 10
PidFile /var/run/clamav/clamd.pid
ScanMail
User clamav
VirusEvent echo %v >> /var/log/clamav/virii
StreamMaxLength 15M
This is what I think the decode is supposed to do, but I don't know why it breaks it into such large pieces, and so many.
Having clamd as a socket or TCP process seems to make no difference, but TCP seems to be faster, even though the socket should be.
This is what I can see from the reject log regarding the MIME type of this message:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="part1_c7d.6668ddb.32bbff23_boundary"
X-Mailer: 9.0 SE for Windows sub 5036
X-Spam-Flag: NO
X-AOL-IP: 172.20.107.74
Any help would be greatly appreciated.
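An added triage script (not from the original post, Exim or ClamAV) that joins the `du -sh` sizes of the scan directories with the mainlog entries, so the directories belonging to messages where clamd timed out stand out by size. The sample inputs are the lines quoted in the post, rejoined where the mail client wrapped them.

```python
import re
# Sample input taken from the post above: Exim 4.63 mainlog lines, rejoined where wrapped.
MAINLOG = """\
2006-12-21 11:56:31 SMTP connection from [205.188.157.40]:57622 I=[127.0.0.1]:25 (TCP/IP connection count = 9)
2006-12-21 12:00:06 1GxRDb-000MJo-Hp malware acl condition: clamd: unable to read from socket (Operation timed out)
2006-12-21 12:00:06 1GxRDb-000MJo-Hp H=(imr-d02.mx.aol.com) [205.188.157.40]:57622 I=[127.0.0.1]:25 F=<somename@???> temporarily rejected after DATA
"""
# Sample input taken from the post: `du -sh *` in /var/spool/exim/scan.
DU_OUTPUT = """\
29M 1GxPk3-0009AC-3D
514K 1GxRAl-000Cms-0n
72M 1GxRDb-000MJo-Hp
6.1M 1GxREr-000NYv-Q1
20K 1GxRGq-000CTd-FD
"""
# Exim message ids look like 1GxRDb-000MJo-Hp: three base-62 groups.
MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LOG_LINE = re.compile(r"^(\S+ \S+) (" + MSG_ID + r") (.*)$")
UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_du(text):
    """Map scan-directory name (message id) to its size in bytes."""
    sizes = {}
    for line in text.splitlines():
        size, name = line.split()
        unit = UNITS.get(size[-1], 1)
        sizes[name] = int(float(size.rstrip("KMG")) * unit)
    return sizes

def parse_mainlog(text):
    """Map message id to the list of (timestamp, text) log entries carrying it."""
    events = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    return events

def correlate(mainlog, du_output):
    """Return (id, size_bytes, clamd_timed_out) rows, largest directory first."""
    events = parse_mainlog(mainlog)
    rows = []
    for mid, size in parse_du(du_output).items():
        timed_out = any("clamd:" in msg and "timed out" in msg
                        for _, msg in events.get(mid, []))
        rows.append((mid, size, timed_out))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for mid, size, timed_out in correlate(MAINLOG, DU_OUTPUT):
        print(f"{mid} {size / (1 << 20):7.1f} MiB", "CLAMD TIMEOUT" if timed_out else "")
```

Run against the live `/var/log/exim/mainlog` and the real `du -sh` output to see whether only the largest scan directories coincide with the clamd timeouts.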