Back in June I sent myself the EICAR test signature to make sure my postfix/amavis/spamassassin etc setup was working properly. I didn't notice at the time, but this somehow created a tear in the space-time continuum or something whereby every 5 minutes the mail server sends it to itself, over and over.

Oct  7 20:25:39 yavin postfix/smtpd[5598]: connect from localhost[127.0.0.1]
Oct  7 20:25:39 yavin postfix/smtpd[5598]: 886FA1A14B0: client=localhost[127.0.0.1]
Oct  7 20:25:39 yavin postfix/cleanup[5600]: 886FA1A14B0: message-id=<20111007072539.886FA1A14B0@yavin.mydomain.com>
Oct  7 20:25:39 yavin postfix/smtpd[5598]: disconnect from localhost[127.0.0.1]
Oct  7 20:25:39 yavin postfix/qmgr[2911]: 886FA1A14B0: from=<>, size=1610, nrcpt=1 (queue active)
Oct  7 20:25:39 yavin postfix/smtpd[5598]: connect from localhost[127.0.0.1]
Oct  7 20:25:39 yavin postfix/smtpd[5598]: A9C0E1A14B1: client=localhost[127.0.0.1]
Oct  7 20:25:39 yavin postfix/cleanup[5600]: A9C0E1A14B1: message-id=<VAAyuN8taIpfBV@yavin.mydomain.com>
Oct  7 20:25:39 yavin postfix/smtp[5601]: 886FA1A14B0: to=<virii@mydomain.com>, relay=192.168.178.251[192.168.178.251]:25, delay=0.23, delays=0.1/0.04/0.03/0.06, dsn=2.6.0, status=sent (250 2.6.0  <20111007072539.886FA1A14B0@yavin.mydomain.com> Queued mail for delivery)
Oct  7 20:25:39 yavin postfix/qmgr[2911]: 886FA1A14B0: removed
Oct  7 20:25:39 yavin postfix/smtpd[5598]: disconnect from localhost[127.0.0.1]
Oct  7 20:25:39 yavin postfix/qmgr[2911]: A9C0E1A14B1: from=<postmaster@mydomain.com>, size=2037, nrcpt=1 (queue active)
Oct  7 20:25:39 yavin amavis[2720]: (02720-06) Blocked INFECTED (Eicar-Test-Signature), <spambin@mydomain.com> -> <spambin@mydomain.com>, quarantine: virii@mydomain.com, mail_id: AyuN8taIpfBV, Hits: -, size: 576, 606 ms
Oct  7 20:25:39 yavin postfix/smtp[5601]: A9C0E1A14B1: to=<postmaster@mydomain.com>, relay=192.168.178.251[192.168.178.251]:25, delay=0.09, delays=0.04/0/0/0.04, dsn=2.6.0, status=sent (250 2.6.0  <VAAyuN8taIpfBV@yavin.mydomain.com> Queued mail for delivery)
Oct  7 20:25:39 yavin postfix/qmgr[2911]: A9C0E1A14B1: removed

I stumbled across the issue when I changed the configuration today to route virus-infected mail to the virii@mydomain.com address rather than to files on the spam server. Seems this has been re-sending every 5 minutes for four months now.

I seemed to halt it briefly after rebooting the spam server at 7pm tonight and thought it resolved, but at 8:16pm I got the message again, and every 5 minutes since. It's starting to drive me slightly insane.

Help?

Edit: On changing the configuration back to storing viruses on the server rather than in a mailbox, the issue continues:

Oct  7 22:05:40 yavin amavis[5476]: (05476-01) Blocked INFECTED (Eicar-Test-Signature), <spambin@mydomain.com> -> <spambin@mydomain.com>, quarantine: virus-QhKp9pHFTZiG, mail_id: QhKp9pHFTZiG, Hits: -, size: 576, 795 ms

Just instead of e-mails I get files, every 5 minutes.

Edit 2: New full logs after config reversion and restarts of Postfix and Amavis:

Oct  8 02:43:40 yavin postfix/smtpd[12710]: connect from localhost[127.0.0.1]
Oct  8 02:43:40 yavin postfix/smtpd[12710]: 2DD331A1600: client=localhost[127.0.0.1]
Oct  8 02:43:40 yavin postfix/cleanup[12706]: 2DD331A1600: message-id=<VAnB9ZAvBkol-I@yavin.mydomain.com>
Oct  8 02:43:40 yavin postfix/smtpd[12710]: disconnect from localhost[127.0.0.1]
Oct  8 02:43:40 yavin postfix/qmgr[10957]: 2DD331A1600: from=<postmaster@mydomain.com>, size=2040, nrcpt=1 (queue active)
Oct  8 02:43:40 yavin amavis[10975]: (10975-14) Blocked INFECTED (Eicar-Test-Signature), <spambin@mydomain.com> -> <spambin@mydomain.com>, quarantine: virus-nB9ZAvBkol-I, mail_id: nB9ZAvBkol-I, Hits: -, size: 579, 475 ms
Oct  8 02:43:40 yavin postfix/smtp[12711]: 2DD331A1600: to=<postmaster@mydomain.com>, relay=192.168.178.251[192.168.178.251]:25, delay=0.11, delays=0.05/0/0/0.05, dsn=2.6.0, status=sent (250 2.6.0  <VAnB9ZAvBkol-I@yavin.mydomain.com> Queued mail for delivery)
Oct  8 02:43:40 yavin postfix/qmgr[10957]: 2DD331A1600: removed
James Carppe
  • New log output after changes added. – James Carppe Oct 07 '11 at 13:50
  • But you see this is a different message. Different Message-ID and different mail_id. So the question remains: Who/what uses SMTP from your local machine to deliver that mail? A cron job? Monitoring software? Should be shown in the last Received line of the mail. – mailq Oct 07 '11 at 13:56
  • `Received: from localhost.localdomain ([127.0.0.1]) by localhost (yavin.mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OG7XNLVAihsQ for ; Sat, 8 Oct 2011 02:58:39 +1300 (NZDT)` – James Carppe Oct 07 '11 at 14:02
  • And my crontab: `11 11 * * * /etc/init.d/hwclock.sh reload >/dev/null 47 5 * * 7 /usr/sbin/sa-update.sh 2 2 * * 3 su amavis -c '/usr/bin/razor-admin -discover' 43 11 * * * /usr/bin/cron-dccd 27 */6 * * * /usr/sbin/unofficial-clamav-sigs.sh */6 * * * * /usr/sbin/clamd-status.sh` – James Carppe Oct 07 '11 at 14:04
  • **There you go!** The culprit is clamd-status.sh that sends the mail every 6 minutes... – mailq Oct 07 '11 at 14:06
  • Sadly no. Commented out that entry in the crontab, restarted postfix and amavis, just got another one. Looking through the script doesn't point to anything obvious to me - http://pastebin.com/virTPPkq – James Carppe Oct 07 '11 at 14:19
  • Oh boy. So, I figured it out. Turns out it was a Nagios script that checks whether amavis is running, and more importantly for this particular issue, checks that the AV engine is working... by sending it the EICAR virus. http://exchange.nagios.org/directory/Plugins/Anti-2DVirus/Amavis/check_amavis/details is the script in question if anyone is interested. Thanks all to those that tried to help, you definitely helped me figure it all out! – James Carppe Oct 07 '11 at 14:39

3 Answers

The problem is your Amavis setup.

Your quarantine destination seems to be a mail address. So Amavis injects the virus mail back into Postfix to be delivered to that address. Postfix now decides to scan the mail first and delegates to Amavis. Amavis recognizes the virus and tries to quarantine it by delivering to the quarantine mail address. So ...

You get the vicious circle, right? Either quarantine mails into folder or database, or define an exception to not scan the quarantine-mails for viruses.

Edit to the edit of the questioner

Now the Message-IDs are different. Meaning they are different messages with (surprisingly) the same content. This makes me believe that it is either a cron job or some kind of monitoring software that keeps on sending the same content (not the identical mail).

And at the end James found out that his Nagios monitoring software keeps on sending ...

mailq
  • I only changed the quarantine destination to a mailbox today, and this problem has been happening for 4 months. The previous setting was $virus_quarantine_to = 'virus-quarantine', which stores them in /var/lib/amavis/virusmails. When this was set the issue was still occurring. – James Carppe Oct 07 '11 at 08:56
  • Also, this only appears to occur with this particular message. Other real viruses that are coming in on standard e-mails to users are picked up and removed without issue. – James Carppe Oct 07 '11 at 09:03
Oh boy.

So, I figured it out. Turns out it was a Nagios script that checks whether amavis is running, and more importantly for this particular issue, checks that the AV engine is working... by sending it the EICAR virus.

http://exchange.nagios.org/directory/Plugins/Anti-2DVirus/Amavis/check_amavis/details is the script in question if anyone is interested.

Thanks all to those that tried to help, you definitely helped me figure it all out!

James Carppe
That may be the case, depending on your setup of postfix and amavis. If postfix tries to send it somewhere and amavis intercepts the sending (as indicated in the third last line), the message will stay in the queue. Normally, the queue would be deleted after 72h of not sending it, but if amavis also blocks the deletion of the message (as it is another access to a virii-file), the message never gets out of the queue.

Did you already try simply deleting the send-queue for this message or even address via the administrative tools of postfix?

Lars
  • Yeah, cleared the queue multiple times (postsuper -d ALL), along with multiple reboots now. I can't find any trace of the message anywhere which is why I'm so confused as to where it's coming from. If it's any help, I used http://www200.pair.com/mecham/spam/spamfilter20110303.html as the guide to setting it all up. Lot of info there though. – James Carppe Oct 07 '11 at 08:37