Hi,
Yesterday I was fetching mail with fetchmail from an account, and I noticed these entries in the log:
<2.4> ... amavis 28714 - - (28714-15) (!)Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> ... amavis 28714 - - (28714-15) (!)run_command_copy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> ... amavis 28714 - - (28714-15) (!)NOTICE: HOLD reason: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
So I investigated, and found the full log entries:
<2.6> 2019-05-25 15:29:58 Telcontar postfix 4365 - - C46623207AD: from=, size=14080, nrcpt=1 (queue active)
<2.6> 2019-05-25 15:29:58 Telcontar fetchmail 22954 - - IMAP> A7859 STORE 7 +FLAGS (\Seen \Deleted)
<2.6> 2019-05-25 15:29:58 Telcontar amavis 28714 - - (28714-15) LMTP [127.0.0.1]:10024 /var/spool/amavis/tmp/amavis-20190525T152941-28714-R9o4FYsp: -> SIZE=14080 Received: from Telcontar.valinor ([127.0.0.1]) by localhost (telcontar.valinor [127.0.0.1]) (amavisd-new, port 10024) with LMTP for ; Sat, 25 May 2019 15:29:58 +0200 (CEST)
<2.6> 2019-05-25 15:29:59 Telcontar spamd 29103 - - spamd: connection from localhost [127.0.0.1]:52380 to port 783, fd 6
<2.6> 2019-05-25 15:29:59 Telcontar spamd 29103 - - spamd: setuid to cer succeeded
<2.6> 2019-05-25 15:29:59 Telcontar spamd 29103 - - spamd: processing message <61ef34f7-3e70-aa83-aa91-9bd5d49a61da@gmx.es> for cer:1000
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Checking: xtCJxEl4h1M1 MYNETS [127.0.0.1] ->
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)run_command_copy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Decoding of p002 (bzip2 compressed data, block size = 900k) failed, leaving it unpacked: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) NOTICE: Virus scanning skipped: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar postfix 22998 - - 29B0D320ADD: client=localhost[127.0.0.1]
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28833 - - 29B0D320ADD: message-id=
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - 29B0D320ADD: from=, size=7418, nrcpt=1 (queue active)
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) rF71lUyZ4pnz(xtCJxEl4h1M1) SEND from -> , ENVID=AM.rF71lUyZ4pnz.20190525T132959Z@telcontar.valinor 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 29B0D320ADD
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)NOTICE: HOLD reason: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Inserting header field: X-Amavis-Hold: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar postfix 22998 - - 2D05C320ADE: client=localhost[127.0.0.1]
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28833 - - 2D05C320ADE: message-id=
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - 2D05C320ADE: from=, size=14764, nrcpt=1 (queue active)
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) xtCJxEl4h1M1 FWD from -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS LOCAL [127.0.0.1]:45756 [209.85.208.196] -> , Queue-ID: C46623207AD, Message-ID: , mail_id: xtCJxEl4h1M1, Hits: -, size: 14080, queued_as: 2D05C320ADE, dkim_sd=20161025:gmail.com, 206 ms
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28977 - - C46623207AD: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, delays=0.19/0/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE)
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - C46623207AD: removed
There was indeed a mail sent to root from virusalert, identifying the problem post.
I then located it: a mail from the xfs mail list. I expected it to be huge, but it simply contains a 2.2 attachment named "xfs.img.bz2", sent with good intentions and not a virus.
The problem is that it is an XFS partition debug image, which expands to 134,217,728 bytes! Of course amavis had problems with it, LOL!
The mail passed with a warning added in the subject line; it was not quarantined. And it came from my gmail account, who are rather suspicious folk when looking at spam or attachments.
--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
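
Added example, not part of the original post: a small triage script that groups amavis log lines by session id (the "(28714-15)" field) and reports messages delivered as "Passed UNCHECKED" after virus scanning was skipped on a decode quota. The sample embeds lines trimmed from the log above plus one constructed "Passed CLEAN" control line; the function and field names are this example's own.

```python
import re

# Sample input: lines trimmed from the log quoted in the post above; the final
# "Passed CLEAN" line (session 28714-16) is CONSTRUCTED as a negative control.
SAMPLE = """\
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Checking: xtCJxEl4h1M1 MYNETS [127.0.0.1] ->
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Decoding of p002 (bzip2 compressed data, block size = 900k) failed, leaving it unpacked: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) NOTICE: Virus scanning skipped: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS LOCAL [127.0.0.1]:45756 [209.85.208.196] -> , Queue-ID: C46623207AD, Message-ID: , mail_id: xtCJxEl4h1M1, Hits: -, size: 14080, queued_as: 2D05C320ADE, dkim_sd=20161025:gmail.com, 206 ms
<2.6> 2019-05-25 15:30:02 Telcontar amavis 28714 - - (28714-16) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [127.0.0.1]:45760 -> , Queue-ID: AAAAAAAAAAA, mail_id: constructed0001, Hits: -, size: 2100, queued_as: BBBBBBBBBBB, 120 ms
"""

LINE = re.compile(r"amavis \d+ - - \((?P<sid>\d+-\d+)\) (?P<msg>.*)$")
QUOTA = re.compile(r"Exceeded storage quota (?P<quota>\d+) bytes")
PART = re.compile(r"Decoding of (?P<part>\S+) \((?P<kind>[^)]*)\) failed")
PASSED = re.compile(r"Passed (?P<verdict>[A-Z-]+) .*?Queue-ID: (?P<qid>\w+),"
                    r".*?mail_id: (?P<mail_id>[\w-]+),.*?size: (?P<size>\d+)")

def unscanned_deliveries(log_text):
    """Return one dict per amavis session that skipped scanning yet delivered."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an amavis line with a session id
        s = sessions.setdefault(m["sid"], {"sid": m["sid"], "skipped": False})
        msg = m["msg"]
        if (q := QUOTA.search(msg)):
            s["quota"] = int(q["quota"])
        if (p := PART.search(msg)):
            s["part"], s["kind"] = p["part"], p["kind"]
        if "Virus scanning skipped" in msg:
            s["skipped"] = True
        if (d := PASSED.search(msg)):
            s.update(verdict=d["verdict"], queue_id=d["qid"],
                     mail_id=d["mail_id"], size=int(d["size"]))
    found = [s for s in sessions.values()
             if s["skipped"] and s.get("verdict") == "UNCHECKED"]
    for s in found:
        # Quota relative to message size: a lower bound on how far the
        # attachment expanded before decoding was aborted.
        if s.get("quota") and s.get("size"):
            s["quota_over_size"] = s["quota"] // s["size"]
    return found

if __name__ == "__main__":
    for finding in unscanned_deliveries(SAMPLE):
        print(finding)
```

For the message in this post the quota (7040000 bytes) is exactly 500 times the logged message size (14080 bytes), so the bzip2 part expanded at least that far before decoding stopped.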