[opensuse] Curious unintentional mail bomb
Hi,

Yesterday I was fetching mail with fetchmail from an account, and I noticed these entries in the log:

<2.4> ... amavis 28714 - - (28714-15) (!)Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> ... amavis 28714 - - (28714-15) (!)run_command_copy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> ... amavis 28714 - - (28714-15) (!)NOTICE: HOLD reason: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes

So I investigated, and found the full log entries:

<2.6> 2019-05-25 15:29:58 Telcontar postfix 4365 - - C46623207AD: from=<linux-xfs-owner@vger.kernel.org>, size=14080, nrcpt=1 (queue active)
<2.6> 2019-05-25 15:29:58 Telcontar fetchmail 22954 - - IMAP> A7859 STORE 7 +FLAGS (\Seen \Deleted)
<2.6> 2019-05-25 15:29:58 Telcontar amavis 28714 - - (28714-15) LMTP [127.0.0.1]:10024 /var/spool/amavis/tmp/amavis-20190525T152941-28714-R9o4FYsp: <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor> SIZE=14080 Received: from Telcontar.valinor ([127.0.0.1]) by localhost (telcontar.valinor [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <cer@localhost.valinor>; Sat, 25 May 2019 15:29:58 +0200 (CEST)
<2.6> 2019-05-25 15:29:59 Telcontar spamd 29103 - - spamd: connection from localhost [127.0.0.1]:52380 to port 783, fd 6
<2.6> 2019-05-25 15:29:59 Telcontar spamd 29103 - - spamd: setuid to cer succeeded
<2.6> 2019-05-25 15:29:59 Telcontar spamd 29103 - - spamd: processing message <61ef34f7-3e70-aa83-aa91-9bd5d49a61da@gmx.es> for cer:1000
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Checking: xtCJxEl4h1M1 MYNETS [127.0.0.1] <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor>
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)run_command_copy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Decoding of p002 (bzip2 compressed data, block size = 900k) failed, leaving it unpacked: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) NOTICE: Virus scanning skipped: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar postfix 22998 - - 29B0D320ADD: client=localhost[127.0.0.1]
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28833 - - 29B0D320ADD: message-id=<VAxtCJxEl4h1M1@telcontar.valinor>
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - 29B0D320ADD: from=<virusalert@telcontar.valinor>, size=7418, nrcpt=1 (queue active)
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) rF71lUyZ4pnz(xtCJxEl4h1M1) SEND from <virusalert@telcontar.valinor> -> <virusalert@telcontar.valinor>, ENVID=AM.rF71lUyZ4pnz.20190525T132959Z@telcontar.valinor 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 29B0D320ADD
<2.4> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) (!)NOTICE: HOLD reason: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Inserting header field: X-Amavis-Hold: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.6> 2019-05-25 15:29:59 Telcontar postfix 22998 - - 2D05C320ADE: client=localhost[127.0.0.1]
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28833 - - 2D05C320ADE: message-id=<CAE5jQCfP95cvjkKTmawpbfFLmBVwYZ3t89WED=U3uk4z+7U+CQ@mail.gmail.com>
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - 2D05C320ADE: from=<linux-xfs-owner@vger.kernel.org>, size=14764, nrcpt=1 (queue active)
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) xtCJxEl4h1M1 FWD from <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS LOCAL [127.0.0.1]:45756 [209.85.208.196] <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor>, Queue-ID: C46623207AD, Message-ID: <CAE5jQCfP95cvjkKTmawpbfFLmBVwYZ3t89WED=U3uk4z+7U+CQ@mail.gmail.com>, mail_id: xtCJxEl4h1M1, Hits: -, size: 14080, queued_as: 2D05C320ADE, dkim_sd=20161025:gmail.com, 206 ms
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28977 - - C46623207AD: to=<cer@localhost.valinor>, orig_to=<cer@localhost>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, delays=0.19/0/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE)
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - C46623207AD: removed

There was indeed a mail sent to root from virusalert, identifying the problem post. I then located it: a mail from the xfs mail list. I expected it to be huge, but it simply contains a 2.2 attachment named "xfs.img.bz2", sent with good intentions and not a virus. The problem is that it is an XFS partition debug image, which expands to 134,217,728 bytes! Of course amavis had problems with it, LOL!

The mail passed with a warning in the subject line added, was not quarantined. And it came from my gmail account, who are rather suspicious folk when looking at spam or attachments.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
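
The quota behaviour described in the post above, as an added example that is not part of the original post and is not amavis code: a bzip2 stream is unpacked in 4096-byte steps and abandoned once the output passes the 7040000-byte quota seen in the log. The function names, the on_overflow policy switch and the 16 MiB zero-filled sample are assumptions made for the illustration.

```python
import bz2

QUOTA = 7_040_000  # storage quota reported in the amavis log lines of this thread
CHUNK = 4096       # chunk size reported in the same log lines


class QuotaExceeded(Exception):
    """Decompressed output grew past the storage quota."""


def bounded_bunzip2(data, quota=QUOTA, chunk=CHUNK):
    """Decompress one bzip2 stream, never holding more than quota + chunk bytes."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pos = 0
    while not dec.eof:
        feed = b""
        if dec.needs_input:
            if pos >= len(data):
                raise ValueError("truncated bzip2 stream")
            feed = data[pos:pos + chunk]
            pos += len(feed)
        # max_length caps how much output a single call may return
        out += dec.decompress(feed, max_length=chunk)
        if len(out) > quota:
            raise QuotaExceeded(
                f"Exceeded storage quota {quota} bytes; last chunk {chunk} bytes")
    return bytes(out)


def scan_attachment(data, on_overflow="hold"):
    """Return (verdict, detail). on_overflow is a hypothetical policy switch:
    'hold' keeps the mail back, 'tag' delivers it marked as not scanned."""
    try:
        payload = bounded_bunzip2(data)
    except QuotaExceeded as exc:
        return ("HOLD" if on_overflow == "hold" else "UNCHECKED", str(exc))
    # A real filter would hand `payload` to the virus scanner at this point.
    return ("SCANNED", f"{len(payload)} bytes unpacked")


# Constructed sample: 16 MiB of zeros, standing in for a sparse filesystem image.
SPARSE_IMAGE = bz2.compress(bytes(16 * 1024 * 1024))

if __name__ == "__main__":
    print(len(SPARSE_IMAGE), "compressed bytes ->", scan_attachment(SPARSE_IMAGE, "tag"))
```

With on_overflow="tag" the oversized attachment is delivered without ever reaching the scanner, which is the outcome the log in this thread records as Passed UNCHECKED.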

On 05/26/2019 06:29 AM, Carlos E. R. wrote:
<snip>
> [127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE
> <2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS LOCAL [127.0.0.1]:45756 [209.85.208.196] <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor>, Queue-ID: C46623207AD, Message-ID: <CAE5jQCfP95cvjkKTmawpbfFLmBVwYZ3t89WED=U3uk4z+7U+CQ@mail.gmail.com>, mail_id: xtCJxEl4h1M1, Hits: -, size: 14080, queued_as: 2D05C320ADE, dkim_sd=20161025:gmail.com, 206 ms
> <2.6> 2019-05-25 15:29:59 Telcontar postfix 28977 - - C46623207AD: to=<cer@localhost.valinor>, orig_to=<cer@localhost>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, delays=0.19/0/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE)
> <2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - C46623207AD: removed
>
> There was indeed a mail sent to root from virusalert, identifying the problem post. I then located it: a mail from the xfs mail list. I expected it to be huge, but it simply contains a 2.2 attachment named "xfs.img.bz2", sent with good intentions and not a virus. The problem is that it is an XFS partition debug image, which expands to 134,217,728 bytes! Of course amavis had problems with it, LOL!
>
> The mail passed with a warning in the subject line added, was not quarantined. And it came from my gmail account, who are rather suspicious folk when looking at spam or attachments.

I was surprised with the line:

> [127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE
> <2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS

if it was actually doing what it says it was doing (as well as the line above that skipped virus checking the last 4096 bytes when the message exceeded quota). Seems like there may be a couple of issues to investigate.

--
David C. Rankin, J.D.,P.E.

On 27/05/2019 02.12, David C. Rankin wrote:
> On 05/26/2019 06:29 AM, Carlos E. R. wrote:
> <snip>
>> The mail passed with a warning in the subject line added, was not quarantined. And it came from my gmail account, who are rather suspicious folk when looking at spam or attachments.
>
> I was surprised with the line:
>
>> [127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE
>> <2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS
>
> if it was actually doing what it says it was doing (as well as the line above that skipped virus checking the last 4096 bytes when the message exceeded quota).
>
> Seems like there may be a couple of issues to investigate.

Yes. But it was not marked as virus, rather as an error. Normally in my configuration a virus is marked but passed; later procmail sees the mark and moves it to a different folder. I do not allow amavis to quarantine himself. This is a different case and has taken me by surprise. Amavis changed the subject line instead of (or as well as) adding a mark to the headers.

But amavis has no reason to suspect it is a virus, either. Amavis has a rule to block executables, but this one is not.

I have to confirm that it was amavis who changed the subject line, though.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
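
One way to surface the case discussed in this thread from the mail log, as an added example that is not from either poster: it pairs each "Virus scanning skipped" notice with the "Passed" line carrying the same parenthesised amavis tag and reports mails that were relayed without a virus scan. The first three sample lines are copied from the log quoted above; the fourth line and the function name are constructed for the illustration.

```python
import re

# Lines 1-3 are copied from the log in this thread; line 4 is constructed.
SAMPLE_LOG = """\
<2.6> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Checking: xtCJxEl4h1M1 MYNETS [127.0.0.1] <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor>
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) NOTICE: Virus scanning skipped: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS LOCAL [127.0.0.1]:45756 [209.85.208.196] <linux-xfs-owner@vger.kernel.org> -> <cer@localhost.valinor>, Queue-ID: C46623207AD, mail_id: xtCJxEl4h1M1, Hits: -, size: 14080, queued_as: 2D05C320ADE, 206 ms
<2.5> 2019-05-25 15:30:04 Telcontar amavis 28714 - - (28714-16) Passed CLEAN {RelayedInternal}, MYNETS LOCAL [127.0.0.1]:45760 <sender@example.org> -> <cer@localhost.valinor>, Queue-ID: 0000000000A, mail_id: constructed01, Hits: -, size: 2048, queued_as: 0000000000B, 95 ms
"""

AMAVIS = re.compile(r" amavis \d+ - - \((\d+-\d+)\) (.*)$")
SKIPPED = re.compile(r"Virus scanning skipped: (.*)$")
PASSED = re.compile(
    r"Passed (\S+) .*?<([^>]*)> -> <([^>]*)>.*?Queue-ID: (\w+).*?queued_as: (\w+)")


def unscanned_deliveries(log_text):
    """List mails amavis relayed although the virus scan did not run."""
    skip_reason = {}  # tag such as "28714-15", shared by all lines of one mail
    findings = []
    for line in log_text.splitlines():
        m = AMAVIS.search(line)
        if not m:
            continue
        tag, msg = m.groups()
        skipped = SKIPPED.search(msg)
        if skipped:
            skip_reason[tag] = skipped.group(1)
            continue
        passed = PASSED.search(msg)
        if passed and (passed.group(1) == "UNCHECKED" or tag in skip_reason):
            verdict, sender, rcpt, queue_id, queued_as = passed.groups()
            findings.append({
                "tag": tag, "verdict": verdict, "sender": sender, "rcpt": rcpt,
                "queue_id": queue_id, "queued_as": queued_as,
                "reason": skip_reason.get(tag, "no skip notice logged"),
            })
    return findings


if __name__ == "__main__":
    for finding in unscanned_deliveries(SAMPLE_LOG):
        print(finding)
```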

participants (2)
- Carlos E. R.
- David C. Rankin