[opensuse] Curious unintentional mail bomb
Hi,
Yesterday I was fetching mail with fetchmail from an account, and I noticed these entries in the log:
<2.4> ... amavis 28714 - - (28714-15) (!)Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> ... amavis 28714 - - (28714-15) (!)run_command_copy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
<2.4> ... amavis 28714 - - (28714-15) (!)NOTICE: HOLD reason: do_uncompress: run_ccpy: Exceeded storage quota 7040000 bytes by run_command_copy; last chunk 4096 bytes
So I investigated, and found the full log entries:
<2.6> 2019-05-25 15:29:58 Telcontar postfix 4365 - - C46623207AD: from=
On 05/26/2019 06:29 AM, Carlos E. R. wrote: <snip>
[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE
<2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS LOCAL [127.0.0.1]:45756 [209.85.208.196] -> , Queue-ID: C46623207AD, Message-ID: , mail_id: xtCJxEl4h1M1, Hits: -, size: 14080, queued_as: 2D05C320ADE, dkim_sd=20161025:gmail.com, 206 ms
<2.6> 2019-05-25 15:29:59 Telcontar postfix 28977 - - C46623207AD: to= , orig_to= , relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, delays=0.19/0/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE)
<2.6> 2019-05-25 15:29:59 Telcontar postfix 4365 - - C46623207AD: removed
There was indeed a mail sent to root from virusalert, identifying the problem post. I then located it: a mail from the xfs mail list. I expected it to be huge, but it simply contains a 2.2 attachment named "xfs.img.bz2", sent with good intentions and not a virus. The problem is that it is an XFS partition debug image, which expands to 134,217,728 bytes! Of course amavis had problems with it, LOL!
The mail passed with a warning in the subject line added, was not quarantined. And it came from my gmail account, who are rather suspicious folk when looking at spam or attachments.
I was surprised with the line:
[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE <2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS
if it was actually doing what it says it was doing (as well as the line above that skipped virus checking the last 4096 bytes when the message exceeded quota).
Seems like there may be a couple of issues to investigate.
--
David C. Rankin, J.D.,P.E.
On 27/05/2019 02.12, David C. Rankin wrote:
On 05/26/2019 06:29 AM, Carlos E. R. wrote: <snip>
The mail passed with a warning in the subject line added, was not quarantined. And it came from my gmail account, who are rather suspicious folk when looking at spam or attachments.
I was surprised with the line:
[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2D05C320ADE <2.5> 2019-05-25 15:29:59 Telcontar amavis 28714 - - (28714-15) Passed UNCHECKED {RelayedTaggedInternal}, MYNETS
if it was actually doing what it says it was doing (as well as the line above that skipped virus checking the last 4096 bytes when the message exceeded quota).
Seems like there may be a couple of issues to investigate.
Yes. But it was not marked as virus, rather as an error. Normally in my configuration a virus is marked but passed; later procmail sees the mark and moves it to a different folder. I do not allow amavis to quarantine himself. This is a different case and has taken me by surprise. Amavis changed the subject line instead (or as well as) adding a mark to the headers. But amavis has no reason to suspect it is a virus, either. Amavis has a rule to block executables, but this one is not. I have to confirm that it was amavis who changed the subject line, though.
--
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
participants (2)
- Carlos E. R.
- David C. Rankin
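The failure mode in the log lines above, as an added example that is not part of the thread and is not amavis code: a small bz2 attachment is expanded in 4096-byte chunks against the 7040000-byte quota, and when the quota is passed the content is reported as UNCHECKED rather than clean. The function names, the verdict tuple and the 16 MiB sample of zeros are assumptions constructed for illustration.

```python
import bz2

QUOTA_BYTES = 7_040_000  # storage quota reported in the amavis log lines
CHUNK_BYTES = 4096       # chunk size reported in the same log lines


class QuotaExceeded(Exception):
    """Expanded data went past the storage quota."""


def bounded_bunzip2(data: bytes, quota: int = QUOTA_BYTES) -> int:
    """Expand one bz2 stream chunk by chunk and return its expanded size.

    Output is counted and discarded, so memory use stays near CHUNK_BYTES.
    """
    decomp = bz2.BZ2Decompressor()
    total, pending = 0, data
    while not decomp.eof:
        chunk = decomp.decompress(pending, max_length=CHUNK_BYTES)
        pending = b""  # all input was handed over on the first call
        if not chunk and not decomp.eof:
            raise ValueError("truncated or corrupt bz2 stream")
        total += len(chunk)
        if total > quota:
            raise QuotaExceeded(
                f"exceeded storage quota {quota} bytes; last chunk {len(chunk)} bytes")
    return total


def scan_attachment(name: str, data: bytes, quota: int = QUOTA_BYTES):
    """Return (verdict, detail). UNCHECKED means the content was never inspected."""
    try:
        size = bounded_bunzip2(data, quota)
    except QuotaExceeded as exc:
        return "UNCHECKED", f"{name}: {exc}"
    return "CHECKED", f"{name}: expanded to {size} bytes"


def constructed_sample(expanded_size: int = 16 * 1024 * 1024) -> bytes:
    """Constructed stand-in for the attachment: zeros compressed with bz2."""
    return bz2.compress(bytes(expanded_size))


if __name__ == "__main__":
    blob = constructed_sample()
    print(len(blob), "compressed bytes")
    print(scan_attachment("sample.img.bz2", blob))
    print(scan_attachment("sample.img.bz2", blob, quota=32 * 1024 * 1024))
```

What happens to an UNCHECKED message afterwards (tag and pass, hold, or quarantine) is a separate policy decision that this sketch leaves to the caller.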