
Weird thing (qmail, amavis, maildrop)

I have a weird problem with some virus messages getting corrupted (we
detect about 2 up to 3 such corrupted messages per month).
The box does about 50000 deliveries per day. I have no other reports
about corrupted messages, so I guess this is not some hardware issue.

First, a description of the message flow:

1. Qmail receives a message for a local user. 
2. qmail-lspawn invokes /var/qmail/bin/qmail-local, which is in fact a
symlink to a tweaked amavis-sh script.
3. The script invokes:
 cat | ${formail} -f -A "${X_Header_String}" >${tmpdir}/receivedmail

 which stores the message (read from stdin, which was probably opened from
 the queue) to a file

4. The script MIME-unpacks the message with 

 ${metamail} -x${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1

 ($metamail is /usr/local/bin/reformime in my case)

5. Since the message contains an attachment with filename ending with an
".exe", namely "Update136-20.exe", md5sum is run on it (this is my
modification). md5sum reports "8f0730eec78b2c4f0586fe69c5f17983"

6. The script performs some further checks, however it does not modify
the file "receivedmail"

7. Since the virus scanners report no virii, the script finally calls:

 /var/qmail/bin/qmail-local-real "$@" < ${tmpdir}/receivedmail

 (that is the real qmail-local)

8. qmail-local runs maildrop, since the user doesn't have a .qmail file,
and maildrop is specified as the "defaultdelivery"

9. the user has only a skeletal .mailfilter file:

 FROM='his@address'
 to "./Maildir/"

10. maildrop delivers the file to the user's maildir

Now the weird thing:

When I take this message, extract the attachment and run md5sum on it,
it reports sum "4613a17f12531d21c683023ffa4b4a34". I get this sum when I
extract the message with mutt, reformime, or if I inject the message to
qmail again so it runs the above procedure once again.

I suspect the message gets corrupted somewhere between qmail-local and
the user's maildir, but I have no idea how or when exactly this might
happen. The message looks like properly formatted plaintext/html +
attachment. I can provide it if someone's interested.

The thing that bugs me most is that AVP doesn't detect that the message
is a virus during the first delivery, but does detect it on subsequent
deliveries.

I'm really puzzled. Any hints are welcome.

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
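One way to narrow down at which stage the attachment changes, added here as an example and not part of the original post: hash the decoded attachment in each copy of the message (the receivedmail file the script keeps, and the file maildrop wrote into the Maildir) and, when the digests differ, report the first raw line where the two copies diverge. The message bytes are constructed; the attachment filename is the one from the post.

```python
import hashlib
from email import message_from_bytes, policy

def attachment_digests(raw):
    # {filename: md5hex} for every MIME part carrying a filename. The decoded
    # payload is hashed, so this matches md5sum over what reformime -x writes.
    msg = message_from_bytes(raw, policy=policy.default)
    digests = {}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            digests[name] = hashlib.md5(part.get_payload(decode=True)).hexdigest()
    return digests

def first_difference(a, b):
    # First (line_number, line_in_a, line_in_b) where two raw copies of the
    # message differ, or None; a truncated copy shows up as an empty line.
    la, lb = a.split(b"\n"), b.split(b"\n")
    for n, (x, y) in enumerate(zip(la, lb), start=1):
        if x != y:
            return n, x, y
    n = min(len(la), len(lb))
    if len(la) != len(lb):
        return n + 1, b"".join(la[n:n + 1]), b"".join(lb[n:n + 1])
    return None

# Constructed stand-in for ${tmpdir}/receivedmail (the pre-delivery copy).
SAMPLE = (
    b"From: sender@example.invalid\n"
    b"To: user@example.invalid\n"
    b"Subject: constructed test message\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\n'
    b"\n"
    b"--XYZ\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"see attachment\n"
    b"--XYZ\n"
    b'Content-Type: application/octet-stream; name="Update136-20.exe"\n'
    b'Content-Disposition: attachment; filename="Update136-20.exe"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAA==\n"   # line 16 of the message
    b"--XYZ--\n"
)
# Constructed stand-in for the Maildir copy: one base64 character altered.
CORRUPTED = SAMPLE.replace(b"AAMAAAAE", b"AAMAAAAF", 1)
```

Run attachment_digests over the bytes of the receivedmail file and over the delivered Maildir file; if the digests for the attachment differ, first_difference on the same two byte strings points at the line where delivery changed the message.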