[Mimedefang] 0-byte attachments

Stewart mimedefang at f8.com.au
Mon Nov 28 03:24:21 EST 2005


[Apologies for being flustered and hitting send before i'd added some  
proper diagnostification :-) let's start again]


Hi List..

mimedefang 2.51-2 on debian with sendmail 8.13.1-16, clamav 0.85.1-2  
and spamassassin 3.0.2-1 on a 2.4GHz Celeron with 2G RAM is working  
like a charm, until....


All of a sudden in the last week or so i'm getting complaints of 0- 
byte attachments* appearing from various senders via various relays.  
I haven't changed my MD config in months so initially i blamed sender- 
side virus activity generating fake messages. Furthermore i can't see  
anything in my logs that would indicate mimedefang has suddenly  
decided to remove attachments without warning - lots of sober-killing  
activity but the regular messages aren't being logged irregularly, so  
far as i can see.

but still. something untoward is happening and it involves missing  
mime parts, as per this example message body:

 >>
Content-Type: multipart/mixed;
         boundary="----=_NextPart_000_027D_01C5F1CC.860CB7D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1478
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
X-Scanned-By: MIMEDefang 2.51 on 192.168.1.1

This is a multi-part message in MIME format.

------=_NextPart_000_027D_01C5F1CC.860CB7D0
Content-Type: multipart/alternative;
         boundary="----=_NextPart_001_027E_01C5F1CC.860CB7D0"

------=_NextPart_001_027E_01C5F1CC.860CB7D0
Content-Type: text/plain;
         charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline


------=_NextPart_001_027E_01C5F1CC.860CB7D0--

------=_NextPart_000_027D_01C5F1CC.860CB7D0
Content-Type: application/vnd.ms-excel;
         name="IN - 2006 1POS order form 112505.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="IN - 2006 1POS order form  
112505.xls"


------=_NextPart_000_027D_01C5F1CC.860CB7D0--


<<EOF

..so MD would have to be under suspicion at this stage - well perhaps  
it's MD/Sendmail and the unusually high number of simultaneous  
connections caused by the sober attack.. but md-mx-ctrl seems happy:


# md-mx-ctrl  msgs
1709
# md-mx-ctrl  status
Max slaves: 10
Slave 0: idle
Slave 1: stopped
Slave 2: idle
Slave 3: stopped
Slave 4: stopped
Slave 5: stopped
Slave 6: stopped
Slave 7: stopped
Slave 8: stopped
Slave 9: stopped
# md-mx-ctrl  load
Load:             Msgs:       Msgs/Sec:    Avg ms/scan:   Avg Busy  
Slaves:
10 Sec               0            0.00             0.0            1.00
1 Min               1            0.02          2171.0            1.00
5 Min               6            0.02           792.8            1.00
10 Min              15            0.03           589.1            1.00




The only clue i can find from the mail log is thus:


> Nov 25 17:09:35 myserver sm-mta[28204]: jAP69Y0C028204:  
> from=<person at isp.net.au>, size=78548, class=0, nrcpts=2,  
> msgid=<000501c5f186$c1626550$0800000a at computer>, proto=ESMTP,  
> daemon=MTA, relay=04.mx.isp.com [ip.ip.ip.ip]

and

> Nov 28 16:23:20 myserver sm-mta[3206]: jAS5NJWx003206:  
> from=<person at isp.net.au>, size=185514, class=0, nrcpts=2,  
> msgid=<000501c5f3db$c6facdc0$0800000a at computer>, proto=ESMTP,  
> daemon=MTA, relay=02.mx.isp.com [ip.ip.ip.ip]

which is the exact same message - first time it came through with an  
empty attachment but when resent the attachment came through  
unharmed. (fwiw, a .zip file but other file types have also gone  
missing including .pdf and .jpg which aren't in MD's list of bad  
filenames either) I can see the size= difference there but is that  
log entry before or after it's been through mimedefang, i'm not sure?

Anyway after some more forensics i'm starting to think that i may  
have inadvertently solved the problem on the weekend when i did a bit  
of a disk-space-juggle to free up some room on the /var and /  
partitions.. it would seem when the users were complaining to me  
earlier today they were neglecting to mention this all happened last  
week and doesn't seem to have happened today.

So right now my panic subsides, just slightly, but i'd like to know  
why mimedefang might be passing on messages without their attachments  
and not warning the users inline, or me via syslog, that there's some  
sort of problem ... that wouldn't be an approved behaviour i'm sure! :-/

lastly fwiw here's the md.conf (the filter is pretty much the default  
slightly tweaked for local needs)


MX_USER=defang
SYSLOG_FACILITY=mail
KEEP_FAILED_DIRECTORIES=yes  #no sign of any failed directories  
either now you mention it
MX_RELAY_CHECK=yes
MX_RECIPIENT_CHECK=no
MX_STATS_SYSLOG=no
MX_REQUESTS=100
MX_MINIMUM=2
MX_MAXIMUM=10
MX_LOG_SLAVE_STATUS_INTERVAL=1200
MX_IDLE=300
MX_BUSY=300
MX_QUEUE_SIZE=10
MX_EMBED_PERL=yes



many thanks for your time again and (hopefully) suggestions. :)

..S.






More information about the MIMEDefang mailing list