[Mimedefang] Some virus rejected, some temp failed?

Scott Oertel freebsd at scottevil.com
Thu Jan 25 12:25:12 EST 2007


I have this situation where most all emails with virus attachments are 
getting rejected, as they should, and now recently emails with this 
certain virus attached are getting temp failed, "please try again 
later". I've checked our greylist; they've already passed the greylist, 
so for some reason they're getting temp failed and I'm not sure why.

Here is some log info:

### example of what it SHOULD normally do, and does:

[root at host log]# grep l0PFvdOe069418 spamlog
Jan 25 07:57:42 host  mimedefang.pl[20624]: MDLOG,l0PFvdOe069418,virus,Trojan.Postcard-eml-2,68***0,<jim at mail.l********.com>,<social@******>, You've received a greeting from a family member!

[root at host log]# grep l0PFvdOe069418 maillog
Jan 25 07:57:42 host sm-mta[69418]: l0PFvdOe069418: from=<jim at mail.l********.com>, size=2673, class=0, nrcpts=1, msgid=<20070125061057.B7CDF36E300F at mail.l********.com>, proto=ESMTP, daemon=MTA, relay=a****n13.pacbell.net [****70]
Jan 25 07:57:42 host sm-mta[69418]: l0PFvdOe069418: Milter: data, reject=554 5.7.1 Virus Trojan.Postcard-eml-2 found in mail - rejected
Jan 25 07:57:42 host sm-mta[69418]: l0PFvdOe069418: to=<social@******>, delay=00:00:00, pri=32673, stat=Virus Trojan.Postcard-eml-2 found in mail - rejected

### example of a temp fail with virus:

Jan 25 08:45:27 host mimedefang.pl[20624]: MDLOG,l0PGj6i6003318,virus,Trojan.Downloader-656,2***.76,<p**pinfo at ha********net>,<brid**t at ra****en****m>,Warning: could not send message for past 4 hours

[root at host log]# grep l0PGj6i6003318 maillog
Jan 25 08:45:15 host sm-mta[3318]: l0PGj6i6003318: from=<p**pinfo at ha********net>, size=813352, class=0, nrcpts=1, msgid=<200701211939.l0LJTJIx023035 at ha********net>, proto=ESMTP, daemon=MTA, relay=ha********net [20****6]
Jan 25 08:47:15 host sm-mta[3318]: l0PGj6i6003318: Milter: data, reject=451 4.3.2 Please try again later
Jan 25 08:47:15 host sm-mta[3318]: l0PGj6i6003318: to=<brid**t at ra****en****m>, delay=00:02:06, pri=843352, stat=Please try again later


Here is my mimedefang config related to the virus scanner:


sub filter_begin {
    my($entity) = @_;
    if ($SuspiciousCharsInHeaders) {
        md_graphdefang_log('suspicious_chars');
        return action_bounce("Message rejected because of suspicious characters in headers");
    }

    # Copy original message into work directory as an "mbox" file for virus-scanning
    # md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan for viruses if any virus-scanners are installed
    my($code, $category, $action) = message_contains_virus();

    # Lower level of paranoia - only looks for actual viruses
    $FoundVirus = ($category eq "virus");

    if ($FoundVirus) {
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        return action_bounce("Virus $VirusName found in mail - rejected");
    }

    if ($action eq "tempfail") {
        action_tempfail("Problem running virus-scanner");
        md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
    }
}


Anybody have any ideas why this could be happening?


Thanks,
Scott Oertel
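
An added example (not part of the original post, and not MIMEDefang code): a Python script that joins MDLOG virus entries from spamlog to the milter reply sendmail logged for the same queue ID, flags detections that were answered with a 4xx, and reports the time between the from= line and the reply. The sample log lines, queue IDs, addresses, the assumed year and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample data in the log format shown in the post: queue IDs,
# addresses and IPs are made up, and each entry is on one line.
SPAMLOG = """\
Jan 25 07:57:42 host mimedefang.pl[20624]: MDLOG,l0PEXAMPLE0001,virus,Trojan.Postcard-eml-2,192.0.2.10,<a@example.com>,<b@example.org>,Greeting
Jan 25 08:45:27 host mimedefang.pl[20624]: MDLOG,l0PEXAMPLE0002,virus,Trojan.Downloader-656,192.0.2.20,<c@example.net>,<d@example.org>,Warning
""".splitlines()
MAILLOG = """\
Jan 25 07:57:42 host sm-mta[69418]: l0PEXAMPLE0001: from=<a@example.com>, size=2673, class=0, nrcpts=1
Jan 25 07:57:42 host sm-mta[69418]: l0PEXAMPLE0001: Milter: data, reject=554 5.7.1 Virus Trojan.Postcard-eml-2 found in mail - rejected
Jan 25 08:45:15 host sm-mta[3318]: l0PEXAMPLE0002: from=<c@example.net>, size=813352, class=0, nrcpts=1
Jan 25 08:47:15 host sm-mta[3318]: l0PEXAMPLE0002: Milter: data, reject=451 4.3.2 Please try again later
""".splitlines()

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]{8})"
MTA = TS + r" \S+ sm-mta\[\d+\]: (?P<qid>\w+): "
MDLOG_RE = re.compile(r"MDLOG,(?P<qid>\w+),virus,(?P<virus>[^,]+),")
FROM_RE = re.compile(MTA + r"from=")
MILTER_RE = re.compile(MTA + r"Milter: \w+, reject=(?P<code>\d{3}) (?P<text>.*)")

def when(ts, year=2007):
    # Syslog timestamps carry no year, so the year is an assumption.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(spamlog, maillog):
    """Join each MDLOG virus event to the milter reply logged for its queue ID."""
    viruses = {m["qid"]: m["virus"]
               for m in map(MDLOG_RE.search, spamlog) if m}
    received, rows = {}, []
    for line in maillog:
        if m := FROM_RE.match(line):
            received[m["qid"]] = when(m["ts"])
        elif (m := MILTER_RE.match(line)) and m["qid"] in viruses:
            qid, start = m["qid"], received.get(m["qid"])
            # Seconds between sendmail's from= line and the milter reply.
            wait = int((when(m["ts"]) - start).total_seconds()) if start else None
            rows.append({"qid": qid, "virus": viruses[qid], "code": m["code"],
                         "text": m["text"], "wait_s": wait})
    return rows

def tempfailed_viruses(rows):
    """Virus detections that sendmail answered with a 4xx instead of a 5xx."""
    return [r for r in rows if r["code"].startswith("4")]

if __name__ == "__main__":
    for r in correlate(SPAMLOG, MAILLOG):
        print(r["qid"], r["virus"], r["code"], r["text"], f'{r["wait_s"]}s')
```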


