[clamav-win32] Fw: Long bursts of inbound traffic from clamd

Rich Tepper rtepper at mccarter.org
Tue Oct 23 22:00:57 CEST 2007


Jeff

I have been seeing this also.  Running in debug mode showed this (I
apologize for the poor pasting job):

LibClamAV Warning: URL http://ar.atwola.com/link/93227468/358490229/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1535965831/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/549135835/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/358100775/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1208146879/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/-2146799554/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1380155871/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1754485370/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1109276555/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/31720177/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/882929591/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/406806840/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/973045234/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1394750689/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1652469958/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/853712414/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1437552535/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1109238927/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/1239947862/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ar.atwola.com/link/93227468/3453579/aoladp?target=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)

It repeated continuously until clamd was stopped.  Right now I have
added an exception to prevent clam from scanning links with
ar.atwola.com in it until I figure out what is going on and that seems
to have stopped the problem (although I have only had it running well
for about 2 hours now).  I know this isn't much help but at least you
know it isn't only you.

-Rich

-----Original Message-----
From: clamav-win32-bounces at lists.clamav.net
[mailto:clamav-win32-bounces at lists.clamav.net] On Behalf Of Jeff
Sent: Tuesday, October 23, 2007 3:55 PM
To: clamav-win32 at lists.clamav.net
Subject: [clamav-win32] Fw: Long bursts of inbound traffic from clamd

Correction...... this has been happening since Friday, not Wednesday.


----- Original Message -----
From: "Jeff" <clamavlist at bedrox.com>
To: <clamav-win32 at lists.clamav.net>
Sent: Tuesday, October 23, 2007 3:25 PM
Subject: [clamav-win32] Long bursts of inbound traffic from clamd


> Since last Wednesday our mail server has seen frequent long bursts (upwards of
> 30-60 minutes each) of inbound traffic of 1-2 Mbps.  Since this is a mail
> server (running Windows Server 2003) I first thought the mail server was under
> a DOS or spam attack.  Not so.
>
> Shutting off all services, one by one through process of elimination, revealed
> the culprit-- spamd.exe which runs as a service.  Every time one of these
> periods of sustained traffic occurs, we can immediately halt it by stopping
> the clamd service.
>
> This is possibly UDP traffic, because "netstat -n" does not show any
> established connections.
>
> We upgraded to the latest Clam version a few weeks ago, but this particular
> problem has only been happening since last Wednesday.   I've completely
> un-installed ClamAV 0.91.2 and re-installed, but that has not helped.
>
> Anyone else seeing this, or have any clues what might be happening?
>
>
> _______________________________________________
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
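
One way to quantify the repeating warnings in the debug output quoted in this thread, as an added example that is not part of the original messages: it rejoins lines that a mail client hard-wrapped mid-URL and counts FOLLOWURLS-limit warnings per host, so a host that dominates the skipped-URL list stands out. The sample log, its example.test hosts, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the warning format shown in the debug output in this thread.
WARNING_RE = re.compile(
    r"LibClamAV Warning: URL\s+(\S+)\s+will not be scanned "
    r"\(FOLLOWURLS limit (\d+) was reached\)"
)

# Constructed sample: two hard-wrapped warnings and two intact ones.
SAMPLE = """\
LibClamAV Warning: URL
http://ads.example.test/link/1/1001/slot?targe
t=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL
http://ads.example.test/link/1/1002/slot?targ
et=_blank&border=0 will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://ads.example.test/link/1/1003/slot will not be scanned (FOLLOWURLS limit 5 was reached)
LibClamAV Warning: URL http://img.example.test/a.gif will not be scanned (FOLLOWURLS limit 5 was reached)
"""

def unwrap(text):
    """Rejoin records split across lines; a new record starts at 'LibClamAV '."""
    records, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("LibClamAV "):
            if current:
                records.append(current)
            current = line
        elif current and line:
            # Heuristic for this paste: the break after "URL" replaced a space,
            # any other break fell in the middle of the URL itself.
            current += (" " if current.endswith("URL") else "") + line
    if current:
        records.append(current)
    return records

def skipped_by_host(text):
    """Count FOLLOWURLS-limit warnings per URL host."""
    hosts = Counter()
    for record in unwrap(text):
        match = WARNING_RE.search(record)
        if match:
            hosts[urlsplit(match.group(1)).hostname or "(unparsed)"] += 1
    return hosts

def noisy_hosts(text, threshold=3):
    """Hosts with at least `threshold` skipped URLs (threshold is an assumption)."""
    return sorted(h for h, n in skipped_by_host(text).items() if n >= threshold)
```
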

