[clamav-users] Error parsing PNG files and 451_mail_server_temporarily_rejected_message

iulian stan iulian at sphere.ro
Tue Oct 20 13:49:39 UTC 2020


Dears,

I can agree with what Ged said. Running qmail/simscan/vpopmail is only 
feasible if you have enough programming language and YOU will continue 
to discover and do your own patches for the problems that can appear. I 
did it for several years but too much is too much.

What version of simscan do you have?
Is your clamav user able to read the files from /var/qmail/simscan/ ? 
Most probably this is the problem and it was there since day 1 and/or 
you changed the group (/etc/group) settings.
Anyhow, look at Roberto's blog (he is another ambitious guy continuing 
with qmail) because you might find really useful things related to 
simscan there. This also includes possible bugs around ripmime.
https://notes.sagredo.eu/en/qmail-notes-185/simscan-38.html


//
Best regards,
Iulian Stan

On 2020-10-20 14:53, G.W. Haywood via clamav-users wrote:
> Hi there,
> 
> On Mon, 19 Oct 2020, Pablo Murillo wrote:
> 
>>  I don't know if the PNG error is present from day 1 or not
> 
> When exactly was day 1?
> 
> Do you have any evidence that your virus scanning has ever worked at
> all?  Have you tried to test it e.g. by sending things like the EICAR
> test file?
> 
> https://en.wikipedia.org/wiki/EICAR_test_file
> 
> Some of the references at the foot of that page may be useful to you.
> 
>> I'm not using milter, I'm using SimScan ...
> 
> I'm not sure how much help I'll be able to give you with Simscan.  The
> little searching I've done about it doesn't fill me with confidence.
> 
> While writing my previous mail it crossed my mind to ask if you knew
> that your version of Spamdyke was six years old, but I decided to let
> it pass.  But I do now think that you need to look at your toolchain.
> Do you know exactly which version of Simscan you're using?  It seems
> there are several.  Looking at
> 
> https://sourceforge.net/projects/simscan/files/
> 
> for example, Simscan was last updated on October 29th 2007.  Looking at
> 
> https://github.com/qmail/simscan
> 
> it was cleaned up and 'modernized' around 2014 but the changelog looks
> rather sparse from 2007 onwards.
> 
> I had a quick look for the alleged Simscan mailing list archives and
> failed to find anything.
> 
> Have you applied any patches to Simscan?  See for example
> 
> https://freebsdrocks.net/simscan.shtml
> 
> The last 13 years have seen ClamAV continuously developed, but not
> Simscan.  I can't point to evidence of incompatibility between the
> two, but it's possible that some may have arisen.  The ClamAV team
> will continue development.  As far as compatibility testing goes I
> don't know how high Simscan will be on their priority list.  Micah
> will probably be able to tell us if they test with it - Micah?
> 
> It appears that Simscan may use 'ripmime' to split up a mail into its
> components and write them to files, before scanning with clamd using
> the clamd CONTSCAN command.  There are other ways to go about it and I
> wonder if it might be where the problem lies.  You might want to look
> for the possibility of saving the temporary files which Qmail writes
> for clamd to scan, so that you can look at them, and for example scan
> them manually.  AFAICT the latest release of 'ripmime' is from 2011,
> nearly a decade old.  All the links given in 'Support options' at
> 
> https://pldaniels.com/ripmime/
> 
> seem to be dead, empty or irrelevant and looking at
> 
> https://github.com/inflex/ripMIME/blob/master/CHANGELOG
> 
> virtually nothing has been done to it since 2008.
> 
> In the past, whenever I've tried to use software with histories like
> this it's been a very unhappy experience.  It's possible that such old
> software has no vulnerabilities, but it's also possible that it's at
> least as big a threat as many of those that you're trying to protect
> against by using ClamAV.
> 
>> I'm sending clamd.conf and 8 minutes of log (clamd.log) attached
> 
> It might help to see more of the log - complete from restart, and with
> a few controlled emails only so that it's easy to see what's going on;
> but I wonder if it's worth the trouble of investigating until you've
> taken a step back and given your toolchain some thought.
> 
> If, despite the risks I've pointed out, you are comfortable with it,
> then I'd suggest you set up a test-bed system which has no Internet
> connection and push some local mail through it to see how it behaves,
> of course watching the logs carefully all the while.
> 
> Have you asked about this on a Qmail mailing list?
> 
> --
> 
> 73,
> Ged.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
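
The permission question raised in the reply above (whether the clamav account can still read /var/qmail/simscan/ after group changes) can be checked one path component at a time. This is an added example, not part of the original thread and not code from simscan or ClamAV; the account name `clamav` and all function names are assumptions, and only classic mode bits are evaluated.

```python
import os
import pwd
import sys
from pathlib import Path

def perm_bits(st, uid, gids):
    """Return the rwx triplet (owner, group or other) that applies to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(target, uid, gids, base="/"):
    """Walk from just below `base` down to `target`; return (path, reason)
    for the first directory the account cannot use, or None if all pass.
    Only classic mode bits are evaluated: ACLs and MAC policy are ignored."""
    if uid == 0:
        return None  # root is not restricted by mode bits
    base, target = Path(base).resolve(), Path(target).resolve()
    current = base
    for part in target.relative_to(base).parts:
        current = current / part
        bits = perm_bits(current.stat(), uid, gids)
        if not bits & 1:
            return (str(current), "missing search (x) permission")
        if current == target and not bits & 4:
            return (str(current), "missing read (r) permission")
    return None

def account_ids(user):
    """Resolve uid and the full group list (primary plus /etc/group entries)."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

if __name__ == "__main__":
    # Assumptions: the scanner account is named "clamav"; the directory is
    # the one named in the message above.
    user = sys.argv[1] if len(sys.argv) > 1 else "clamav"
    workdir = sys.argv[2] if len(sys.argv) > 2 else "/var/qmail/simscan"
    try:
        uid, gids = account_ids(user)
        result = first_blocker(workdir, uid, gids)
    except (KeyError, OSError) as exc:
        sys.exit(f"cannot check: {exc}")
    print("OK" if result is None else f"{result[0]}: {result[1]}")
```

Run it as root so every component can be stat'ed; a non-None result names the directory whose owner, group or mode needs attention.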


