anomy-list

Message backlog

From: Andrew McGill (33530@xyz.molar.is)
Date: Thu 24 Jan 2002 - 06:26:13 UTC

    After trying to figure out why I keep receiving the same spam
    over and over, I read the headers, and noticed that it was
    already a few weeks old. On our mail server, I found sendmail
    going crazy, trying madly to write to a pipe, with a dead anomy
    process hanging from it (this was after a reboot):

    gabriel:~ # ps uaxf | egrep 'sendmail|anomy|sanit'
    root 1905 49.9 1.6 4184 2128 pts/0 R 07:48 2:40 | \_ sendmail: ./g092a1W24075: from queue
    anomy 1906 0.0 0.0 0 0 ? Z 07:48 0:00 | \_ [sanitize <defunct>]
    root 639 0.0 1.2 4208 1608 ? S 07:27 0:00 sendmail: accepting connections
    root 640 87.3 1.4 4292 1888 ? R 07:27 22:46 \_ sendmail: ./g0AIDaW12285: from queue
    anomy 664 0.0 0.0 0 0 ? Z 07:27 0:00 \_ [sanitize <defunct>]
    root 964 0.0 1.4 4120 1796 ? S 07:31 0:00 \_ /usr/sbin/sendmail -FCronDaemon -odi -oem root

    Hmm. 100% CPU. It keeps getting EPIPE, but retrying anyway ...

    gabriel:~ # strace -p 640 2>&1 | head
    write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
    --- SIGPIPE (Broken pipe) ---
    write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
    --- SIGPIPE (Broken pipe) ---
    write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
    --- SIGPIPE (Broken pipe) ---
    write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
    --- SIGPIPE (Broken pipe) ---
    write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
    --- SIGPIPE (Broken pipe) ---
    gabriel:~ #

    Once every few days we get a copy of message headers, without the
    actual attachment. The offending message (which has been in the
    queue for a week) consists entirely of an attached EXE (a virus,
    of course):

    ----VES9U7SP
    Content-Type: text/plain; charset="us-ascii"

    ----VES9U7SP
    Content-Type: application/octet-stream; name="OOIAFGOO.EXE"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="OOIAFGOO.EXE"

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    //snip
    AAAAAAAAAAAAAAAA

    ----VES9U7SP--

    The other mails which are not making it are all EXEs or PIFs. I
    have the sendmail queue files for anyone who is interested.

    Any ideas?
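The strace above shows the pattern a filter-invoking daemon has to avoid: write() returns EPIPE, the reader is already a zombie, and the writer retries forever at 100% CPU. The C program below is an added illustration of the correct handling and is not code from anomy or sendmail. The hypothetical feed_dead_filter() forks a child that stands in for a sanitizer dying before it reads anything, ignores SIGPIPE so the dead reader surfaces as EPIPE rather than killing the parent, stops writing on EPIPE instead of retrying, and reaps the child with waitpid() so it does not linger as <defunct>. The sync pipe (used only to make the dead-reader state deterministic), the function name and the sample base64 body are constructed for this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one attempt to push a message body through a filter child. */
struct feed_result {
    ssize_t bytes_written;  /* bytes the pipe accepted before it broke */
    int     epipe_hit;      /* 1 if write() failed with EPIPE */
    int     child_reaped;   /* 1 if waitpid() collected the child */
    int     child_status;   /* raw status word from waitpid() */
};

/*
 * Hypothetical "write the body to the filter's stdin" step.
 * The child simulates a sanitizer that dies before reading: it closes its
 * end of the data pipe and exits.  A second (sync) pipe lets the parent
 * wait until that has happened, so the EPIPE below is deterministic.
 */
struct feed_result feed_dead_filter(const char *body, size_t len)
{
    struct feed_result r = {0, 0, 0, 0};
    int data[2], sync[2];
    char sink;

    if (pipe(data) < 0 || pipe(sync) < 0) {
        perror("pipe");
        return r;
    }

    /* A dead reader must show up as EPIPE, not as a fatal SIGPIPE. */
    signal(SIGPIPE, SIG_IGN);

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return r;
    }
    if (pid == 0) {
        /* Child: the filter crashes before consuming any input. */
        close(data[0]);
        close(data[1]);
        close(sync[0]);
        close(sync[1]);          /* EOF on the sync pipe: "I'm gone" */
        _exit(1);
    }

    /* Parent side. */
    close(data[0]);
    close(sync[1]);
    /* Block until the child has closed its end: read() returns 0 at EOF. */
    while (read(sync[0], &sink, 1) < 0 && errno == EINTR)
        ;
    close(sync[0]);

    size_t off = 0;
    while (off < len) {
        ssize_t n = write(data[1], body + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;        /* only an interrupted call is worth retrying */
            if (errno == EPIPE)
                r.epipe_hit = 1; /* reader is gone: stop, do not spin */
            else
                perror("write");
            break;
        }
        off += (size_t)n;
    }
    r.bytes_written = (ssize_t)off;
    close(data[1]);

    /* Reap the child so it does not stay around as <defunct>. */
    if (waitpid(pid, &r.child_status, 0) == pid)
        r.child_reaped = 1;
    return r;
}

int main(void)
{
    /* Constructed sample: the first bytes of a base64 MZ header, as in the post. */
    const char body[] = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA\n";
    struct feed_result r = feed_dead_filter(body, sizeof body - 1);
    printf("written=%zd epipe=%d reaped=%d exit=%d\n",
           r.bytes_written, r.epipe_hit, r.child_reaped,
           WIFEXITED(r.child_status) ? WEXITSTATUS(r.child_status) : -1);
    return (r.epipe_hit && r.child_reaped) ? 0 : 1;
}
```

The two things to check in a real MTA or filter wrapper are the same as here: the write loop must treat EPIPE as terminal (retrying a closed pipe can never succeed), and the child must be reaped after the failure so that ps does not fill up with zombie sanitizer processes while the parent burns CPU.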



    hosted by molar.is