After trying to figure out why I keep receiving the same spam
over and over, I read the headers, and noticed that it was
already a few weeks old. On our mail server, I found sendmail
going crazy, trying madly to write to a pipe, with a dead anomy
process hanging from it (this was after a reboot):
gabriel:~ # ps uaxf | egrep 'sendmail|anomy|sanit'
root 1905 49.9 1.6 4184 2128 pts/0 R 07:48 2:40 | \_ sendmail: ./g092a1W24075: from queue
anomy 1906 0.0 0.0 0 0 ? Z 07:48 0:00 | \_ [sanitize <defunct>]
root 639 0.0 1.2 4208 1608 ? S 07:27 0:00 sendmail: accepting connections
root 640 87.3 1.4 4292 1888 ? R 07:27 22:46 \_ sendmail: ./g0AIDaW12285: from queue
anomy 664 0.0 0.0 0 0 ? Z 07:27 0:00 \_ [sanitize <defunct>]
root 964 0.0 1.4 4120 1796 ? S 07:31 0:00 \_ /usr/sbin/sendmail -FCronDaemon -odi -oem root
Hmm. 100% CPU. It keeps getting EPIPE, but retrying anyway ...
gabriel:~ # strace -p 640 2>&1 | head
write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) ---
write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) ---
write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) ---
write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) ---
write(9, "OCTBADo3un///+VuyIAAGgEEBuDagTo\n"..., 8192) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) ---
gabriel:~ #
Once every few days we get a copy of message headers, without the
actual attachment. The offending message (which has been in the
queue for a week) consists entirely of an attached EXE (a virus,
of course):
----VES9U7SP
Content-Type: text/plain; charset="us-ascii"
----VES9U7SP
Content-Type: application/octet-stream; name="OOIAFGOO.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="OOIAFGOO.EXE"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//snip
AAAAAAAAAAAAAAAA
----VES9U7SP--
The other mails which are not making it are all EXEs or PIFs. I
have the sendmail queue files for anyone who is interested.
Any ideas?
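The failure mode in the strace above, as an added example (this is not sendmail or Anomy code): a parent feeds a message down a pipe to a filter child that dies mid-stream, and the write loop treats EPIPE as permanent instead of retrying it forever, then reaps the child so no <defunct> entry is left behind. The filter stand-in, the all-'A' payload and the result type are constructed for the demonstration; only the 8192-byte chunk size is taken from the strace.

```c
/* Added example (not sendmail or Anomy code): feed a message to a filter
 * child over a pipe and stop cleanly when the filter dies mid-stream. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum feed_status { FEED_OK = 0, FEED_READER_GONE = 1, FEED_ERROR = 2 };

struct feed_result {
    enum feed_status status;
    size_t sent;                 /* bytes that actually entered the pipe */
};

/* Which write() failures deserve a retry. EINTR/EAGAIN are transient;
 * EPIPE means nobody will ever read again, so retrying it only spins
 * the CPU, which is exactly the loop the strace above shows. */
int should_retry_write(int err)
{
    return err == EINTR || err == EAGAIN;
}

/* Hypothetical filter (not Anomy's sanitizer): read `consume` bytes,
 * then exit without draining the rest of its input. */
static void filter_child(int rfd, size_t consume)
{
    char buf[4096];
    size_t left = consume;
    while (left > 0) {
        ssize_t n = read(rfd, buf, left < sizeof buf ? left : sizeof buf);
        if (n <= 0)
            break;
        left -= (size_t)n;
    }
    _exit(0);
}

/* Write `len` bytes in 8192-byte chunks (the size seen in the strace),
 * retrying only transient errors and giving up as soon as EPIPE appears. */
static struct feed_result feed_filter(int wfd, const char *data, size_t len)
{
    struct feed_result r = { FEED_OK, 0 };
    while (r.sent < len) {
        size_t chunk = len - r.sent < 8192 ? len - r.sent : 8192;
        ssize_t n = write(wfd, data + r.sent, chunk);
        if (n >= 0) {
            r.sent += (size_t)n;     /* short writes are fine, keep going */
            continue;
        }
        if (should_retry_write(errno))
            continue;
        r.status = (errno == EPIPE) ? FEED_READER_GONE : FEED_ERROR;
        break;
    }
    return r;
}

/* Run one scenario: a `total`-byte constructed message into a filter that
 * dies after `consume` bytes. Always reaps the child, so no <defunct>
 * entry is left the way the ps output above shows. */
struct feed_result run_scenario(size_t total, size_t consume)
{
    struct feed_result fail = { FEED_ERROR, 0 };
    int fds[2];

    /* With SIGPIPE at its default the writer would simply be killed;
     * ignoring it makes write() report EPIPE, as in the strace. */
    signal(SIGPIPE, SIG_IGN);

    if (pipe(fds) < 0)
        return fail;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return fail;
    }
    if (pid == 0) {
        close(fds[1]);
        filter_child(fds[0], consume);   /* never returns */
    }
    close(fds[0]);

    char *msg = malloc(total);           /* constructed payload in place of the base64 body */
    if (!msg) {
        close(fds[1]);
        return fail;
    }
    memset(msg, 'A', total);
    struct feed_result r = feed_filter(fds[1], msg, total);
    free(msg);
    close(fds[1]);

    int status;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    return r;
}

int main(void)
{
    struct feed_result r = run_scenario(4u << 20, 100);
    printf("dying filter:   status=%d, %zu of %u bytes sent\n", r.status, r.sent, 4u << 20);
    r = run_scenario(65536, 65536);
    printf("healthy filter: status=%d, %zu bytes sent\n", r.status, r.sent);
    return 0;
}
```

The first scenario is the one in the post: the filter exits after a few bytes, the pipe fills or loses its last reader, and the writer gets EPIPE and stops well short of the 4 MiB message instead of burning CPU on the same 8192-byte write. The second scenario, a filter that reads everything, completes normally. The exact byte count at which the dying filter is detected depends on pipe buffering and scheduling, which is why only the outcome, not a fixed count, is meaningful.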