Spam assassin and Qmail Scanner issue after update to 2.2.5

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
User avatar
JnascECSI
Forum Regular
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Spam assassin and Qmail Scanner issue after update to 2.2.5

Unread post by JnascECSI »

After updating ossec and asl this morning i'm getting the following Ossec messages almost every minute. Anyone have a clue on what could have caused this.

OSSEC HIDS Notification.
2010 Mar 24 09:45:06

Received From: inet3170->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 24 09:45:05 inet3170 spamd[30589]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /var/qmail/mailnames///.spamassassin/auto-whitelist.lock.inetxxxx.xxxxxxxx.com.30589 for /var/qmail/mailnames///.spamassassin/auto-whitelist.lock: No such file or directory



--END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Mar 24 09:45:06

Received From: inet3170->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 24 09:45:05 inet3170 X-Qmail-Scanner-2.08st: [inetxxxx.xxxxxxx.com126943830179031522] Unable to close pipe to /var/qmail/bin/qmail-queue.orig [61] (#4.3.0) - Illegal seek



--END OF NOTIFICATION
James Nascimento
Chief Information Officer
East Commerce Solutions, Inc.
22 Morris Lane
East Providence, RI 02914
Ph. 800-527-5395 x263
Fax. 888-999-5891
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Unread post by scott »

That means that whatever user spamd is running as cant write to /var/qmail/mailnames///.spamassassin/
User avatar
JnascECSI
Forum Regular
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Unread post by JnascECSI »

All i see is either popuser or root using spamd when running TOP command. what i don't understand is how this was not a problem before then after i updated asl and ossec this morning and now all of a sudden this is happening.

And not sure where to begin to fix it.
James Nascimento
Chief Information Officer
East Commerce Solutions, Inc.
22 Morris Lane
East Providence, RI 02914
Ph. 800-527-5395 x263
Fax. 888-999-5891
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Unread post by scott »

Probably because it wasnt able to detect it before. ASL 2.2.5 & OSSEC 2.4 can detect mail events now (like smtp/pop/imap brute forcing). Previous versions couldnt parse the mail logs. This has probably been happening for a while, just wasnt being reported.
User avatar
JnascECSI
Forum Regular
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Unread post by JnascECSI »

So good guess is to probably remove spamassassin and qmail-scanner and re-install them all or am i way off? But if i do that does'nt it remove the atomic-scanner also? not sure what order i should choose.
James Nascimento
Chief Information Officer
East Commerce Solutions, Inc.
22 Morris Lane
East Providence, RI 02914
Ph. 800-527-5395 x263
Fax. 888-999-5891
breun
Long Time Forum Regular
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Unread post by breun »

That Illegal seek message is caused by a bug in Plesk's qmail. There is a patched qmail-queue here: http://forum.parallels.com/showpost.php ... stcount=51

If you're using qmail-scanner make sure you replace /var/qmail/bin/qmail-queue.orig with the patched version (and match that file's ownership and permissions) instead of /var/qmail/bin/qmail-queue.
Lemonbit Internet Dedicated Server Management
Post Reply