Back in June I sent myself the EICAR test signature to make sure my postfix/amavis/spamassassin etc. setup was working properly. I didn't notice at the time, but this somehow created a tear in the space-time continuum or something whereby every 5 minutes the mail server sends it to itself, over and over.
Oct 7 20:25:39 yavin postfix/smtpd[5598]: connect from localhost[127.0.0.1]
Oct 7 20:25:39 yavin postfix/smtpd[5598]: 886FA1A14B0: client=localhost[127.0.0.1]
Oct 7 20:25:39 yavin postfix/cleanup[5600]: 886FA1A14B0: message-id=<[email protected]>
Oct 7 20:25:39 yavin postfix/smtpd[5598]: disconnect from localhost[127.0.0.1]
Oct 7 20:25:39 yavin postfix/qmgr[2911]: 886FA1A14B0: from=<>, size=1610, nrcpt=1 (queue active)
Oct 7 20:25:39 yavin postfix/smtpd[5598]: connect from localhost[127.0.0.1]
Oct 7 20:25:39 yavin postfix/smtpd[5598]: A9C0E1A14B1: client=localhost[127.0.0.1]
Oct 7 20:25:39 yavin postfix/cleanup[5600]: A9C0E1A14B1: message-id=<[email protected]>
Oct 7 20:25:39 yavin postfix/smtp[5601]: 886FA1A14B0: to=<[email protected]>, relay=192.168.178.251[192.168.178.251]:25, delay=0.23, delays=0.1/0.04/0.03/0.06, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> Queued mail for delivery)
Oct 7 20:25:39 yavin postfix/qmgr[2911]: 886FA1A14B0: removed
Oct 7 20:25:39 yavin postfix/smtpd[5598]: disconnect from localhost[127.0.0.1]
Oct 7 20:25:39 yavin postfix/qmgr[2911]: A9C0E1A14B1: from=<[email protected]>, size=2037, nrcpt=1 (queue active)
Oct 7 20:25:39 yavin amavis[2720]: (02720-06) Blocked INFECTED (Eicar-Test-Signature), <[email protected]> -> <[email protected]>, quarantine: [email protected], mail_id: AyuN8taIpfBV, Hits: -, size: 576, 606 ms
Oct 7 20:25:39 yavin postfix/smtp[5601]: A9C0E1A14B1: to=<[email protected]>, relay=192.168.178.251[192.168.178.251]:25, delay=0.09, delays=0.04/0/0/0.04, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> Queued mail for delivery)
Oct 7 20:25:39 yavin postfix/qmgr[2911]: A9C0E1A14B1: removed
I stumbled across the issue when I changed the configuration today to route virus-infected mail to the [email protected] address rather than to files on the spam server. Seems this has been re-sending every 5 minutes for four months now.
I seemed to halt it briefly after rebooting the spam server at 7pm tonight and thought it was resolved, but at 8:16pm I got the message again, and every 5 minutes since. It's starting to drive me slightly insane.
Help?
Edit: On changing the configuration back to storing viruses on the server rather than in a mailbox, the issue continues:
Oct 7 22:05:40 yavin amavis[5476]: (05476-01) Blocked INFECTED (Eicar-Test-Signature), <[email protected]> -> <[email protected]>, quarantine: virus-QhKp9pHFTZiG, mail_id: QhKp9pHFTZiG, Hits: -, size: 576, 795 ms
Just instead of e-mails I get files, every 5 minutes.
Edit 2: New full logs after config reversion and restarts of Postfix and Amavis:
Oct 8 02:43:40 yavin postfix/smtpd[12710]: connect from localhost[127.0.0.1]
Oct 8 02:43:40 yavin postfix/smtpd[12710]: 2DD331A1600: client=localhost[127.0.0.1]
Oct 8 02:43:40 yavin postfix/cleanup[12706]: 2DD331A1600: message-id=<[email protected]>
Oct 8 02:43:40 yavin postfix/smtpd[12710]: disconnect from localhost[127.0.0.1]
Oct 8 02:43:40 yavin postfix/qmgr[10957]: 2DD331A1600: from=<[email protected]>, size=2040, nrcpt=1 (queue active)
Oct 8 02:43:40 yavin amavis[10975]: (10975-14) Blocked INFECTED (Eicar-Test-Signature), <[email protected]> -> <[email protected]>, quarantine: virus-nB9ZAvBkol-I, mail_id: nB9ZAvBkol-I, Hits: -, size: 579, 475 ms
Oct 8 02:43:40 yavin postfix/smtp[12711]: 2DD331A1600: to=<[email protected]>, relay=192.168.178.251[192.168.178.251]:25, delay=0.11, delays=0.05/0/0/0.05, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> Queued mail for delivery)
Oct 8 02:43:40 yavin postfix/qmgr[10957]: 2DD331A1600: removed
The problem is your Amavis setup.
Your quarantine destination seems to be a mail address. So Amavis injects the virus mail back into Postfix to be delivered to that address. Postfix now decides to scan the mail first and delegates to Amavis. Amavis recognizes the virus and tries to quarantine it by delivering to the quarantine mail address. So ...
You get the vicious circle, right? Either quarantine mails into a folder or database, or define an exception so that the quarantine mails are not scanned for viruses.
Edit to the edit of the questioner
Now the Message-IDs are different. Meaning that they are different messages with (surprisingly) the same content. This makes me believe that it is either a cron job or some kind of monitoring software that keeps on sending the same content (not the identical mail).
And in the end, James found out that his Nagios monitoring software keeps on sending ...
Oh boy.
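The Message-ID reasoning in the answer above (the same ID every time points to a re-injection loop, a fresh ID each time points to something re-sending the same content) can be checked mechanically. The following is an added example, not code from the thread: a Python script that groups amavis "Blocked INFECTED" lines by signature, sender and recipient, measures their cadence, and counts distinct Message-IDs. The log sample, the addresses, and the assumption that each message's postfix/cleanup line precedes its amavis line are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

TS_RE = re.compile(r'^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ')
MSGID_RE = re.compile(r'postfix/cleanup\[\d+\]: \w+: message-id=<([^>]*)>')
BLOCKED_RE = re.compile(
    r'amavis\[\d+\]: \(\S+\) Blocked INFECTED \(([^)]+)\), <([^>]*)> -> <([^>]*)>')

def analyze(log_text, tolerance_s=30):
    """Group amavis 'Blocked INFECTED' hits by (signature, from, to); report cadence and Message-IDs."""
    events = defaultdict(list)  # (sig, from, to) -> [(timestamp, message-id), ...]
    last_msgid = None  # simplifying assumption: the cleanup line precedes its amavis line
    for line in log_text.splitlines():
        if m := MSGID_RE.search(line):
            last_msgid = m.group(1)
        elif m := BLOCKED_RE.search(line):
            ts = datetime.strptime(' '.join(TS_RE.match(line).groups()), '%b %d %H:%M:%S')
            events[m.groups()].append((ts, last_msgid))
    report = {}
    for key, hits in events.items():
        times = [t for t, _ in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        typical = statistics.median(gaps) if gaps else None
        regular = bool(gaps) and all(abs(g - typical) <= tolerance_s for g in gaps)
        ids = {mid for _, mid in hits}
        if regular and len(ids) == 1:
            verdict = 'loop'       # one message re-injected over and over
        elif regular:
            verdict = 'periodic'   # fresh messages, same content: cron job or monitoring probe
        else:
            verdict = 'irregular'  # no fixed cadence, probably real detections
        report[key] = {'count': len(hits), 'interval_s': typical,
                       'distinct_message_ids': len(ids), 'verdict': verdict}
    return report

# Constructed sample modelled on the thread's logs (addresses and IDs are made up).
SAMPLE_LOG = """\
Oct  7 20:20:39 yavin postfix/cleanup[5600]: 1A1: message-id=<probe-1@yavin.example>
Oct  7 20:20:39 yavin amavis[2720]: (02720-05) Blocked INFECTED (Eicar-Test-Signature), <nagios@yavin.example> -> <postmaster@yavin.example>, quarantine: virus-a, mail_id: a, Hits: -, size: 576, 600 ms
Oct  7 20:25:39 yavin postfix/cleanup[5600]: 1A2: message-id=<probe-2@yavin.example>
Oct  7 20:25:39 yavin amavis[2720]: (02720-06) Blocked INFECTED (Eicar-Test-Signature), <nagios@yavin.example> -> <postmaster@yavin.example>, quarantine: virus-b, mail_id: b, Hits: -, size: 576, 606 ms
Oct  7 20:30:39 yavin postfix/cleanup[5600]: 1A3: message-id=<probe-3@yavin.example>
Oct  7 20:30:39 yavin amavis[2720]: (02720-07) Blocked INFECTED (Eicar-Test-Signature), <nagios@yavin.example> -> <postmaster@yavin.example>, quarantine: virus-c, mail_id: c, Hits: -, size: 576, 610 ms
"""
if __name__ == '__main__':
    for key, info in analyze(SAMPLE_LOG).items():
        print(key, info)
```

On the sample the 5-minute cadence with three different Message-IDs yields the "periodic" verdict, which is exactly the pattern that pointed to a monitoring probe here.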
So, I figured it out. Turns out it was a Nagios script that checks whether amavis is running, and more importantly for this particular issue, checks that the AV engine is working... by sending it the EICAR virus.
http://exchange.nagios.org/directory/Plugins/Anti-2DVirus/Amavis/check_amavis/details is the script in question if anyone is interested.
Thanks all to those that tried to help, you definitely helped me figure it all out!
That may be the case, depending on your setup of postfix and amavis. If postfix tries to send it somewhere and amavis intercepts the sending (as indicated in the third-to-last line), the message will stay in the queue. Normally, the queue entry would be deleted after 72h of not sending it, but if amavis also blocks the deletion of the message (as it is another access to a virus file), the message never gets out of the queue.
Did you already try simply deleting the send queue for this message, or even for the address, via the administrative tools of postfix?