Topic: virus_scan FAILED and mail.log mad, Spam Attack? Help [SOLVED]
==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Ubuntu 12.04
- Related log if you're reporting an issue: /var/log/mail.log
It was impossible to send/receive mail this morning. I checked /var/log/mail.err:
May 18 23:13:47 ns3098045 amavis: (22052-01) (!!)TROUBLE in check_mail: virus_scan FAILED: AV: ALL VIRUS SCANNERS FAILED
May 18 23:15:33 ns3098045 amavis: (04640-14) (!!)WARN: all primary virus scanners failed, considering backups
Then I checked /var/log/mail.log:
May 19 08:30:28 ns3098045 postfix/postdrop: warning: mail_queue_enter: create file maildrop/960772.25480: Permission denied
May 19 08:30:28 ns3098045 postfix/postdrop: warning: mail_queue_enter: create file maildrop/973424.25851: Permission denied
May 19 08:30:29 ns3098045 postfix/postdrop: warning: mail_queue_enter: create file maildrop/17363.20819: Permission denied
May 19 08:30:29 ns3098045 postfix/postdrop: warning: mail_queue_enter: create file maildrop/74294.14258: Permission denied
I have 3 new lines written every second...?!
Then I checked the size of mail.log:
root@ns35:/home# ls -ahl /var/log/mail.log
-rw-r----- 1 syslog adm 1.1G May 19 08:32 /var/log/mail.log
Then I checked the size of my server partition:
root@ns3098045:/home/victor# df -h
Filesystem             Size  Used Avail Use% Mounted on
rootfs                  20G   13G  5.8G  69% /
udev                   987M  4.0K  987M   1% /dev
tmpfs                  200M  300K  200M   1% /run
/dev/sda1               20G   13G  5.8G  69% /
none                   5.0M     0  5.0M   0% /run/lock
none                   997M  4.0K  997M   1% /run/shm
/dev/sda3              898G  274M  852G   1% /home
/home/victor/.Private  898G  274M  852G   1% /home/victor/Private
And with the top command, I see that a Perl process is at 100%.
After this, I feel there is a problem but I don't really know what. So I re-enabled greylisting in Cluebringer, and restarted my server. Now it seems quiet....
I'd be grateful if somebody could explain to me what happened. My mail server worked perfectly for 3 months... Is it a spam attack?
Am I supposed to take any action?
Thank you for any help,