554 Errors?
This is odd. I tried to send a 650K zip file using my FQ mailbox to another FQ user's box and at the end of the upload, I repeatedly got a 554 error:
An unknown error has occurred. Subject 'Wednesday's Log', Account: 'Tom', Server: 'mail.mydomain.com', Protocol: SMTP, Server Response: '554 5.3.0 Message refused.', Port: 1025, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC6F
So I'm thinking maybe it's a transient thing and I then send the message using my Roadrunner mail box, and a minute later, it gets refused by FQ on the recipient side:
----- Transcript of session follows -----
... while talking to mx.futurequest.net.:
>>> DATA
<<< 554 Message refused.
554 5.0.0 Service unavailable
Is something going on? :dunno:
sheila
02-01-2006, 10:59 PM
That is the error returned when the virus scanner (ClamAV) detects a suspected virus on the email.
What kind of email are you trying to send?
Just a simple zip to Chip with the daily ascii logs from his IPNation... I'll try to re-package them and see what happens.
sheila
02-01-2006, 11:04 PM
If the compression ratio is too high, this can trigger a false virus detection. We did recently raise the ratio to a much higher threshold. Perhaps you can turn down the compression ratio?
Darn, I took the compression down as far as it would go with WinZip and still it balked. Finally I set it to no compression and it went through.
How recent was the change? I send zips all the time.
Arthur
02-02-2006, 05:50 AM
How recent was the change? I send zips all the time.
The compression ratio was raised last November, to prevent ClamAV being triggered by high compression ratios. For regular zip files you should never see this problem; you can run into this only with files that have an unusually high compression ratio of more than 1000:1.
The limit on the compression ratio is there to prevent so-called archive bombs (a small archive that expands to a huge file).
-Arthur
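An added example, not part of the original thread and not FutureQuest's or ClamAV's code: one way to apply a ratio limit like the 1000:1 threshold described above, measuring each zip member while streaming it so that a small archive cannot expand without bound. The per-member byte cap, the helper names and both sample archives are assumptions constructed for the illustration.

```python
import io
import zipfile

MAX_RATIO = 1000                      # the 1000:1 limit quoted in the thread
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # assumed cap on expanded size per member
CHUNK = 64 * 1024

def scan_zip(data, max_ratio=MAX_RATIO, max_bytes=MAX_MEMBER_BYTES):
    """Return (name, bytes_read, ratio, verdict) for every file in the archive.

    Expanded size is counted while streaming, not taken from the header's
    declared size, and reading stops as soon as a limit is crossed.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            packed = max(info.compress_size, 1)   # avoid dividing by zero
            expanded, verdict = 0, "ok"
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    expanded += len(chunk)
                    if expanded > max_bytes:
                        verdict = "too-large"
                        break
                    if expanded / packed > max_ratio:
                        verdict = "ratio-exceeded"
                        break
            results.append((info.filename, expanded, expanded / packed, verdict))
    return results

def make_zip(name, payload):
    """Build a one-file deflate-compressed zip in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a text log like the ones in the thread, and a run of zeros.
LOG_ZIP = make_zip("wednesday.log", "".join(
    f"2006-02-01 12:{i % 60:02d} host{i % 7} GET /page{i} 200\n"
    for i in range(5000)).encode())
ZERO_ZIP = make_zip("zeros.bin", bytes(10 * 1024 * 1024))

if __name__ == "__main__":
    for sample in (LOG_ZIP, ZERO_ZIP):
        for name, size, ratio, verdict in scan_zip(sample):
            print(f"{name}: {size} bytes read, {ratio:.0f}:1, {verdict}")
```

Ordinary text logs land far below the limit, while a run of zeros sits close to the maximum ratio deflate can reach, which is the kind of input the limit is meant to stop.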
Phil Chaney
02-02-2006, 01:50 PM
One of my users got the same result today. He tried to forward an email to me, and Thunderbird kicked it back as a 5.3.0 error - which translates to a 554. It turns out that it's a suspicious email, because it's spoofed to appear as if it came from our own domain and it had a suspicious attachment. So it appears ClamAV kicked it back when he tried to forward it, but ClamAV didn't catch it when it was sent originally to the server. Why would it get through the first time though?
sheila
02-03-2006, 12:20 AM
So it appears ClamAV kicked it back when he tried to forward it, but ClamAV didn't catch it when it was sent originally to the server. Why would it get through the first time though?
It's really hard to answer questions like these without more specifics.
However, here is one possibility...
We have our ClamAV installation set up to update with new virus signatures hourly. I suppose it is possible that the virus signatures were updated in between these two sends, so that now the email is being blocked and originally it was not.
Phil Chaney
02-03-2006, 07:16 PM
Thanks Sheila!
That would make sense to me.
CamFraser
02-22-2006, 09:56 PM
Arthur: the files Tom referenced only have about a 10 to 1 compression ratio. Nowhere near 1000 to 1. Could this be some other issue? Clam is installed on my wife's dedicated server, and I make most of the admin decisions, so if there's issues, I'd like to know. Thanks for any info you can provide!
Tom: I'm on dial up at home, so sending large attachments is a pain. I've arranged with Chipmunk that I upload my log bundle zips to a private directory, email C the filename, then C downloads direct. There's probably no reason why you couldn't do that too.
I've even thought it'd be cool if the Viewer handled the uploads directly. There's already FTP download, so it'd probably be easy to add code to upload after creating a log bundle, then dummy up an email with the URL in it.
If you'd also find that useful, I'll suggest it to C.
to Chip with the daily ascii logs from his IPNation
"chip" is a nickname someone here created, purely as the first syllable of "chip munk". I gather C liked it, being somewhat obsessed about that group of rodents, so one shouldn't infer anything about gender from it.
*cough* Too bad there aren't any serious Firefly/Serenity fans here, or they'd be able to answer that question based on some crew pics submitted at the (now defunct) Universal fan site.
Note to the alleged forum Browncoat: see how easy it is to insert a completely gratuitous Firefly/Serenity reference? :P
Arthur
02-23-2006, 04:38 AM
Arthur: the files Tom referenced only have about a 10 to 1 compression ratio. Nowhere near 1000 to 1. Could this be some other issue? Clam is installed on my wife's dedicated server, and I make most of the admin decisions, so if there's issues, I'd like to know. Thanks for any info you can provide!
Without seeing the files in question, it's not possible to provide more info and we can but speculate.
-Arthur
Here's more fun: last night I got the error again trying to send a zip, so I decided to just unzip and send the contents of that, which were all ASCII character logs as just files. Total of 6 files was right at a meg.
You guessed it: Another 554 error and no compressing at all. I tried a roadrunner mailbox and it bounced back with the error too. Weird!
So here's a cute twist. I got an obvious phishing message acting like it was Chase bank. I tried to forward it to Chase's abuse@ box because the fake site is still up, and that got rejected with... you guessed it... a 554 error.
So I can see how the system is blocking me from sending a clearly bad URL, but it would be for a good cause, I tell ya!
Terra
03-08-2006, 01:05 PM
Tom, please upload (via FTP) those ZIP files into one of your accounts and send the path info to our Service Desk so that we may inspect them...
I'd like to see the original highly compressed file, as well as when you switched to a lower compression...
Thanks...
--
Terra
sysAdmin
FutureQuest
CamFraser
03-09-2006, 12:39 AM
I eagerly await the autopsy report. :P
Obligatory completely gratuitous Firefly quote:
"Well, they want this body for something, and I'm guessing it ain't a proper burial."
Tom, I volunteered to hammer on the new reinjection filter, so C also sent me the latest dev snapshot of the Viewer. Just played around with the new Upload wizard (handy). Sounds like several testers were interested in that, too. :P
Wassercrats
03-09-2006, 01:01 AM
I tried to forward it to Chase's abuse@ box because the fake site is still up, and that got rejected with... you guessed it... a 554 error.
I don't know about their abuse@ box, but I reported Chase through InterNIC's Whois Data Problem Report System (http://wdprs.internic.net/) in November.
When I emailed domadmin@chase.com I received the following auto-reply that said the delivery failed:
-------------
This is a delivery status notification, automatically generated by MTA ima5.jpmchase.com on Fri, 18 Nov 2005 18:34:50 -0500
Regarding recipient(s) : domadmin@chase.com
Delivery status : Failed. Message could not be delivered to the domain - chase.com. Failed to accept the recipients.
MTA Response :550
The original message headers are included as attachment.
-------------
The attachment was initially unreadable, but after I configured Windows to open DAT files in Notepad, I was able to read it. It said:
-------------
Reporting-MTA: dns; ima5.jpmchase.com
Content-Type: text/plain
Final-Recipient: rfc822;domadmin@chase.com
Diagnostic-Code: smtp; 550 5.1.1 <domadmin@chase.com>... User unknown
Remote-MTA: dns; 170.148.48.225
Action: failed
Status: 5.0.0
-------------
Explanation:
I tried emailing Chase to ask how I can report phishing to them, which is what I'm supposed to do according to The National Consumers League, which says (at http://www.fraud.org/tips/internet/phishing.htm ) "Report phishing, whether you're a victim or not. Tell the company or agency that the phisher was impersonating." Chase's online forms require personal information such as a telephone number, and they're not intended for phishing reports, so I wanted to email them.
And I followed up as recently as January 4th when InterNIC emailed me to see if it's fixed. It wasn't. I don't know why they're so reluctant to shut down the website of a large bank. I didn't see an abuse@... email address anywhere.