Weird "Draining Input" mail loop

We upgraded from 3.0.0 to 3.0.2pre5 over the weekend.

Yesterday afternoon, we started getting an e-mail to our abuse address
that looks like a virus. We were getting the same e-mail from the same
person over and over so at first I thought their system was in a loop.
When I looked into it further, I discovered that we only received the
message once. The loop is within RT. RT successfully delivers the
message, however the following two lines appear in the maillog over and
over (for each delivery):

timeout waiting for input from local during Draining Input

to="|/usr/local/rt3/bin/rt-mailgate --queue abuse-reports --action
correspond --url http://localhost/", ctladdr=<##STRIPPED##> (26/0),
delay=07:50:23, xdelay=00:03:02, mailer=prog, pri=1864651, dsn=4.0.0,
stat=Deferred: prog mailer (/bin/sh) exited with EX_TEMPFAIL

We have RT set to truncate attachments at 8k (if we could we would turn
off attachments completely but since RT treats the body of the message as
an attachment we can’t do that):

Set($MaxAttachmentSize , 8192); # 8k
Set($TruncateLongAttachments , 1);
Set($DropLongAttachments , 1);
Set($SendmailArguments,"-oi -t -ODeliveryMode=b -OErrorMode=m");

Looking in the mail queue, I see the message is about 392k:

-rw------- 1 root daemon 393671 May 6 16:15 dfh46NFISb055113
-rw------- 1 root daemon 1529 May 7 10:35 qfh46NFISb055113

I deleted the message from the queue to kill the loop.

I’m wondering if the size of the message is causing the problem. We have
received other large messages about this size (truncated of course) while
using 3.0.0 without any problems. Any ideas?

Our configuration:
FreeBSD 4.7 / rt3.0.2pre5 / Sendmail 8.12.6p2 / mysql 3.23.52 (InnoDB tables)
Apache/1.3.27 (Unix) mod_ssl/2.8.11 OpenSSL/0.9.6g mod_fastcgi/2.2.12

Regards,
Bill

Bizarre. My only guess is that the spam you got was in a weird encoding
that caused RT to panic. Do you have a copy of the original message that
we can have a look at?


rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

I didn’t save the original, but I’ve got two more today that caused the
exact same problem.

As with yesterday’s message, the new ones definitely look like one of
those old MS Outlook virus/worm thingies… mime type of audio/x-wav with
names ending in .bat and .pif. All three from the same address so they
are now blocked…

I can tar and zip the raw files from the mail queue and send them wherever
you want. Just let me know.
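
The attachment pattern described in the last message (a declared audio/x-wav type on files named .bat or .pif) can be checked mechanically on a raw message. The following is an added example, not part of the thread and not RT code; the function name, the extension list beyond .bat and .pif, and the sample message are assumptions constructed for illustration.

```python
import email
import os
import sys
from email import policy

# Extensions Windows runs directly; .bat and .pif are the two named in the thread.
EXECUTABLE_EXTS = {".bat", ".pif", ".exe", ".scr", ".com", ".cmd"}
# Declared media types that should never carry an executable file name.
MEDIA_PREFIXES = ("audio/", "image/", "video/")

def suspicious_parts(raw_bytes):
    """Return (content_type, filename) for each MIME part whose declared
    media type contradicts an executable file extension."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTS and ctype.startswith(MEDIA_PREFIXES):
            hits.append((ctype, name))
    return hits

# Constructed sample message, not one of the messages from the thread.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1\r\n"
    b'Content-Type: audio/x-wav; name="readme.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="readme.pif"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    # Reads a raw message on stdin when piped, else checks the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    for ctype, name in suspicious_parts(raw):
        print(f"mismatch: declared {ctype}, file name {name}")
```

The check needs the complete message with its headers, because the multipart boundary is declared in the top-level Content-Type header.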