simple email causing spamd 100% CPU

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

simple email causing spamd 100% CPU

Unread post by faris »

Can someone suggest how I might be able to trace the cause of a problem I'm having please?

On two out of three systems, every now and then an email comes in that causes spamd to hit 100% CPU and stay there. Eventually there's a timeout, the message isn't delivered, and the sending system retries. Until the sender gives up, the load on the systems can get quite high because each time the message is delivered spamd gets to 100% and stays there for 5 minutes (I think that's its timeout).

Sending the same problem email to a third system causes no problems at all and it is delivered without issues.

What's REALLY odd on the problem systems is that if I restart clamd (not spamassassin), the spamd process immediately stops going nuts - i.e. exactly the same result as I get when restarting spamassassin itself! I really don't get this!

All three systems run Centos 6, have Plesk, qmail, qmail-scanner, clamav, spamassassin and spamdyke. They are pretty much identical, but not absolutely identical in terms of config. I can't say what might be different -- only that things might have changed over the years they have been in service, even though they started with the same configs.

The emails that I've seen causing this issue all seem to have CSV attachments. They are not big. The last one was 2Mb.

The interaction between clamd and spamd is really puzzling me. It is as though spamd is waiting for clamd even though I wasn't aware that the two interact in any way. And of course I'd really like to figure out why the heck these emails are causing a problem in the first place.

Suggestions on where to start would be appreciated!
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: simple email causing spamd 100% CPU

Unread post by scott »

Can you intercept the message to look at it? I remember years ago something like this with a particularly crafted email message (market spam from vmware) that would run the CPU to 100%. It was caused by invalid MIME format encoding.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: simple email causing spamd 100% CPU

Unread post by faris »

I've got the message now. It LOOKS ok to the naked eye. Are there any tools that would check it for me? (also I'm actually forwarding the message, so it has been re-encapsulated I'd have thought?)

Scanning it with clamdscan, it completes in the blink of an eye.

Scanning it with spamassassin -D takes 145 seconds (all in processing the contents of the body) on the machine that doesn't like it at all, and 155 seconds on the machine that's happy with it!

Spamassassin really doesn't like the CSV - it contains many country names, including loads of African states, which seems to be something SA is particularly keen to know about ;-)

I know there's some sort of 120 second timeout in spamassassin/qmail-scanner. I wonder if that has something to do with the problem? For example it times out, but qmail-scanner doesn't notice/care/something, and sends more data/same data/garbage data?

But if so, why does one system let it through? (Actually two -- I've tested on another system which let it through.)

SA gets bogged down when it gets to here (I've just put a few lines):

Feb 27 14:56:40.470 [2598] dbg: rules: compiled body tests
Feb 27 14:57:21.209 [2598] dbg: rules: ran body rule __SUBSCRIPTION_INFO ======> got hit: "Register"
Feb 27 14:57:22.887 [2598] dbg: rules: ran body rule __HAS_ANY_EMAIL ======> got hit: "k@sendingdomain.n"
Feb 27 14:57:27.903 [2598] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "F"
Feb 27 14:57:52.915 [2598] dbg: rules: ran body rule __NIGERIA ======> got hit: "Nigeria"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "W"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "K"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "S"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "B"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
(loads and loads of letters and numbers)
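Added example (not part of any post in this thread): one way to turn `spamassassin -D` output like the excerpt above into a ranking of where the wall-clock time went, by measuring the gap before each debug line and summing it per rule. The function names are hypothetical, the sample lines are copied from the post, and a gap before a "got hit" line also includes rules that ran without hitting, so each figure is an upper bound for the named rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the debug output quoted in the post above.
SAMPLE = '''\
Feb 27 14:56:40.470 [2598] dbg: rules: compiled body tests
Feb 27 14:57:21.209 [2598] dbg: rules: ran body rule __SUBSCRIPTION_INFO ======> got hit: "Register"
Feb 27 14:57:22.887 [2598] dbg: rules: ran body rule __HAS_ANY_EMAIL ======> got hit: "k@sendingdomain.n"
Feb 27 14:57:27.903 [2598] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "F"
Feb 27 14:57:52.915 [2598] dbg: rules: ran body rule __NIGERIA ======> got hit: "Nigeria"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "W"
'''

LINE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \[(\d+)\] dbg: (\w+): (.*)$')
RULE = re.compile(r'ran \w+ rule (\S+)')

def parse_ts(text):
    # The log carries no year; pin a leap year so "Feb 29" still parses.
    return datetime.strptime('2000 ' + text, '%Y %b %d %H:%M:%S.%f')

def gaps(log_text):
    """Return [(seconds_since_previous_line_of_same_pid, label), ...]."""
    last, out = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a timestamped dbg line
        ts, pid, channel, msg = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        r = RULE.search(msg)
        label = r.group(1) if r else f'{channel}: {msg[:40]}'
        if pid in last:
            out.append(((ts - last[pid]).total_seconds(), label))
        last[pid] = ts  # track each PID separately (spamd children interleave)
    return out

def slowest(log_text, top=5):
    """Sum the gaps per rule name and return the largest totals first."""
    totals = defaultdict(float)
    for secs, label in gaps(log_text):
        totals[label] += secs
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]

if __name__ == '__main__':
    for label, secs in slowest(SAMPLE):
        print(f'{secs:8.3f}s  {label}')
```

Running the same script over the full debug output from a machine that times out and one that does not shows whether the same rules dominate on both.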
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: simple email causing spamd 100% CPU

Unread post by faris »

AHA!

Changing the timeout in qmail-scanner.pl to 220 (from 120) allows the email to be received with no errors.

How odd. And obviously it doesn't resolve the issue. Nor explain why the other systems allow it in.