Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




Post subject: simple email causing spamd 100% CPU
Posted: Fri Feb 27, 2015 7:34 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Can someone suggest how I might be able to trace the cause of a problem I'm having please?

On two out of three systems, every now and then an email comes in that causes spamd to hit 100% CPU and stay there. Eventually there's a timeout, the message isn't delivered, and the sending system retries. Until the sender gives up, the load on the systems can get quite high because each time the message is delivered spamd gets to 100% and stays there for 5 minutes (I think that's its timeout).

Sending the same problem email to a third system causes no problems at all and it is delivered without issues.

What's REALLY odd on the problem systems is that if I restart clamd (not spamassassin), the spamd process immediately stops going nuts - i.e. exactly the same result as I get when restarting spamassassin itself! I really don't get this!

All three systems run CentOS 6, have Plesk, qmail, qmail-scanner, clamav, spamassassin and spamdyke. They are pretty much identical, but not absolutely identical in terms of config. I can't say what might be different -- only that things might have changed over the years they have been in service, even though they started with the same configs.

The emails that I've seen causing this issue all seem to have CSV attachments. They are not big. The last one was 2Mb.

The interaction between clamd and spamd is really puzzling me. It is as though spamd is waiting for clamd even though I wasn't aware that the two interact in any way. And of course I'd really like to figure out why the heck these emails are causing a problem in the first place.

Suggestions on where to start would be appreciated!

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: simple email causing spamd 100% CPU
Posted: Fri Feb 27, 2015 9:22 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Can you intercept the message to look at it? I remember years ago something like this with a particularly crafted email message (market spam from VMware) that would run the CPU to 100%. It was caused by invalid MIME format encoding.


Post subject: Re: simple email causing spamd 100% CPU
Posted: Fri Feb 27, 2015 11:11 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I've got the message now. It LOOKS ok to the naked eye. Are there any tools that would check it for me? (also I'm actually forwarding the message, so it has been re-encapsulated I'd have thought?)

Scanning it with clamdscan, it completes in the blink of an eye.

Scanning it with spamassassin -D takes 145 seconds (all in processing the contents of the body) on the machine that doesn't like it at all, and 155 seconds on the machine that's happy with it!

SpamAssassin really doesn't like the CSV - it contains many country names, including loads of African states, which seems to be something SA is particularly keen to know about ;-)

I know there's some sort of 120 second timeout in spamassassin/qmail-scanner. I wonder if that has something to do with the problem? For example it times out, but qmail-scanner doesn't notice/care/something, and sends more data/same data/garbage data?

But if so, why does one system let it through (actually two -- I've tested on another system which let it through)?

SA gets bogged down when it gets to here (I've just put a few lines):

Feb 27 14:56:40.470 [2598] dbg: rules: compiled body tests
Feb 27 14:57:21.209 [2598] dbg: rules: ran body rule __SUBSCRIPTION_INFO ======> got hit: "Register"
Feb 27 14:57:22.887 [2598] dbg: rules: ran body rule __HAS_ANY_EMAIL ======> got hit: "k@sendingdomain.n"
Feb 27 14:57:27.903 [2598] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "F"
Feb 27 14:57:52.915 [2598] dbg: rules: ran body rule __NIGERIA ======> got hit: "Nigeria"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "W"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "K"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "S"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "B"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
(loads and loads of letters and numbers)

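Added example (not part of the original thread): a Python script that turns `spamassassin -D` output like the lines quoted in the post above into time gaps between consecutive debug lines, so the slow stretches stand out. The function names are hypothetical, and the year 2000 is an assumed placeholder because the log carries no year.

```python
import re
from datetime import datetime

# Lines copied from the debug output quoted in the post above.
SAMPLE = '''\
Feb 27 14:56:40.470 [2598] dbg: rules: compiled body tests
Feb 27 14:57:21.209 [2598] dbg: rules: ran body rule __SUBSCRIPTION_INFO ======> got hit: "Register"
Feb 27 14:57:22.887 [2598] dbg: rules: ran body rule __HAS_ANY_EMAIL ======> got hit: "k@sendingdomain.n"
Feb 27 14:57:27.903 [2598] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "F"
Feb 27 14:57:52.915 [2598] dbg: rules: ran body rule __NIGERIA ======> got hit: "Nigeria"
Feb 27 14:58:11.677 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "F"
Feb 27 14:58:11.678 [2598] dbg: rules: ran body rule __BODY_TEXT_LINE ======> got hit: "W"
'''

# "<Mon> <day> <HH:MM:SS.mmm> [<pid>] dbg: <channel>: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+\.\d+) \[(\d+)\] dbg: \w+: (.*)$")
RULE = re.compile(r"^ran \w+ rule (\S+)")


def parse_debug(text):
    """Yield (timestamp, pid, label) per debug line; non-matching lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log has no year; 2000 is assumed so that "Feb 29" still parses.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        rule = RULE.match(m.group(3))
        yield ts, m.group(2), rule.group(1) if rule else m.group(3)


def slowest_gaps(text, min_seconds=1.0):
    """Return [(seconds, label)], slowest first, for gaps of at least min_seconds.

    Gaps are tracked per PID so interleaved processes do not mix. Each gap is
    charged to the line that ends it and therefore includes any work that
    produced no debug line of its own.
    """
    last_seen, gaps = {}, []
    for ts, pid, label in parse_debug(text):
        if pid in last_seen:
            delta = (ts - last_seen[pid]).total_seconds()
            if delta >= min_seconds:
                gaps.append((round(delta, 3), label))
        last_seen[pid] = ts
    return sorted(gaps, reverse=True)


if __name__ == "__main__":
    for seconds, label in slowest_gaps(SAMPLE):
        print(f"{seconds:8.3f}s  {label}")
```

Comparing the same report from a machine that delivers the message and one that times out shows whether both spend the time in the same stretch of body rules.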
Post subject: Re: simple email causing spamd 100% CPU
Posted: Fri Feb 27, 2015 11:24 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
AHA!

Changing the timeout in qmail-scanner.pl to 220 (from 120) allows the email to be received with no errors.

How odd. And obviously it doesn't resolve the issue. Nor explain why the other systems allow it in.
