spam comes through

[modom46]

The three nameserver listings in the resolv.conf file all say the same thing when running nslookup bogus.spam-free-zone.com IP:
Non-authoritative answer:
Name: bogus.spam-free-zone.com
Address: 64.187.125.2
with the same IP address.

The resolv.conf has only these now:
nameserver 127.0.0.1
nameserver 209.51.128.19
nameserver 63.247.77.198

I set the timeout for 90 seconds and now get another spam email a little over 90 seconds that came through.

Code: Select all

Received: 	from mail.bluestonerealty.com by godslove.designhosting.biz (envelope-from <ceodometer@thetech.org>, uid 2020) with qmail-scanner-2.02st  (spamassassin: 3.2.4. perlscan: 2.02st.   Clear:RC:0(216.195.196.242):SA:0(?/?):.  Processed in 90.049246 secs); 22 Apr 2008 20:23:01 -0000
	Received: 	from mail.bluestonerealty.com (HELO sales2) (216.195.196.242) by dh-usa.net with SMTP; 22 Apr 2008 16:21:31 -0400
	Received: 	from mail pickup service by boost.org with Microsoft SMTPSVC; Tue, 22 Apr 2008 17:19:47 +0500
	X-Spam-Status: 	No, hits=? required=?

I'm totally lost.

[scott]

Thats a really long processing time, is your system under a lot of load or something?

[modom46]

It's been running above 1. when all these problems started happening.

It has never been this high and I have a better server than a year ago.

top - 18:34:56 up 3:31, 1 user, load average: 1.23, 1.49, 1.40
Tasks: 160 total, 3 running, 157 sleeping, 0 stopped, 0 zombie
Cpu(s): 30.5%us, 6.0%sy, 0.0%ni, 53.2%id, 9.5%wa, 0.2%hi, 0.7%si, 0.0%st
Mem: 1002764k total, 974100k used, 28664k free, 78196k buffers
Swap: 4192944k total, 2180k used, 4190764k free, 326520k cached

Lots of spam taking 65% and downward for the cpu.

Do you think I should uninstall and reinstall all the spam programs?

[modom46]

This morning I uninstalled spam assassin, clamd, razor, dcc, pyzor and qmail-scanner and my loads went down.

I reinstalled just spamassassin, clamd, and qmail-scanner and now my loads shot up again over 2 but are coming down now. I realize the load will go up a little but it was over 2.00 before uninstalling. I have left off dcc, pyzor, and razor and will monitor this since this is not the busiest part of the day and had more spam at night in the early hours than during the day. Still seems a little high compared to the traffic and spam are very high for the cpu use.

Is there anything else I can do to further reduce the load?

Thanks!

[scott]

Nah a load of 1 or 2 is nothing. Its probably the network checks, are any of the services blocking queries from your system?

[modom46]

Now it's spiking to over 3 and running over 2.5 mostly.

This has really never run this high before when the rest, dcc, razor, and pyzor were installed also.

[scott]

Thats not high, 300 is high

[modom46]

LOL 300 and my server would blow!

The problem is still there.

Just got a spam:

Code: Select all

Received: 	from ppp-58-9-55-51.revip2.asianet.co.th by godslove.designhosting.biz (envelope-from <support@comerica.com>, uid 2020) with qmail-scanner-2.02st  (spamassassin: 3.2.4. perlscan: 2.02st.   Clear:RC:0(58.9.55.51):SA:0(?/?):.  Processed in 30.070588 secs); 23 Apr 2008 13:48:34 -0000
	Received: 	from ppp-58-9-55-51.revip2.asianet.co.th (58.9.55.51) by mail.dh-usa.net with SMTP; 23 Apr 2008 09:48:03 -0400
	X-Spam-Status: 	No, hits=? required=?

It shouldn't take 30 seconds to scan an email with only spamassassin, clamd, and qmail-scanner installed should it?

[scott]

Not unless something was slowing it down, no.

[modom46]

Do you know where I could look?

Funny thing about this is that most of the other spam is marked within reason and these several that are getting through are over 30 seconds. I cannot find the link to why the majority today are marked within reason and some are over 30 seconds.

I will know more in the morning as I usually get the most spam that have been coming in lately at this time.

[scott]

Check your logs, or use a sniffer. Test out rbl's, pyzor, dcc, and razor manually, etc.

[modom46]

I checked my mail logs and apache logs but didn't see anything unusual.

I do not have pyzor, dcc, or razor installed at this time. That's why I thought 30 seconds to process was unusual for some emails.

[modom46]

From the maillog when spamd stopped and a few spam were delivered. Where would I look for this problem?

Code: Select all

Apr 23 22:34:55 godslove qmail-remote-handlers[7824]: to=corena_herniter@hotmail.com
Apr 23 22:34:55 godslove spamc[7832]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Apr 23 22:34:55 godslove qmail: 1209004495.919457 delivery 157: success: 65.54.245.40_accepted_message./Remote_host_said:_250_<BAY0-MC12-F17oi2Cq10098c92b@bay0-mc12-f17.bay0.hotmail.com>_Queued_mail_for_delivery/
Apr 23 22:34:55 godslove qmail: 1209004495.919674 status: local 0/10 remote 0/20
Apr 23 22:34:55 godslove qmail: 1209004495.919781 end msg 38635192
Apr 23 22:34:56 godslove spamc[7832]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Apr 23 22:34:56 godslove spamc[7840]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Apr 23 22:34:57 godslove spamc[7832]: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused
Apr 23 22:34:57 godslove spamc[7840]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Apr 23 22:34:58 godslove spamc[7832]: connection attempt to spamd aborted after 3 retries
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: Handlers Filter before-queue for qmail started ...
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: from=wen-mei@barbarajordan.com
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: to=info@designhosting.biz
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: hook_dir = '/var/qmail//handlers/before-queue'
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: recipient[3] = 'info@designhosting.biz'   
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: handlers dir = '/var/qmail//handlers/before-queue/recipient/info@designhosting.biz'
Apr 23 22:34:58 godslove qmail-queue-handlers[7843]: starter: submitter[7844] exited normally

Apr 23 22:35:00 godslove qmail-remote-handlers[7867]: from=wallacesomedaycaldwell@aaamath.com
Apr 23 22:35:00 godslove qmail-remote-handlers[7867]: to=fitness909@gmail.com
Apr 23 22:35:07 godslove relaylock: /var/qmail/bin/relaylock: mail from 194.30.0.31:55148 (smtp5.sarenet.es)
Apr 23 22:35:08 godslove spamc[7886]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Apr 23 22:35:09 godslove spamc[7886]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Apr 23 22:35:10 godslove spamc[7886]: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection refused
Apr 23 22:35:11 godslove spamc[7886]: connection attempt to spamd aborted after 3 retries
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: Handlers Filter before-queue for qmail started ...
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: from=
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: to=tanegral1976@LITTLE-CHAZ.COM
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: hook_dir = '/var/qmail//handlers/before-queue'
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: recipient[3] = 'tanegral1976@little-chaz.com'
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: handlers dir = '/var/qmail//handlers/before-queue/recipient/tanegral1976@little-chaz.com'
Apr 23 22:35:11 godslove qmail-queue-handlers[7889]: starter: submitter[7890] exited normally

[scott]

That means spamd isnt running

[modom46]

[root@godslove ~]# spamd -d
[423] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
[423] warn: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
[423] error: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
spamd: could not create INET socket on 127.0.0.1:783: Address already in use

Please tell me how to fix this?