Help! high spamd processes since installing qmail-scanner

modom46 · Unread post by **modom46** » Tue May 30, 2006 7:13 pm

Hi,

I am having high loads today for these spamd child processes:
961 root 16 0 35036 32M 2216 S 17.7 3.2 0:04 0 spamd child
775 popuser 16 0 35104 33M 2108 S 14.1 3.3 0:03 0 spamd child

One site has gone down already. I rebooted apache but all these spamd child processes are very high, 16, 12, 11, etc.

What do I need to do to keep these down so my sites will stay up?

Thanks!

breun · Unread post by **breun** » Wed May 31, 2006 5:13 am

Strange, my spamd child processes are running as user qmailq (using qmail-scanner-1.25). I see you have one running as root and one running as popuser.

Unread post by **scott** » Wed May 31, 2006 7:06 am

the popuser ones are the psa-spamassassin processes

modom46 · Unread post by **modom46** » Wed May 31, 2006 11:19 am

Hi,

What can I do to get this load down? It is way up today also on these spamd processes. I have qmail-scanner-1.25-9.rhel3.art installed plus spamassassin-3.1.0-1

Should I remove the psa-spamassassin?

Do I need to change something to get the spamd child processes to run as user qmailq?

I did not install Art's spamassassin but left the one on there I had.

Please advise...my server is very slow.

32410 qmailq 23 0 22816 22M 480 R 57.0 2.2 0:02 0 clamd

spamd child hovers around 8, 9, 11, 12, 18, 36 and was 55 a little earlier.

More details:
31630 qmailq 16 0 34520 31M 2220 R 20.7 3.1 0:02 0 spamd child
22448 qmailq 15 0 36340 33M 2064 S 7.3 3.3 0:37 0 spamd child
692 qmailq 23 0 5584 5584 1920 R 5.1 0.5 0:00 0 /usr/bin/perl -T /var/qmail/bin/qmail-scanner-queue.pl
673 qmailq 23 0 5608 5608 1936 S 4.7 0.5 0:00 0 /usr/bin/perl -T /var/qmail/bin/qmail-scanner-queue.pl
688 qmailq 22 0 5560 5560 1916 S 4.3 0.5 0:00 0 /usr/bin/perl -T /var/qmail/bin/qmail-scanner-queue.pl
675 qmailq 20 0 22812 22M 480 S 3.1 2.2 0:00 0 clamd

Thanks!

modom46 · Unread post by **modom46** » Wed May 31, 2006 12:08 pm

Also in /var/spool/qmailscan/quarantine/new there are 3832 listings...is this normal?

Should these be removed? If so, can they be removed automatically?

Unread post by **scott** » Wed May 31, 2006 7:12 pm

try removing psa-spamassassin, on the 2nd post, yes you can delete them. Thats likely worm traffic.

nakediron · Unread post by **nakediron** » Thu Jun 01, 2006 12:45 am

By chance, are you using CentOS 4? I've had similar problems with high loads on my servers. But I just stumbled upon a post that seems to attribute this to a kernel issue...

http://www.atomicrocketturtle.com/forum ... .php?t=877

I'm gonna try compiling a new kernel tomorrow to see if it solves my problem.

modom46 · Unread post by **modom46** » Thu Jun 01, 2006 1:10 am

Hi,

I have centos 3.7 with plesk 8.

I uninstalled psa-spamassassin and now I am receiving all the emails that are marked as *****SPAM***** HIGH * into my inbox only if they are sent to a legitimate email address. Is this the way it is or will this stop later on? I have all my "mail preferences" in plesk admin set to "reject" instead of "bounce".

I am monitoring checking the loads but will be better to check in the morning when it's the highest.

Thanks!

jamesyeeoc · Unread post by **jamesyeeoc** » Thu Jun 01, 2006 2:41 am

modom46 wrote:I uninstalled psa-spamassassin and now I am receiving all the emails that are marked as *****SPAM***** HIGH * into my inbox only if they are sent to a legitimate email address. Is this the way it is or will this stop later on? I have all my "mail preferences" in plesk admin set to "reject" instead of "bounce".

The "reject"/"bounce" option is for handling emails addressed to non-existing mailnames. Emails to your legitimate accounts which score above the SA limit will be marked with ***SPAM*** and be delivered to the legitimate mailbox.

Qmail-scanner does have some options for site/server wide deleting/rejecting of Spam emails. However, use of these options may cause false-positive-flagged-emails ("good" email erroneously marked as Spam) to be rejected or deleted.

I know the qmail-scanner-queue.pl file is a bit daunting to sift through, but look for the sections:

# st: Spam messages with a score higher than
# (required_hits + sa_quarantine) should be quarantined.
# Only relevant if SpamAssassin is used.
# Score of 0 means deliver all messages. Defaults to 0.
my $sa_quarantine_site='0';

# st: If you enable sa-reject and sa-delete is properly set,
# messages with a score higher than (required_hits + sa_delete)
# will be rejected before the smtp session is closed.
# Otherwise they are just dropped silently. (1/0)
my $sa_reject_site='0';

# st: Spam messages with a score higher than
# (required_hits + sa_delete) should be deleted (or rejected).
# Only relevant if SpamAssassin is used. Score of 0
# means deliver all messages. Defaults to 0.
# If sa-quarantine is set, sa-delete must be greater.
my $sa_delete_site='0';

Use at your own discretion/risk. I am not recommending the use of any of these options, just detailing where you can set them.

modom46 · Unread post by **modom46** » Thu Jun 01, 2006 9:23 pm

Hi,

I am getting a little further with this.

I set these settings in qmail-scanner-queue.pl file:
my $sa_quarantine_site='2';
my $sa_delete_site='8';
my $sa_reject_site='1';

Everything was working fine until my server loads increased because of apache processes and child spamd and I had the plesk spamassassin (SpamAssassin support) installed but turned off. When the server slowed down I stopped httpd and restarted it and then the spamassassin in plesk showed it was running instead of off.

I uninstalled psa-spamassassin so it is greyed out now in plesk admin.

I just received a spam email that should have been stopped but the header showed "hits=5.6 required=5.0". Before I uninstalled the plesk spamassassin the spam number was set to "5" so according to the quarantine rules above it should have been "hits=5.6 required=7.0".

So is the plesk admin spamassassin that says "SpamAssassin support" in the updater section suppose to be installed along with the spamassassin-3.1.0-1
listed on the server?

Also in the plesk updater section there is one called:
"SPAM blocker for QMail daemon" which shows it is installed.

What is happening?

Thanks!

Unread post by **scott** » Fri Jun 02, 2006 7:54 am

try setting sa_delete to something lower, like 1, setting it to 8 means your system will reject if it scores required_hits + sa_delete, or 13 in your case (5 +

.

modom46 · Unread post by **modom46** » Fri Jun 02, 2006 9:38 am

Ok I changed sa_delete

A few questions ...

1. In /var/qmail/.spamassassin none of the listings are set including:
# How many points before a mail is considered spam.
# required_score
Should this be enabled for the "required hits" now that I don't have psa-spamassassin in plesk anymore?
The email header spam listing says it is "5" but have no idea where it gets that figure.

2. If an email is marked as spam and it is not spam how do you remove it being marked as spam?

3. Why am I getting these all the time still by "root"?
10370 root 16 0 37752 36M 1928 S 14.6 3.6 2:04 0 spamd child
This is the only thing that is showing as installed in the plesk updater section:
SPAM blocker for QMail daemon
Is this related to the spamd child listing and should it be removed?

4. I got this spam email this morning which should have been deleted automatically:
X-Spam-Status: No, hits=-76.5 required=5.0
76.5? How did this get through?

modom46 · Unread post by **modom46** » Fri Jun 02, 2006 12:34 pm

Hi,

Here is another spam email I got showing way over the hit threshold:
X-Spam-Status: No, hits=-67.2 required=5.0

This one came in totally blank in the From: and Subject fields and sent to one of my legitimate email addresses.

Thanks!

breun · Unread post by **breun** » Fri Jun 02, 2006 12:41 pm

The messages got negative hit points. Since -67.2 is not bigger than 5.0 it's not being tagged as spam.

jamesyeeoc · Unread post by **jamesyeeoc** » Fri Jun 02, 2006 12:43 pm

Both of those emails you have shown are actually *below* the threshold. Notice the minus sign

hits=-67.2