Getting Crucified By Spam

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
pridedata
Forum User
Posts: 31
Joined: Wed Jul 12, 2006 4:13 pm

CPU usage 89% and higher on avg.

I am using spamhause.org for RBL, SPF and spamassassin at level 4.

I could use some guidance on how to eliminate this insurge of filth.

I will post whatever conf, log files you need.

Any help would be greatly appreciated.
pridedata

I am getting so much that it is causing spamd to die.
kwebdesign
Forum User
Posts: 93
Joined: Sun Feb 13, 2005 2:24 pm
Location: TN

I hope that 'spamhause.org' was a typo, because if not, then it won't do any good.

Here are the RBLs that I am using:

sbl.spamhaus.org;bl.spamcop.net;dnsbl.njabl.org;cbl.abuseat.org;list.dsbl.org

Some more info about your system would be helpful. For instance, are you using psa-spamassassin, or ART's spamassassin with qmail-scanner? Are you updating your sa rules regularly (such as via rulesdujour)?

Also, what version of PSA are you running? I saw a significant reduction in CPU usage when I applied a particular update in December.
pridedata

centos 4.4
psa-spamassassin with dcc razor pyzor
plesk 8.1


I can only place one in the psa admin area
sbl.spamhaus.org;bl.spamcop.net;dnsbl.njabl.org;cbl.abuseat.org;list.dsbl.org

Is there a conf file where I can add this?
kwebdesign

You should be able to add them all just like I listed them - separated by semicolons (I copied that list right out of my Plesk mail config screen).

I would recommend removing psa-spamassassin and installing ART's packages. The downside is that you lose the ability to configure it for each mailbox via the Plesk interface, but it works server-wide as mail comes in instead of working on each individual mailbox.

While you are at it, I would recommend adding clamav (antivirus), but make sure you are not using Plesk's dr-web - they don't play nice together.

Be sure to run qmail-scanner-reconfigure after you install it.

Code:

yum install spamassassin clamav qmail-scanner
qmail-scanner-reconfigure

Also, check out rulesdujour to update your spamassassin rules. There's another thread on this here: http://atomicrocketturtle.com/forum/viewtopic.php?t=601
pridedata

I've done this and now I cannot send mail. Server times out. I can, however, send mail via Horde.
pridedata

Sending of mail is now down. I'll have customers calling before end of day. Any other assistance is appreciated.
kwebdesign

Is Qmail running? Check the service in PSA. I've had it stop and not restart before when doing an install like this.
pridedata

/etc/init.d/qmail status
qmail-send (pid 13825) is running...


but shows as not running in psa-admin
kwebdesign

Try restarting the service. Also, check your mail log (/usr/local/psa/var/log/maillog) for any indication of what's going on there.

If you can't get it to restart, try removing the RBLs. If that works, add them back one at a time. There have been a few reports of qmail not starting up correctly if it can't connect to the RBLs (although they are all working from my machine).
pridedata

Confirmed: using any RBL service causes qmail to stop running. I have removed it, but that places me back at the mercy of the spammers.
kwebdesign

You said you are using Plesk 8.1 - do you have the latest patches (check the updater)? The initial version of 8.1 did not work correctly when multiple RBLs were entered.

http://forum.swsoft.com/showthread.php?threadid=38543
pridedata

8.10 is current. If I add the stuff in by hand, qmail bombs out also.

This doesn't work:
server_args = /usr/sbin/rblsmtpd -r cbl.abuseat.org -r zen.spamhaus.org -r relays.ordb.org -r bl.spamcop.net /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true



This does:
server_args = /usr/sbin/rblsmtpd /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Mind you, now that I added greylisting it helps, but still getting hit hard.
kwebdesign

Well, I know that relays.ordb.org is no longer in service, and will definitely cause qmail to hang while trying to resolve it. Have you tried with just one RBL that is known to be working, like spamhaus?

Also, note that the zen.spamhaus.org list includes all known dynamic IP addresses (such as ISPs like Comcast, BellSouth, etc.). I tried that one and could no longer send any mail from my house (cable modem), so I switched back to just using the sbl list.
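
Added example, not part of the thread: the post above traces the hang to a DNSBL that is no longer in service, so this shell script checks each zone with the RFC 5782 test entries before it is used as an rblsmtpd -r argument. The function names and the lookup_a wrapper are this example's own assumptions, and it requires dig.

```shell
#!/bin/sh
# Added example: vet DNSBL zones before they reach rblsmtpd's -r arguments.
# RFC 5782: a working IPv4 list answers for 127.0.0.2 and never for 127.0.0.1.

# One bounded A lookup (2 s, single try). Wrapper name is this example's own.
lookup_a() { dig +short +time=2 +tries=1 A "$1" 2>/dev/null; }

# Print one of: ok | dead | wildcard | refused | invalid
dnsbl_status() (
    zone=$1
    case $zone in
        ''|-*|*[!A-Za-z0-9.-]*) echo invalid; return 0 ;;  # keep odd strings out of server_args
    esac
    ip='^127\.[0-9]+\.[0-9]+\.[0-9]+$'   # also drops dig's ";; timed out" text
    pos=$(lookup_a "2.0.0.127.$zone" | grep -E "$ip" | head -n 1 || true)
    neg=$(lookup_a "1.0.0.127.$zone" | grep -E "$ip" | head -n 1 || true)
    case $pos in
        '')            echo dead ;;      # no answer or timeout: zone gone or unreachable
        127.255.255.*) echo refused ;;   # error code (e.g. Spamhaus via a public resolver)
        *) if [ -n "$neg" ]; then echo wildcard; else echo ok; fi ;;  # wildcard lists every IP
    esac
)

# Turn a Plesk-style "a;b;c" list into "-r a -r b", keeping only zones that pass.
rblsmtpd_args() (
    set -f; IFS=';'
    out=
    for zone in $1; do
        st=$(dnsbl_status "$zone")
        if [ "$st" = ok ]; then
            out="$out -r $zone"
        else
            echo "skipping $zone: $st" >&2
        fi
    done
    printf '%s\n' "${out# }"
)

# Usage: rblsmtpd_args 'sbl.spamhaus.org;bl.spamcop.net'
```

Run it from the mail server itself, since the result depends on the resolver that rblsmtpd will actually use.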
pridedata

Well, here is the current news: as long as I don't try to start qmail from the Plesk admin interface, it will retain my settings in smtp(s)_psa. As soon as I try that, I lose all of them. But for now, all settings are in place and working, and the spammers can go to the deepest pit of Hades for all I care.