
Getting Crucified By Spam

Posted: Tue Jan 30, 2007 10:46 am
by pridedata
CPU usage 89% and Higher on avg.

I am using spamhause.org for RBL, SPF and spamassassin at level 4.

I could use some guidance on how to eliminate this insurge of filth.

I will post whatever conf, log files you need.

Any help would be greatly appreciated.

Posted: Tue Jan 30, 2007 10:48 am
by pridedata
I am getting so much that it is causing spamd to die.

Posted: Tue Jan 30, 2007 11:57 am
by kwebdesign
I hope that 'spamhause.org' was a typo, because if not, then it won't do any good.

Here are the RBL's that I am using:

sbl.spamhaus.org;bl.spamcop.net;dnsbl.njabl.org;cbl.abuseat.org;list.dsbl.org

Some more info about your system would be helpful. For instance, are you using psa-spamassassin, or ART's spamassassin with qmail-scanner? Are you updating your sa rules regularly (such as via rulesdujour)?

Also, what version of PSA are you running? I saw a significant reduction in CPU usage when I applied a particular update in December.

Posted: Tue Jan 30, 2007 1:02 pm
by pridedata
centos 4.4
psa-spamassassin with dcc razor pyzor
plesk 8.1


I can only place one in the psa admin area
sbl.spamhaus.org;bl.spamcop.net;dnsbl.njabl.org;cbl.abuseat.org;list.dsbl.org

Is there a conf file where I can add this?

Posted: Tue Jan 30, 2007 1:39 pm
by kwebdesign
You should be able to add them all just like I listed them - separated by semicolons (I copied that list right out of my Plesk mail config screen).

I would recommend removing psa-spamassassin and installing ART's packages. The downside is that you lose the ability to configure it for each mailbox via the Plesk interface, but it works server-wide as mail comes in instead of working on each individual mailbox.

While you are at it, I would recommend adding clamav (antivirus), but make sure you are not using Plesk's dr-web - they don't play nice together.

Be sure to run qmail-scanner-reconfigure after you install it.

Code:

yum install spamassassin clamav qmail-scanner
qmail-scanner-reconfigure

Also, check out rulesdujour to update your spamassassin rules. There's another thread on this here: http://atomicrocketturtle.com/forum/viewtopic.php?t=601

Posted: Tue Jan 30, 2007 2:57 pm
by pridedata
I've done this and now I cannot send mail. Server times out. I can, however, send mail via horde.

Posted: Tue Jan 30, 2007 3:06 pm
by pridedata
Sending of mail is now down. I'll have customers calling before end of day. Any other assistance is appreciated.

Posted: Tue Jan 30, 2007 3:35 pm
by kwebdesign
Is Qmail running? Check the service in PSA. I've had it stop and not restart before when doing an install like this.

Posted: Tue Jan 30, 2007 3:37 pm
by pridedata
/etc/init.d/qmail status
qmail-send (pid 13825) is running...


but shows as not running in psa-admin

Posted: Tue Jan 30, 2007 5:18 pm
by kwebdesign
Try restarting the service. Also, check your mail log (/user/local/psa/var/log/maillog) for any indication of what's going on there.

If you can't get it to restart, try removing the RBL's. If that works, add them back one at a time. There have been a few reports of qmail not starting up correctly if it can't connect to the RBL's (although they are all working from my machine).

Posted: Tue Jan 30, 2007 5:47 pm
by pridedata
Confirmed: using any RBL service causes qmail to stop running. I have removed it, but that places me back at the mercy of the spammers.

Posted: Wed Jan 31, 2007 11:47 am
by kwebdesign
You said you are using Plesk 8.1 - do you have the latest patches (check the updater)? The initial version of 8.1 did not work correctly when multiple RBL's were entered.

http://forum.swsoft.com/showthread.php?threadid=38543

Posted: Wed Jan 31, 2007 12:38 pm
by pridedata
8.10 is current. If I add the stuff in by hand, qmail bombs out also.

this doesn't work
server_args = /usr/sbin/rblsmtpd -r cbl.abuseat.org -r zen.spamhaus.org -r relays.ordb.org -r bl.spamcop.net /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true



this does
server_args = /usr/sbin/rblsmtpd /var/qmail/bin/relaylock /var/qmail/bin/greylist /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Mind you, now that I added greylisting it helps, but I'm still getting hit hard.

Posted: Wed Jan 31, 2007 1:59 pm
by kwebdesign
Well, I know that relays.ordb.org is no longer in service, and will definitely cause qmail to hang while trying to resolve it. Have you tried with just one RBL that is known to be working, like spamhaus?

Also, note that the zen.spamhaus.org list includes all known dynamic IP addresses (such as ISP's like Comcast, BellSouth, etc.). I tried that one and could no longer send any mail from my house (cable modem), so I switched back to just using the sbl list.
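
The dead-list problem described above can be caught before a zone is put on the rblsmtpd command line. The following is an added example, not part of the original thread or of any package mentioned in it: it pulls the -r zones out of a server_args line and queries the RFC 5782 test entries for each one with a short timeout. The function names are illustrative, and it assumes dig is installed.

```shell
#!/bin/sh
# Added example: pre-flight check of the DNSBL zones in an rblsmtpd
# server_args line. Function names are illustrative.

# Print every zone that follows a -r flag, one per line.
rbl_zones() {
    next=0
    for w in $1; do            # unquoted on purpose: split the line into words
        if [ "$next" -eq 1 ]; then echo "$w"; next=0
        elif [ "$w" = "-r" ]; then next=1
        fi
    done
}

# Default lookup: one A query, 3 second timeout, no retries (assumes dig).
dns_a() { dig +short +time=3 +tries=1 A "$1" 2>/dev/null; }
LOOKUP=${LOOKUP:-dns_a}

# RFC 5782 test points: a live IPv4 DNSBL lists 127.0.0.2 and never 127.0.0.1.
zone_status() {
    zone=$1
    listed=$($LOOKUP "2.0.0.127.$zone" | grep -c '^127\.' || true)
    wild=$($LOOKUP "1.0.0.127.$zone" | grep -c '^127\.' || true)
    if [ "$listed" -eq 0 ]; then echo dead
    elif [ "$wild" -gt 0 ]; then echo lists-everything
    else echo ok
    fi
}

# Print "<zone> <status>" per zone; return 1 if any zone is not ok.
check_server_args() {
    rc=0
    for z in $(rbl_zones "$1"); do
        s=$(zone_status "$z")
        echo "$z $s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

# Usage: sh rblcheck.sh "server_args = /usr/sbin/rblsmtpd -r <zone> ... "
if [ $# -gt 0 ]; then check_server_args "$1"; fi
```

A zone reported as dead or lists-everything should be dropped from the -r list before qmail is restarted.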

Posted: Thu Feb 01, 2007 9:43 pm
by pridedata
Well, here is the current news: as long as I don't try to start qmail from the Plesk admin interface it will retain my settings in smtp(s)_psa. As soon as I try that I lose all of them. But for now, all settings are in place and working and the spammers can go to the deepest pit of hades for all I care.