spam comes through

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.

Unread post by martin_68 »

After running the server for a few weeks, more and more spam comes through. It seems that spamd dies; here is a part of the log:

Feb 14 19:15:06 mailgate-1 qmail-scanner[3365]: Clear:RC:0(206.131.237.27):SA:0(?/?): 30.03897

Any ideas?

Unread post by breun »

What does ps aux | grep spamd say?
Lemonbit Internet Dedicated Server Management

Unread post by martin_68 »

breun wrote: What does ps aux | grep spamd say?

[root@mailgate-1 ~]# ps aux | grep spamd
root 2233 0.0 0.8 43368 35752 ? Ss 04:03 0:07 /usr/bin/spamd -d -u qmailq -q -x -c -m50 -r /var/run/spamd.pid
qmailq 14894 1.4 0.9 49744 41276 ? S 09:00 0:26 spamd child
qmailq 18387 0.4 0.8 45484 36956 ? S 09:29 0:00 spamd child
root 18561 0.0 0.0 5084 660 pts/0 S+ 09:30 0:00 grep spamd

Unread post by breun »

SpamAssassin seems to be running. I guess the (?/?) means that some timeout triggered, possibly due to a blacklist not being reachable or your server load being too high to process the message in time.

Unread post by martin_68 »

Where can I configure the timeout and the number of retries? The load should be no problem because the server has 2 dual-core Opteron CPUs and 4 GB RAM.

Unread post by scott »

Yeah, that's failing safe: the default test time is 30 seconds, and if that is exceeded spamc will fail "open". You've got 2 problems here. The first is that you're exceeding the timeout; you can adjust that in /var/qmail/bin/qmail-scanner-queue.pl

my $spamc_binary='/usr/bin/spamc -t 30';

The 2nd problem is that you're exceeding the timeout. :P It shouldn't take 30 seconds to scan a message on your box unless
1) you have network issues
2) you aren't using a local DNS server (nameserver 127.0.0.1 in /etc/resolv.conf)
3) you've been shunned by one of the P2P signature services (dcc, razor, pyzor)
4) your system is being overwhelmed. A month or so ago I added in rate limiting to ucspi-tcp for this situation. You can rate limit based on IP and/or load on the system.

Typically on my systems it takes 5-10 seconds to process a message, so that's what you want to shoot for. Mine were exceeding that level because of the volume of traffic to the box (my spamtrap is really really popular). So the rate limiting in ucspi-tcp cleaned this up immediately. I use the following in /etc/tcpserver/smtp.rules

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",MAXLOAD="350",MAXCONNIP="2",MAXCONNC="5",DIEMSG="421 Service temporarily not avalable"

Which means I throttle when the load gets to 3.5, limit 2 connections per IP, or 5 connections per Class C network. Exceed these thresholds and you get that 421 message.

When you're done, you need to run /usr/bin/maketcprules, and restart smtpd (svc-restart smtpd)
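
A way to measure how often this happens, as an added example that is not part of the original thread: the script reads qmail-scanner log lines, picks out the SA:0(?/?) entries shown in the first post, and separates those that hit the spamc timeout from those that came back unscored sooner. Only the first sample line is from the thread; the others are constructed, and the format of scored entries, SA:n(score/required), is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads qmail-scanner log lines on stdin
# and reports messages delivered without a SpamAssassin score, "SA:n(?/?)".
# $1 = spamc timeout in seconds (the -t value; 30 is the default per the thread).
failopen_report() {
    awk -v limit="${1:-30}" '
    {
        # Locate the verdict token, e.g. Clear:RC:0(206.131.237.27):SA:0(?/?):
        for (i = 1; i <= NF; i++) if ($i ~ /:SA:[0-9]+\(/) break
        if (i > NF) next                 # not a scan-result line
        verdict = $i
        secs = $(i + 1) + 0              # elapsed seconds follow the verdict
        total++
        if (secs > slowest) slowest = secs

        if (verdict !~ /:SA:[0-9]+\(\?\/\?\)/) next   # scored normally

        ip = "-"
        if (match(verdict, /RC:[0-9]+\([^)]*\)/)) {
            ip = substr(verdict, RSTART, RLENGTH)
            sub(/^RC:[0-9]+\(/, "", ip); sub(/\)$/, "", ip)
        }
        # Unscored at or past the limit: spamc gave up waiting.
        # Unscored well before it: check that spamd is reachable at all.
        kind = (secs >= limit) ? "TIMEOUT" : "NOSCORE"
        unscored++
        printf "%s %s %.1f\n", kind, ip, secs
    }
    END { printf "total=%d unscored=%d slowest=%.1f\n", total, unscored, slowest }
    '
}

# Constructed sample: the first line is the one posted in the thread; the
# others are made up and assume scored entries look like SA:n(score/required).
sample_log() {
    cat <<'EOF'
Feb 14 19:15:06 mailgate-1 qmail-scanner[3365]: Clear:RC:0(206.131.237.27):SA:0(?/?): 30.03897
Feb 14 19:15:41 mailgate-1 qmail-scanner[3371]: Clear:RC:0(192.0.2.10):SA:0(1.2/5.0): 6.48211
Feb 14 19:16:02 mailgate-1 qmail-scanner[3380]: Clear:RC:0(198.51.100.7):SA:0(?/?): 0.41277
Feb 14 19:16:30 mailgate-1 qmail-scanner[3391]: Clear:RC:0(192.0.2.44):SA:0(0.3/5.0): 8.90113
EOF
}

sample_log | failopen_report 30
```

On a live system, feed it the file your qmail-scanner entries are logged to instead of sample_log, and pass the -t value you actually configured.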

Unread post by martin_68 »

scott wrote: Yeah, that's failing safe: the default test time is 30 seconds, and if that is exceeded spamc will fail "open". You've got 2 problems here. The first is that you're exceeding the timeout; you can adjust that in /var/qmail/bin/qmail-scanner-queue.pl

my $spamc_binary='/usr/bin/spamc -t 30';

I changed

my $spamc_binary='/usr/bin/spamc -t 30';

to

my $spamc_binary='/usr/bin/spamc -t 60';

scott wrote: Typically on my systems it takes 5-10 seconds to process a message

On my systems too. I have enabled dcc, razor, pyzor, ixhash and fuzzy_ocr (timeout 15 seconds!), so maybe in some rare cases scanning took more than 30 seconds.

Unread post by breun »

scott wrote: I use the following in /etc/tcpserver/smtp.rules

:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl",MAXLOAD="350",MAXCONNIP="2",MAXCONNC="5",DIEMSG="421 Service temporarily not avalable"

Which means I throttle when the load gets to 3.5, limit 2 connections per IP, or 5 connections per Class C network. Exceed these thresholds and you get that 421 message.

When you're done, you need to run /usr/bin/maketcprules, and restart smtpd (svc-restart smtpd)

I'm tuning our Project Gamera box and found this interesting. I only see /etc/tcpcontrol instead of /etc/tcpserver. I guess that's what you meant?

Unread post by scott »

Yeah, the name changed a few revs ago. It's /etc/tcpcontrol now.

Unread post by spaceout »

I was also having this same problem and changed this setting to:

my $spamc_binary='/usr/bin/spamc -t 60';

However, if I ever run qmail-scanner-reconfigure it gets set back to 30. Is there a place I can change it so it is more permanent?

Thanks!

Unread post by Galactic Zero »

Franklyn Halamka
Still learning my way around Linux Security.
http://www.galacticzero.net

Unread post by modom46 »

Hi,

I am having this same spam problem and some really nasty spam is coming through.

[root@godslove ~]# ps aux | grep spamd
root 2788 0.1 4.1 46592 41892 ? Ss Apr16 2:30 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
qscand 20351 5.7 4.8 53408 48556 ? S 22:07 1:51 spamd child
root 28573 4.7 4.6 51792 46924 ? S 22:28 0:33 spamd child
root 32747 0.0 0.0 3896 672 pts/0 S+ 22:40 0:00 grep spamd

/var/qmail/bin/qmail-scanner-queue.pl
my $spamc_binary='/usr/bin/spamc';

Should I add:
-t 60";
like this?
my $spamc_binary='/usr/bin/spamc' -t 60";

I followed this link but I don't have /usr/bin/qmail-scanner listing like it said:

http://atomicrocketturtle.com/forum/vie ... +bin+spamc

I am really overloaded with this spam. I have dcc, pyzor, and all the rest protections on here also and it was doing good until a few weeks ago.

My /etc/resolv.conf is:
nameserver 127.0.0.1
nameserver 63.247.80.42
nameserver 63.247.80.43
domain godslove.designhosting.biz
nameserver 209.51.128.19
nameserver 63.247.77.198

Thanks!

Unread post by scott »

Sure, that would make spamc run 60 seconds, vs. the default 30.

Unread post by Galactic Zero »

This is the file you need to find to make the changes permanent:

#/usr/share/qmail-scanner/configure

Your path may differ but shouldn't.

Unread post by breun »

Galactic Zero wrote: This is the file you need to find to make the changes permanent:

#/usr/share/qmail-scanner/configure

Your path may differ but shouldn't.

It should, actually. It's qmail-scanner-reconfigure.