lot more spam
Posted: Sun Apr 12, 2009 12:21 am
by modom46
Hi,
I ran the clamd .95.1 update the other day and am seeing a lot more spam and server load increasing.
I checked the /var/log/clamav/clamd.log but don't see any errors.
CPU shows spamd child by qscand at 25, 26, 30, or higher.
How can I bring this back down?
freshclam gives this:
[root@godslove ~]# freshclam
ClamAV update process started at Sat Apr 11 23:19:19 2009
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host db.us.clamav.net (IP: 208.67.80.27)
Trying host db.us.clamav.net (194.47.250.218)...
Downloading daily-9225.cdiff [100%]
daily.cld updated (version: 9225, sigs: 38712, f-level: 42, builder: guitar)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 41, recommended = 42
DON'T PANIC! Read http://www.clamav.net/support/faq
Database updated (539379 signatures) from db.us.clamav.net (IP: 194.47.250.218)
Clamd successfully notified about the update.
Re: lot more spam
Posted: Sun Apr 12, 2009 9:12 am
by scott
OK, you're mixing a bunch of unrelated things here, so let's try to break them up:
1) Spam in general: it's never going to be consistent. If you're not using dcc, razor, and pyzor already, definitely check those out (yum install dcc razor-agents pyzor). I'd also check out the greylisting packages if you haven't already: qgreylist or spamdyke.
2) clamav has spam signatures, but it's not strictly for spam. It's really more of a backup for image spam detection.
3) Check out the zen.spamhaus.org rbl.
4) The freshclam update messages are fine; it's safe to ignore them.
Re: lot more spam
Posted: Sun Apr 12, 2009 9:51 am
by modom46
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 41, recommended = 42
I read this at the clamav site so was concerned about it. It also said being OUTDATED had to do with the scanner. A scanner update was not in the 0.95 update the other day.
What does WARNING: Current functionality level = 1, required = 2 mean?
The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don’t upgrade immediately you will be missing the latest viruses.
I have these installed ... dcc, razor, and pyzor.
My load didn't stay up like this before the 0.95.1 update.
This link,
http://zen.spamhaus.org/ goes to a failed page.
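Added example, not part of any post in this thread: a small Python check that reads a freshclam run and reports which databases carry an f-level above the engine's functionality level, which is the condition the FAQ text quoted above describes. The function name `check_freshclam` and the report keys are made up for this example; the sample input is the output from the first post.

```python
import re

# freshclam output copied from the first post in this thread (shell prompt removed).
SAMPLE = """\
ClamAV update process started at Sat Apr 11 23:19:19 2009
main.cld is up to date (version: 50, sigs: 500667, f-level: 38, builder: sven)
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host db.us.clamav.net (IP: 208.67.80.27)
Trying host db.us.clamav.net (194.47.250.218)...
Downloading daily-9225.cdiff [100%]
daily.cld updated (version: 9225, sigs: 38712, f-level: 42, builder: guitar)
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Current functionality level = 41, recommended = 42
DON'T PANIC! Read http://www.clamav.net/support/faq
Database updated (539379 signatures) from db.us.clamav.net (IP: 194.47.250.218)
Clamd successfully notified about the update.
"""

DB_RE = re.compile(r"^([\w.-]+\.(?:cld|cvd)) (?:is up to date|updated) "
                   r"\(version: (\d+), sigs: (\d+), f-level: (\d+)")
LEVEL_RE = re.compile(r"Current functionality level = (\d+), "
                      r"(?:recommended|required) = (\d+)")
FAIL_RE = re.compile(r"^Can't connect to port \d+ of host (\S+) \(IP: ([\d.]+)\)")

def check_freshclam(output):
    """Summarise one freshclam run: database f-levels, engine level, failed mirrors."""
    report = {"engine_level": None, "wanted_level": None,
              "databases": {}, "failed_mirrors": [], "ahead_of_engine": []}
    for line in output.splitlines():
        line = line.strip()
        if m := DB_RE.match(line):
            report["databases"][m[1]] = {"version": int(m[2]), "sigs": int(m[3]),
                                         "flevel": int(m[4])}
        elif m := LEVEL_RE.search(line):
            report["engine_level"], report["wanted_level"] = int(m[1]), int(m[2])
        elif m := FAIL_RE.match(line):
            report["failed_mirrors"].append((m[1], m[2]))
    # The engine level is taken from the warning line; if that line is absent
    # there is nothing to compare against and the list stays empty.
    if report["engine_level"] is not None:
        report["ahead_of_engine"] = sorted(
            name for name, db in report["databases"].items()
            if db["flevel"] > report["engine_level"])
    return report

if __name__ == "__main__":
    for key, value in check_freshclam(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted output this reports daily.cld (f-level 42) as ahead of the engine (level 41), main.cld (f-level 38) as covered, and one mirror that timed out before the second one answered.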
Re: lot more spam
Posted: Sun Apr 12, 2009 1:16 pm
by biggles
Re: lot more spam
Posted: Sun Apr 12, 2009 2:26 pm
by faris
modom46 wrote:
I read this at the clamav site so was concerned about it. It also said being OUTDATED had to do with the scanner. A scanner update was not in the 0.95 update the other day.
What does WARNING: Current functionality level = 1, required = 2 mean?
The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don’t upgrade immediately you will be missing the latest viruses.
You really don't need to worry about this.
I'm sure Scott will come along and give the deep details, but basically there's no real issue.
Faris.
Re: lot more spam
Posted: Tue Apr 14, 2009 11:34 am
by modom46
Thanks Scott for the updated clamav! No errors or warnings running freshclam.
Re: lot more spam
Posted: Thu Apr 16, 2009 1:56 pm
by modom46
There is a lot more server load that I've been seeing even after the update. I keep seeing a lot of these in the maillog:
prefork: child states: IBII
Apr 16 12:45:21 godslove spamd[2648]: spamd: handled cleanup of child pid 1099 due to SIGCHLD
Apr 16 12:45:21 godslove spamd[2648]: prefork: child states: IBI
I had changed the qmail-scanner.ini file to 10 instead of 5. Should I increase this to 20?
SA_SETTINGS="-d -c -m10 -H"
clamd had stopped and the load went down but after restarting and running the qmail-scanner-configure the load is back up.
Re: lot more spam
Posted: Thu Apr 16, 2009 5:42 pm
by faris
I think you need to increase the dnsrbls you use to reduce the amount of spam coming into your machine. Looks like it is just being overloaded.
How much memory do you have?
Re: lot more spam
Posted: Thu Apr 16, 2009 6:17 pm
by modom46
I have CentOS 5.3, P4 3.2 with 2GB so plenty of RAM.
How do I increase the dnsrbls?
I have atomic spamassassin, dcc, pyzor, razor, clamd, sanesecurity. The clamd.conf file is the default except for having the user as qscand. When clamd died earlier the load went way down but now is up again.
Re: lot more spam
Posted: Fri Apr 17, 2009 7:04 am
by scott
I use zen.spamhaus.org; you might also want to look into greylisting with either qgreylist or spamdyke.