MailScanner and SpamAssassin and spam overload

Discuss our MailScanner install script and MailScanner itself
xmanflash
Junior Member
Posts: 30
Joined: 10 Mar 2009, 09:42

MailScanner and SpamAssassin and spam overload

Post by xmanflash »

Seeing this in my Daily Process Log in WHM

Top Process %CPU 94.4 MailScanner: checking with SpamAssassin
Top Process %CPU 86.0 MailScanner: checking with SpamAssassin
Top Process %CPU 78.0 MailScanner: checking with SpamAssassin

We were acting as backup MX for some folks with Windows mail servers - they are dropping the email connections when they get spam - which means my MX backups are having to deal with it all...

..Which means my websites go v e r y s l o w l y for 10 minutes.

I have 2 questions.

1. Can I get Exim to drop the spam the way they do, before it overloads my server?
2. As I am not using SpamAssassin (my server was fitted out by Chirpy) why do I get the lines listed above?

Thanks,
Pete
xmanflash
Junior Member
Posts: 30
Joined: 10 Mar 2009, 09:42

More info on this issue..

Post by xmanflash »

In looking through logs etc today with my tech support guy, we noticed a few things..

1. The overload issues have only been happening for a couple of weeks.

2. A couple of weeks ago I turned on the setting "SpamAssassinTM: Reject mail with a spam score greater than 10 at SMTP time." in Exim settings.

I did this even though SA is not running (in WHM plugins and tweak settings) as I thought my setup would still reject email at SMTP - I had read somewhere in a forum post here that the SA settings will still be used by Exim/MailScanner - (which could be quite wrong!)

This is all glued together by the fact that every time I have the CPU/IO overload, processes grow quickly from 50 to over 800 but restarting MySQL fixes it. Also in the Exim log, for the duration of the slowdown I get lots of the following message:
---------------
2010-04-23 14:05:34 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
2010-04-23 14:05:35 no host name found for IP address 79.135.218.9
2010-04-23 14:05:41 Failed to get write lock for /var/spool/exim_incoming/db/ratelimit.lockfile: timed out
2010-04-23 14:05:41 H=[79.135.218.9] temporarily rejected connection in "connect" ACL: ratelimit database not available
2010-04-23 14:05:46 Failed to get write lock for /var/spool/exim_incoming/db/ratelimit.lockfile: timed out
2010-04-23 14:05:46 H=[59.92.110.253] temporarily rejected connection in "connect" ACL: ratelimit database not available
2010-04-23 14:05:48 no host name found for IP address 210.106.165.140
------------------

I don't know if this is the cause or a result of the problem.

If anyone can shed light or clues on any of this for me - or how it actually should hang together pls do so.. I will report back when I find anything new.. This is a problem that in googling, many people seem to have had and never fixed.. (most are told to delete the exim_incoming/db/ files and force upcp but it rarely works)

Cheers
Pete
Sarah
Moderator
Posts: 921
Joined: 09 Dec 2006, 22:49

Post by Sarah »

1. If you are running MailScanner, enabling any of the SpamAssassin settings in the WHM Exim Configuration Editor will have no effect or will have a detrimental effect, so you should disable all of those.

2. You should be using the RBLs in the Exim Configuration Editor as that will help with preventing spam getting to MailScanner in the first place.

3. If you're having problems with the exim retry or ratelimit databases, check the following:

* make sure that /var/spool/exim_incoming and /var/spool/exim_incoming/db are both owned by mailnull:mail with permissions of 750.
* make sure the contents of /var/spool/exim_incoming/db are owned by mailnull:mail with permissions of 640
* you can try deleting the retry/ratelimit databases by deleting the contents of /var/spool/exim_incoming/db/

Regards,
Sarah
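
The ownership and permission checks from point 3 of the reply above, written as a read-only audit. This is an added example, not part of the original thread and not the forum's or cPanel's own tooling; it assumes GNU `stat` (as on a Linux cPanel server), and the function names `check_one` and `audit_exim_spool` are made up for illustration.

```shell
#!/bin/sh
# Added example: report where the Exim spool differs from the layout described
# in the reply above (mailnull:mail, directories 750, db contents 640).
# Read-only: it changes nothing. Assumes GNU stat (-c format strings).

# check_one PATH WANT_OWNER:GROUP WANT_MODE
# Prints one MISMATCH line and returns 1 if PATH differs from what is wanted.
check_one() {
    got_owner=$(stat -c '%U:%G' "$1" 2>/dev/null) || got_owner="missing"
    got_mode=$(stat -c '%a' "$1" 2>/dev/null) || got_mode="-"
    if [ "$got_owner" != "$2" ] || [ "$got_mode" != "$3" ]; then
        echo "MISMATCH $1: is $got_owner $got_mode, want $2 $3"
        return 1
    fi
    return 0
}

# audit_exim_spool [SPOOL_DIR] [OWNER:GROUP]
# Defaults are the path and owner named in the reply. Returns 0 only when the
# spool directory, its db directory and every file in db all match.
audit_exim_spool() {
    spool=${1:-/var/spool/exim_incoming}
    owner=${2:-mailnull:mail}
    bad=0
    check_one "$spool" "$owner" 750 || bad=$((bad + 1))
    check_one "$spool/db" "$owner" 750 || bad=$((bad + 1))
    for f in "$spool"/db/*; do
        [ -e "$f" ] || continue          # empty db directory: nothing to check
        check_one "$f" "$owner" 640 || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Typical use, as root on the mail server:
#   audit_exim_spool && echo "spool ownership and modes OK"
```

A lock file in `db` that mailnull cannot write is one way to end up with the "Failed to get write lock" entries quoted earlier in the thread, so a MISMATCH line on a file there is worth correcting before deleting the databases.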
xmanflash
Junior Member
Posts: 30
Joined: 10 Mar 2009, 09:42

Re: MailScanner and SpamAssassin and spam overload

Post by xmanflash »

Just to let everyone know, it looks like the slowdown problem was related to memory, and therefore I exclude any of my previous thoughts as to why this was happening re exim etc..

The interesting thing is that my server was reporting 1.6G of RAM free (from 2G) when in actual fact the VPS (Virtuozzo) Management software had a 'memory leak', and was using over 1G of RAM for itself..

Which meant when my web server got to about 1G in memory under heavy load, it started swapping to disk and everything just took a dive from there.. (even with SAS drives!)

A restart of the Virtuozzo management session fixed it - it seems to take about 7 months to get that way..

I own the whole box, and am just running Virtuozzo with one WHM user for ease of migration to new hardware.

Hope that helps,
Pete