how do I disable a sub rule with __
I want to disable all DNS queries to completewhois. This is used in a sub rule, __RCVD_IN_WHOIS. Any other rule I disable by putting a score of 0.0. Can I do the same for a rule with __?

Thanks,
Ram
Re: spamd keeps running at 99% CPU until i kill the process
On 30 Aug 2007, at 16:55, Micke Andersson wrote:

Richard Hobbs wrote:

Hello,

To add information to this problem, it appears that spamd does eventually give up after 5 minutes - which then bounces the message back to the sender stating:

421 SMTP incoming data timeout - message abandoned

Obviously, this cannot keep happening, but I don't know how to stop it... Any advice greatly appreciated.

Thanks again,
Richard.

Hi,

I have had exactly the same problem as you, with about the very same setup as you! The problem was actually a TCP problem, and not a SpamAssassin problem! From a bunch of TCPDUMPs from my side and a good partner side, we did finally track down the problem to TCP_WINDOW_SCALING, which is set to 1 (True) on Debian, which seems to give a problem to Exim. My solution for the problem was to set this parameter to 0 (false). Easiest done by

    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

And further on, this seems to be a problem mostly against old versions of Sendmail, when they were sending to us, and had some kind of attachment in the email as well! (I don't really know where the bug is, if it is in Exim or TCP; I found a solution and am pleased with that.)

Hope this helps you out, a bit off topic though!

This may have fixed the problem by simply severely reducing the data transmission speed. With window scaling off your maximum window size is a mere 64K, hardly enough these days.

I have had this problem since upgrading to the latest SA. But I had also at the same time taken the opportunity to add a load of spam and ham to bayes. It makes much more sense that spamd is trying to do a bayes expire and taking too long. sa-learn --force-expire took a good 4 minutes. Setting auto expire off as suggested in this thread has fixed the problem for me.

THEREFORE: The actual problem must be that it is taking longer to do the bayes expire than spamd's timeout child setting; each new spamd child tries to do a bayes expire but never has enough time to complete it. Otherwise one would expect just a single spamd to go 99%, not every spamd. Right?

Perhaps the bayes auto expire code should be moved to the parent process to prevent this problem.
Re: how do I disable a sub rule with __
ram wrote:

I want to disable all DNS queries to completewhois. This is used in a sub rule, __RCVD_IN_WHOIS. Any other rule I disable by putting a score of 0.0. Can I do the same for a rule with __?

yep.
Re: Bayesian filtering not kicking in, but it's trained.
RinkWorks wrote:

There must be a way to have spamd run in a way that it looks at each individual user's .spamassassin directory instead of the mail daemon user. I'd think that would be a common thing. But I can't figure out how to set it up that way.

Whether you can do that depends on how you're calling SA. If you really want per-user preferences, SA should be called as one of the last steps in your mail processing.

It sounds like you've got SA called as an MTA content filter from Exim, rather than from procmail or maildrop (or whatever else you might be using) just before delivery. You **MAY** be able to modify your existing call to SA enough to do what you want, but content filtering in the MTA is prone to conflicts between what different recipients want done.

My own per-user setups call SA from individual .procmailrc files, at which time there is only one recipient for the message, and it's clear who that recipient is.

-kgd
Handling Spam Surges
Greetings,

How do you handle Spam surges/DoS attacks? We just had a Spam surge/DoS and are looking at ways to better withstand (as best as we can) another surge.

Here is how we start SA:

-c -d -r $PIDFILE -s /var/log/spamd --socketpath=$SOCKET --max-children=150 --min-children=10

Our (1) mail server is configured like this:

CentOS 4.5
Exim 4.67
SpamAssassin version 3.2.3 running on Perl version 5.8.8
ClamAV 0.91.2 (saneSecurity updates)
- handles incoming/outgoing mail
- handles imap/pop/webmail request
Intel D Cpu 3.00Ghz with 2GB of Mem
80GB SATA root disk
200GB SATA mail disk (softraid mirror)
2xIntel e1000

Our mail server was taking a pounding on Friday,

Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: B
Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: BB
Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: BBB
..snip...
..snip...
..snip...
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: BBB
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: IBBB
Fri Sep 7 16:17:19 2007 [26914] info: prefork: child states: BIBBIBBB
..snip..
..snip..
Fri Sep 7 16:19:22 2007 [26914] info: prefork: child states: BBBSBBSBB
Fri Sep 7 16:19:23 2007 [26914] info: prefork: child states: BBBIBBISBB

At the midst of the surge we had 95 child processes running, all busy!

Here are the sar memory stats...

          kbmemfree kbmemused %memused kbbuffers kbcached kbswpfree kbswpused %swpused kbswpcad
16:10:02      16804   2056424    99.19      2900  1310880   2040036       208     0.01        0
16:20:10      37676   2035552    98.18      1872   237376   1736152    304092    14.90    78992
16:30:51      13924   2059304    99.33      1292   308944   1044160    996084    48.82   357444
16:40:02      76652   1996576    96.30      8208  1280796   1756236    284008    13.92   178696
Average:      26403   2046825    98.73      5880  1364057   2024199     16045     0.79     6152

Here are the warnings we saw in the spamd log...

Fri Sep 7 16:20:39 2007 [26914] info: prefork: child states: IB
Fri Sep 7 16:20:40 2007 [25431] warn: spf: lookup failed: Can't locate object method new via package Net::DNS::RR::TXT at /xsys/lib/perl5/site_perl/5.8.8/i686-linux/Net/DNS/RR.pm line 312.
Fri Sep 7 16:20:41 2007 [25428] warn: spf: lookup failed: Can't locate object method new via package Net::DNS::RR::TXT at /xsys/lib/perl5/site_perl/5.8.8/i686-linux/Net/DNS/RR.pm line 312.
Fri Sep 7 16:22:18 2007 [24684] warn: plugin: eval failed: child processing timeout at /xsys/sbin//spamd line 1246, GEN683 line 3398.
Fri Sep 7 16:22:20 2007 [24711] warn: Use of uninitialized value in pattern match (m//) at /xsys/lib/perl5/5.8.8/utf8_heavy.pl line 211, GEN749 line 3398.
Fri Sep 7 16:22:20 2007 [24711] warn: Use of uninitialized value in scalar assignment at /xsys/lib/perl5/5.8.8/utf8_heavy.pl line 227, GEN749 line 3398.
Fri Sep 7 16:26:15 2007 [25227] info: spamd: clean message (1.5/5.0) for cs242027:9190 in 406.1 seconds, 243776 bytes.
Fri Sep 7 16:26:19 2007 [24688] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:26:24 2007 [25046] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:26:28 2007 [24692] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:30:35 2007 [26914] info: spamd: server successfully spawned child process, pid 26312
Fri Sep 7 16:30:37 2007 [24685] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:30:39 2007 [26914] warn: prefork: cannot ping 24702, file handle not defined, child likely to still be processing SIGCHLD handler after killing itself
Fri Sep 7 16:30:39 2007 [26914] warn: prefork: killing failed child 24702 fd=undefined at /xsys/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 171.
Fri Sep 7 16:30:39 2007 [26914] warn: prefork: killed child 24702
Fri Sep 7 16:30:41 2007 [26914] info: spamd: handled cleanup of child pid 24702 due to SIGCHLD
Fri Sep 7 16:30:41 2007 [26914] warn: prefork: cannot ping 24687, file handle not defined, child likely to still be processing SIGCHLD handler after killing itself
Fri Sep 7 16:30:41 2007 [26914] warn: prefork: killing failed child 24687 fd=undefined at
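
Added example (not part of the original post, and not SpamAssassin code): a small Python summary of the spamd log lines quoted above, reading `I` in the `child states` string as an idle child and `B` as a busy one, to show how often the pool had no idle child and which timeouts fired. The function name, the 60-second slow-scan threshold and the selection of sample lines are assumptions of this example.

```python
import re
from collections import Counter

# Sample lines copied from the spamd log in the post above.
SAMPLE_LOG = """\
Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: BBB
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: IBBB
Fri Sep 7 16:17:19 2007 [26914] info: prefork: child states: BIBBIBBB
Fri Sep 7 16:19:23 2007 [26914] info: prefork: child states: BBBIBBISBB
Fri Sep 7 16:22:18 2007 [24684] warn: plugin: eval failed: child processing timeout at /xsys/sbin//spamd line 1246, GEN683 line 3398.
Fri Sep 7 16:26:15 2007 [25227] info: spamd: clean message (1.5/5.0) for cs242027:9190 in 406.1 seconds, 243776 bytes.
Fri Sep 7 16:26:19 2007 [24688] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
"""

STATES = re.compile(r"prefork: child states: ([A-Z]+)\s*$")
SCAN = re.compile(
    r"spamd: (?:clean message|identified spam) \(.*?\) for \S+ in ([\d.]+) seconds")
TIMEOUTS = ("child processing timeout", "copy_config timeout")


def summarize(log_text, slow_seconds=60.0):
    """Summarize spamd load from prefork state lines and timeout warnings."""
    out = {"samples": 0, "saturated": 0, "peak_children": 0,
           "timeouts": Counter(), "slow_scans": []}
    for line in log_text.splitlines():
        m = STATES.search(line)
        if m:
            states = m.group(1)
            out["samples"] += 1
            out["peak_children"] = max(out["peak_children"], len(states))
            # No idle child ('I') means the next connection has to wait.
            if "I" not in states:
                out["saturated"] += 1
            continue
        m = SCAN.search(line)
        if m and float(m.group(1)) >= slow_seconds:
            out["slow_scans"].append(float(m.group(1)))
        for key in TIMEOUTS:
            if key in line:
                out["timeouts"][key] += 1
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high share of saturated samples together with scan times far above the child timeout indicates that the pool is stalled rather than merely short of children.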
List of 600,000 IP addresses of virus infected computers
I've developed an extremely accurate way of detecting virus infected spam zombies. I think it's 100% accurate and catches them on the first try. Here are 600,000 IP addresses I've detected in the last 3 days. Enjoy.

http://iplist.junkemailfilter.com/virus.txt
Re: List of 600,000 IP addresses of virus infected computers
On Mon, 10 Sep 2007 at 10:26 -0700, [EMAIL PROTECTED] confabulated:

I've developed an extremely accurate way of detecting virus infected spam zombies. I think it's 100% accurate and catches them on the first try. Here

You think it's 100% accurate? What about the systems that have been cleaned up?

are 600,000 IP addresses I've detected in the last 3 days. Enjoy.

http://iplist.junkemailfilter.com/virus.txt
Re: List of 600,000 IP addresses of virus infected computers
Duane Hill wrote:

On Mon, 10 Sep 2007 at 10:26 -0700, [EMAIL PROTECTED] confabulated:

I've developed an extremely accurate way of detecting virus infected spam zombies. I think it's 100% accurate and catches them on the first try. Here

You think it's 100% accurate? What about the systems that have been cleaned up?

The data lives for 3 days. If someone is on a dynamic IP then it could also be wrong. It's a list of IP addresses that were infected at the time the virus tried to spam me. With a list like this, if ISPs were to download it and send out notices to their customers, they could clean up a lot of viruses.
Re: List of 600,000 IP addresses of virus infected computers
The users list is not really an appropriate place to advertise your spam/virus filtering business. Please do not feed the trolls.

Thanks,
Michael
Re: List of 600,000 IP addresses of virus infected computers
Marc Perkel wrote:

Duane Hill wrote:

On Mon, 10 Sep 2007 at 10:26 -0700, [EMAIL PROTECTED] confabulated:

I've developed an extremely accurate way of detecting virus infected spam zombies. I think it's 100% accurate and catches them on the first try. Here

You think it's 100% accurate? What about the systems that have been cleaned up?

The data lives for 3 days. If someone is on a dynamic IP then it could also be wrong. It's a list of IP addresses that were infected at the time the virus tried to spam me. With a list like this, if ISPs were to download it and send out notices to their customers, they could clean up a lot of viruses.

We'd need a time stamp of when it happened. All of our IPs in the list (5 or 6) belong to DSL or dialup clients. I have no idea which users they are since I don't know when your system detected them.

Regards,
Rick
Re: Handling Spam Surges
On 9/10/07, Paul Griffith [EMAIL PROTECTED] wrote:

Greetings,

How do you handle Spam surges/DoS attacks? We just had a Spam surge/DoS and are looking at ways to better withstand (as best as we can) another surge.

Here is how we start SA:

-c -d -r $PIDFILE -s /var/log/spamd --socketpath=$SOCKET --max-children=150 --min-children=10

Our (1) mail server is configured like this:

CentOS 4.5
Exim 4.67
SpamAssassin version 3.2.3 running on Perl version 5.8.8
ClamAV 0.91.2 (saneSecurity updates)
- handles incoming/outgoing mail
- handles imap/pop/webmail request
Intel D Cpu 3.00Ghz with 2GB of Mem
80GB SATA root disk
200GB SATA mail disk (softraid mirror)
2xIntel e1000

Our mail server was taking a pounding on Friday,

Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: B
Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: BB
Fri Sep 7 16:17:09 2007 [26914] info: prefork: child states: BBB
..snip...
..snip...
..snip...
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: BBB
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: IBBB
Fri Sep 7 16:17:19 2007 [26914] info: prefork: child states: BIBBIBBB
..snip..
..snip..
Fri Sep 7 16:19:22 2007 [26914] info: prefork: child states: BBBSBBSBB
Fri Sep 7 16:19:23 2007 [26914] info: prefork: child states: BBBIBBISBB

At the midst of the surge we had 95 child processes running, all busy!

Here are the sar memory stats...

          kbmemfree kbmemused %memused kbbuffers kbcached kbswpfree kbswpused %swpused kbswpcad
16:10:02      16804   2056424    99.19      2900  1310880   2040036       208     0.01        0
16:20:10      37676   2035552    98.18      1872   237376   1736152    304092    14.90    78992
16:30:51      13924   2059304    99.33      1292   308944   1044160    996084    48.82   357444
16:40:02      76652   1996576    96.30      8208  1280796   1756236    284008    13.92   178696
Average:      26403   2046825    98.73      5880  1364057   2024199     16045     0.79     6152

Here are the warnings we saw in the spamd log...