Re: spamassassin - more children / faster scanning
Russ Sanders wrote: I have an Ubuntu Linux server running SpamAssassin Server version 3.2.4 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.008). I have at least one account that is having to process from 250 - 400 emails, 99% spam, per HOUR. This works out to be approximately 8,000 emails per day. The spamassassin just can't keep up and it is backing the Queue upto 2500 messages. I have made an adjustment so that the one user can have multiple spamd children running for it, but it doesn't seem to take on more that 2 spamd children. Does the client try to use more than two connections (to spamd) ? I have also recorded that scanning a single message appears to take approximately 15 seconds. I have adjusted the timeout to 5 seconds, but it still appears to be taking 12 - 20 second per message. This works out to 4 per minute, or 240 per hour. So, of course, it can't keep up if it has 450 per hour coming at it. AFAIR, the timeout is whilst waiting for activity, not for the processing of an entire message. I'm guessing you're having DNS problems, or just very slow responses. If you run a message through spamassassin with -D, you'll be able to see. The system is a basic Linode running Ubuntu Linux 8.04 with 512M of memory. How many CPUs/cores? I would like to adjust appropriately Number of Max Children 5 is probably not unreasonable. Number of Spare Children Not of any great importance - 1-2. /Per Jessen, Zürich
Re: spamassassin - more children / faster scanning
On Mon, 2010-11-01 at 04:59 +, Russ Sanders wrote: I have an Ubuntu Linux server running SpamAssassin Server version 3.2.4 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.008). I have at least one account that is having to process from 250 - 400 emails, 99% spam, per HOUR. This works out to be approximately 8,000 emails per day. The spamassassin just can't keep up and it is backing the Queue upto 2500 messages. I have made an adjustment so that the one user can have multiple spamd children running for it, but it doesn't seem to take on more that 2 spamd children. You might also consider implementing greylisting on your MTA. When my ISP did so the spam volume dropped immediately from 80% of the mail I was receiving to between 4% and 8%. I run my own copy of SA. The CPU overheads of greylisting are much lower than those of SA. Martin
Re: spamassassin - more children / faster scanning
On Mon, 1 Nov 2010, Russ Sanders wrote: The system is a basic Linode running Ubuntu Linux 8.04 with 512M of memory. Any way to add more RAM? Suggestions will be appreciated. You want to do things at SMTP time to reduce your email volume. Greylisting has been suggested; I see good results from it here. Rejecting messages that do not have a FDQN in the HELO string works well for me, too. I use milter-regex for this as well as for some other tests. Are you open to SMTP-time reject based on the Zen DNSBL? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r --- 6 days until Daylight Saving Time ends in U.S. - Fall Back
Re: spamassassin - more children / faster scanning
On 11/1/2010 12:59 AM, Russ Sanders wrote: I have an Ubuntu Linux server running SpamAssassin Server version 3.2.4 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.008). I have at least one account that is having to process from 250 - 400 emails, 99% spam, per HOUR. This works out to be approximately 8,000 emails per day. The spamassassin just can't keep up and it is backing the Queue upto 2500 messages. I have made an adjustment so that the one user can have multiple spamd children running for it, but it doesn't seem to take on more that 2 spamd children. I have also recorded that scanning a single message appears to take approximately 15 seconds. I have adjusted the timeout to 5 seconds, but it still appears to be taking 12 - 20 second per message. This works out to 4 per minute, or 240 per hour. So, of course, it can't keep up if it has 450 per hour coming at it. The system is a basic Linode running Ubuntu Linux 8.04 with 512M of memory. I would like to adjust appropriately Number of Max Children Number of Spare Children Number of spamd services per account (upto max children if possible) TimeOut on Scanning of the eMail Suggestions will be appreciated. Do you have any large 3rd party rulesets? If so, try removing them temporarily and see if it runs faster. Make sure you have a local caching DNS server to speed up blacklist queries. Check your memory usage. It sounds like you should have enough for 5 children, but it all depends on how much other stuff is running. If the system starts using swap, SA's performance takes a serious nosedive. If that is the case, either reduce the number of children or add memory. -- Bowie
Re: spamassassin - more children / faster scanning
On Mon, 1 Nov 2010, Russ Sanders wrote: I have an Ubuntu Linux server running SpamAssassin Server version 3.2.4 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.008). I have at least one account that is having to process from 250 - 400 emails, 99% spam, per HOUR. This works out to be approximately 8,000 emails per day. The spamassassin just can't keep up and it is backing the Queue upto 2500 messages. I have made an adjustment so that the one user can have multiple spamd children running for it, but it doesn't seem to take on more that 2 spamd children. I have also recorded that scanning a single message appears to take approximately 15 seconds. I have adjusted the timeout to 5 seconds, but it still appears to be taking 12 - 20 second per message. This works out to 4 per minute, or 240 per hour. So, of course, it can't keep up if it has 450 per hour coming at it. You keep mentioning SA throughput statistics, but you do not mention at all how your server fares load-wise. If your CPU(s) is(are) at 100% or your system is swapping a lot then simply raising the number of SA processes will not really help. The system is a basic Linode running Ubuntu Linux 8.04 with 512M of memory. As already proposed, I'd definitely try to raise the system memory. What is your hardware setup? How does the load on this system look like? Does it have any other load apart from mail/SA? What about your network connection? A saturated Internet connection would also slow down blacklist queries a lot. Any other obvious bottlenecks, such as disk I/O to your mboxes ? Some details about your SA setup would also help. How is it attached to your mail system? Any non-default settings? Are you using Amavis? Any 3rd party/custom rulesets? What do your messages look like? If you are having SA scan a lot of 30MB messages you would definitely notice some performance issues. Are you using sa-compile to produce native code for the ruleset? As mentioned by other people you should also check your DNS system. Some braindead routers and ISPs impose a hard limit on DNS queries. Some BLs also limit the number of hits/hour for each IP unless you purchase a commercial service plan from them. Are you using a caching DNS server, as in http://wiki.apache.org/spamassassin/CachingNameserver? If you are not then the DNS queries themselves could slow processing down to a halt. I would like to adjust appropriately Number of Max Children Number of Spare Children Number of spamd services per account (upto max children if possible) TimeOut on Scanning of the eMail Suggestions will be appreciated. Thank You Russ Regards, Theodoros Kalamatianos
Re: spamassassin - more children / faster scanning
Theodoros V. Kalamatianos wrote: You keep mentioning SA throughput statistics, but you do not mention at all how your server fares load-wise. If your CPU(s) is(are) at 100% or your system is swapping a lot then simply raising the number of SA processes will not really help. The system is a basic Linode running Ubuntu Linux 8.04 with 512M of memory. As already proposed, I'd definitely try to raise the system memory. We have no data on the memory utilization on the OPs system, but two spamd instances in 512M leaves plenty of room. /Per Jessen, Zürich
Re: spamassassin - more children / faster scanning
I have had many helpful responses and I appreciate it. Some simple answers : The system is a Linode 512 which is a virtual server hosted on a larger system of which I don't have the true specifications. Howerver, it runs as a 4 CPU/Core system with 512M of memory. I am looking at adding more memory to the linode to test as an option. The system itself runs very well, with the - CPU Idle status at 98% + - Disk I/O Wait at less than 5% - Free Memory at 60M (or roughly 10%) - The swap is commonly minimal using at between 0M and 50M of disk swap We are not using any third party rulesets, but thank you for the suggestion. We have the system to scan only eMails less than 256K (512K for some), so large emails are not the problem as they are ignored. The rest of the settings are pretty much a default, native installation with default settings. The messages are basic text messages, commonly - standard spam messages. The system commonly runs 2 to 3 connections to spamd with a maximum of 5, but when the email load gets high, it only seems to give two connections to spamd for the 1 user that is receiving the highest amount of eMail (8,000 per day). The problem is that the eMail does not come in regularly, of course. The system keeps up during the day, but during the evening, the system gets hammered with 3,000 emails during a 1 to 2 hour period. It can only process scanning on about 250 per hour per account. I would like to be able to have this one particular user have max number of spamd connections. And, if possible and effective, increase the max number of children to 8 - 10. I read up on processing at SMTP time GreyListing and it sounds effective. I'll see about implementing some of those suggestions, including the Caching DNS Thank You for your advise. Russ
Re: spamassassin - more children / faster scanning
On 11/1/2010 2:26 PM, EACSI Support wrote: I read up on processing at SMTP time GreyListing and it sounds effective. If you are not already doing so, I would highly recommend using the zen.spamhaus.org blacklist at the SMTP level. It will block a large chunk of spam before SA even has to look at it. -- Bowie
Re: spamassassin - more children / faster scanning
On 01/11/10 13:17, John Hardin wrote: On Mon, 1 Nov 2010, Russ Sanders wrote: Suggestions will be appreciated. You want to do things at SMTP time to reduce your email volume. Greylisting has been suggested; I see good results from it here. Rejecting messages that do not have a FDQN in the HELO string works well for me, too. I use milter-regex for this as well as for some other tests. Are you open to SMTP-time reject based on the Zen DNSBL? Absolutely. The 3 measures outlined by John above will massively reduce the load (number of spam) that SpamAssassin (SA) gets to see. If you can tell us your MTA (postfix, sendmail, exim etc?) then I'm sure someone on the list will be able to point you in the right direction for implementing the above measures. With the above measures in place, I'd estimate my SA installation sees around 10 spam for every 1,000 spam sent - 990 get rejected at the smtp stage before SA.
Re: spamassassin - more children / faster scanning
That sound great! We are using PostFix Thank You Russ Ned Slider wrote: On 01/11/10 13:17, John Hardin wrote: On Mon, 1 Nov 2010, Russ Sanders wrote: Suggestions will be appreciated. You want to do things at SMTP time to reduce your email volume. Greylisting has been suggested; I see good results from it here. Rejecting messages that do not have a FDQN in the HELO string works well for me, too. I use milter-regex for this as well as for some other tests. Are you open to SMTP-time reject based on the Zen DNSBL? Absolutely. The 3 measures outlined by John above will massively reduce the load (number of spam) that SpamAssassin (SA) gets to see. If you can tell us your MTA (postfix, sendmail, exim etc?) then I'm sure someone on the list will be able to point you in the right direction for implementing the above measures. With the above measures in place, I'd estimate my SA installation sees around 10 spam for every 1,000 spam sent - 990 get rejected at the smtp stage before SA.
Re: spamassassin - more children / faster scanning
That sounds great! We are using PostFix ... Thanks Russ Ned Slider wrote: On 01/11/10 13:17, John Hardin wrote: On Mon, 1 Nov 2010, Russ Sanders wrote: Suggestions will be appreciated. You want to do things at SMTP time to reduce your email volume. Greylisting has been suggested; I see good results from it here. Rejecting messages that do not have a FDQN in the HELO string works well for me, too. I use milter-regex for this as well as for some other tests. Are you open to SMTP-time reject based on the Zen DNSBL? Absolutely. The 3 measures outlined by John above will massively reduce the load (number of spam) that SpamAssassin (SA) gets to see. If you can tell us your MTA (postfix, sendmail, exim etc?) then I'm sure someone on the list will be able to point you in the right direction for implementing the above measures. With the above measures in place, I'd estimate my SA installation sees around 10 spam for every 1,000 spam sent - 990 get rejected at the smtp stage before SA. -- -- Russ Sanders (r...@eacsi.com) Electronic And Computer Solutions, Inc 8120 E 12th Street, Unit A Tulsa, OK 74112 (918)286-2816 Fax:(918)834-9391 http://www.eacsi.com
Re: spamassassin - more children / faster scanning
On 01/11/10 19:12, EACSI Support wrote: That sound great! We are using PostFix Thank You Russ Ah, great. Here's a couple guides I wrote for greylisting and postfix restrictions. They are based on CentOS, but the principles are no different for Ubuntu. http://wiki.centos.org/HowTos/postfix_restrictions http://wiki.centos.org/HowTos/postgrey They should give you a good starting point from which to build. Hope that helps.
Re: spamassassin - more children / faster scanning
On 11/1/2010 3:10 PM, Ned Slider wrote: On 01/11/10 13:17, John Hardin wrote: On Mon, 1 Nov 2010, Russ Sanders wrote: Suggestions will be appreciated. You want to do things at SMTP time to reduce your email volume. Greylisting has been suggested; I see good results from it here. Rejecting messages that do not have a FDQN in the HELO string works well for me, too. I use milter-regex for this as well as for some other tests. Are you open to SMTP-time reject based on the Zen DNSBL? Absolutely. The 3 measures outlined by John above will massively reduce the load (number of spam) that SpamAssassin (SA) gets to see. If you can tell us your MTA (postfix, sendmail, exim etc?) then I'm sure someone on the list will be able to point you in the right direction for implementing the above measures. With the above measures in place, I'd estimate my SA installation sees around 10 spam for every 1,000 spam sent - 990 get rejected at the smtp stage before SA. On my system, Spamhaus alone blocks over 90% of the incoming spam. -- Bowie
Re: spamassassin - more children / faster scanning
Great! -- thank you! I appreciate all advice ... and will start reading Thanks Russ Ned Slider wrote: On 01/11/10 19:12, EACSI Support wrote: That sound great! We are using PostFix Thank You Russ Ah, great. Here's a couple guides I wrote for greylisting and postfix restrictions. They are based on CentOS, but the principles are no different for Ubuntu. http://wiki.centos.org/HowTos/postfix_restrictions http://wiki.centos.org/HowTos/postgrey They should give you a good starting point from which to build. Hope that helps. -- -- Electronic And Computer Solutions, Inc 8120 E 12th Street, Unit A Tulsa, OK 74112 (918)834-1837 Fax:(918)834-9391
