Hi, OK, so I've had a fun (yeah right) week dealing with three mail hubs that are normally quite happy, and suddenly on Monday/Tuesday their load average goes up to 10+ for no apparent reason. Sometimes it looks like it is ClamAV that's the problem, sometimes exim, and sometimes SA. Argh!
http://www.le.ac.uk/cc/mcn4/sa-re-whoops/

Finally, this morning, after a lot of log searching and trying to trace SA children that have frozen and are eating CPU, I find a single message that triggers the problem. It's just over 100k long, and 99% of it is line feeds.

Turns out that my lax use of \s* in four rules really didn't like this new type of message that's been arriving. Because it crashed SA, it never got logged in the exim logs, so incoming mail and spam detected looked "normal"! Everything was fine with these rules until this strange message triggered them.

I guess that "*" _really_ isn't good to use (as people have said before), and that if you do use them they will come back to get you later!

Removed the rules and all is happy again. I can finally rest for the weekend! Yup, I've learnt my lesson now ;-).

Matthew

--
Matthew Newton <[EMAIL PROTECTED]>
UNIX and e-mail Systems Administrator, Network Support Section, Computer Centre, University of Leicester, Leicester LE1 7RH, United Kingdom
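A check for the kind of rule described in the post, as an added example that is not part of the original message: it scans SpamAssassin rule lines for unbounded `\s*`, `\s+` or `\s{n,}` and proposes a bounded form. The sample rules, the names `lint` and `bound`, and the cap of 20 are assumptions of this example; the poster removed his rules rather than rewriting them.

```python
import re

# Constructed sample rules in SpamAssassin .cf syntax; not the poster's rules.
SAMPLE_CF = r"""
body     LOCAL_DEMO_A  /click\s*here\s+now/i
rawbody  LOCAL_DEMO_B  /<td>\s{2,}<\/td>/
body     LOCAL_DEMO_C  /click\s{0,10}here/i
describe LOCAL_DEMO_A  mentions \s* but is not a regex rule
# body   LOCAL_DEMO_E  /commented\s*out/
"""

# Rule types whose last field is a regex run against message content.
RULE_LINE = re.compile(r"^\s*(body|rawbody|full|header|uri)\s+(\S+)\s+(.+)$")
# \s followed by *, + or an open-ended {n,}. If another backslash precedes it,
# the backslash itself is escaped and this is a literal "s", so it is skipped.
UNBOUNDED_WS = re.compile(r"(?<!\\)\\s(\*|\+|\{(\d+),\})")


def bound(pattern, max_run=20):
    """Rewrite every unbounded whitespace quantifier to a bounded one."""
    def repl(m):
        low = {"*": "0", "+": "1"}.get(m.group(1)) or m.group(2)
        high = max(max_run, int(low))  # keep {n,m} valid when n > max_run
        return r"\s{%s,%d}" % (low, high)
    return UNBOUNDED_WS.sub(repl, pattern)


def lint(cf_text, max_run=20):
    """Return (line_no, rule_name, original, bounded) for each risky rule."""
    findings = []
    for line_no, line in enumerate(cf_text.splitlines(), 1):
        m = RULE_LINE.match(line)
        if m and UNBOUNDED_WS.search(m.group(3)):
            findings.append((line_no, m.group(2), m.group(3),
                             bound(m.group(3), max_run)))
    return findings


if __name__ == "__main__":
    for line_no, name, old, new in lint(SAMPLE_CF):
        print("line %d %s\n  was: %s\n  use: %s" % (line_no, name, old, new))
```

A bounded run caps how much whitespace one quantifier can consume, so a body that is almost entirely line feeds gives the regex engine far fewer positions to retry.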