Greetings,

How do you handle spam surges/DoS attacks? We just had a spam surge/DoS and are looking at ways to better withstand (as best as we can) another surge.


Here is how we start SA:

-c -d -r $PIDFILE -s /var/log/spamd --socketpath=$SOCKET --max-children=150 --min-children=10

Our (1) mail server is configured like this:

CentOS 4.5
Exim 4.67
SpamAssassin version 3.2.3 running on Perl version 5.8.8
ClamAV 0.91.2 (saneSecurity updates)
- handles incoming/outgoing mail
- handles imap/pop/webmail request

Intel D Cpu 3.00Ghz with 2GB of Mem
80GB SATA root disk
200GB SATA mail disk (softraid mirror)
2xIntel e1000

Our mail server was taking a pounding on Friday,

Fri Sep  7 16:17:09 2007 [26914] info: prefork: child states: BBBBB
Fri Sep  7 16:17:09 2007 [26914] info: prefork: child states: BBBBBB
Fri Sep  7 16:17:09 2007 [26914] info: prefork: child states: BBBBBBB
..snip...
..snip...
..snip...
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Fri Sep 7 16:17:17 2007 [26914] info: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIBBB
Fri Sep 7 16:17:19 2007 [26914] info: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBBBIBBBBBBBBBBBBBBBBBBBBBBIBBB
..snip..
..snip..
Fri Sep 7 16:19:22 2007 [26914] info: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBSBBSBB
Fri Sep 7 16:19:23 2007 [26914] info: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIBBISBB

In the midst of the surge we had 95 child processes running, all busy!

Here are the sar memory stats...

          kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
16:10:02      16804   2056424     99.19      2900   1310880   2040036       208      0.01         0
16:20:10      37676   2035552     98.18      1872    237376   1736152    304092     14.90     78992
16:30:51      13924   2059304     99.33      1292    308944   1044160    996084     48.82    357444
16:40:02      76652   1996576     96.30      8208   1280796   1756236    284008     13.92    178696
Average:      26403   2046825     98.73      5880   1364057   2024199     16045      0.79      6152


Here are the warnings we saw in the spamd log...

Fri Sep 7 16:20:39 2007 [26914] info: prefork: child states: IBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Fri Sep 7 16:20:40 2007 [25431] warn: spf: lookup failed: Can't locate object method "new" via package "Net::DNS::RR::TXT" at /xsys/lib/perl5/site_perl/5.8.8/i686-linux/Net/DNS/RR.pm line 312.
Fri Sep 7 16:20:41 2007 [25428] warn: spf: lookup failed: Can't locate object method "new" via package "Net::DNS::RR::TXT" at /xsys/lib/perl5/site_perl/5.8.8/i686-linux/Net/DNS/RR.pm line 312.

Fri Sep 7 16:22:18 2007 [24684] warn: plugin: eval failed: child processing timeout at /xsys/sbin//spamd line 1246, <GEN683> line 3398.
Fri Sep 7 16:22:20 2007 [24711] warn: Use of uninitialized value in pattern match (m//) at /xsys/lib/perl5/5.8.8/utf8_heavy.pl line 211, <GEN749> line 3398.
Fri Sep 7 16:22:20 2007 [24711] warn: Use of uninitialized value in scalar assignment at /xsys/lib/perl5/5.8.8/utf8_heavy.pl line 227, <GEN749> line 3398.

Fri Sep 7 16:26:15 2007 [25227] info: spamd: clean message (1.5/5.0) for cs242027:9190 in 406.1 seconds, 243776 bytes.
Fri Sep 7 16:26:19 2007 [24688] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:26:24 2007 [25046] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:26:28 2007 [24692] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.

Fri Sep 7 16:30:35 2007 [26914] info: spamd: server successfully spawned child process, pid 26312
Fri Sep 7 16:30:37 2007 [24685] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep 7 16:30:39 2007 [26914] warn: prefork: cannot ping 24702, file handle not defined, child likely to still be processing SIGCHLD handler after killing itself
Fri Sep 7 16:30:39 2007 [26914] warn: prefork: killing failed child 24702 fd=undefined at /xsys/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 171.
Fri Sep  7 16:30:39 2007 [26914] warn: prefork: killed child 24702
Fri Sep 7 16:30:41 2007 [26914] info: spamd: handled cleanup of child pid 24702 due to SIGCHLD
Fri Sep 7 16:30:41 2007 [26914] warn: prefork: cannot ping 24687, file handle not defined, child likely to still be processing SIGCHLD handler after killing itself
Fri Sep 7 16:30:41 2007 [26914] warn: prefork: killing failed child 24687 fd=undefined at /xsys/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/SpamdForkScaling.pm line 171.
Fri Sep  7 16:30:41 2007 [26914] warn: prefork: killed child 24687


Looking at the swap usage, I was thinking it would be better if I reduced the number of child processes and let things queue up. I know I will also have to look at Exim and its ratelimit command. Any other ideas on handling spam surges/DoS?

Thanks
Paul
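
Added example, not part of the original post: a small Python parser for the spamd "prefork: child states" lines quoted above. It reports the peak child count, how many samples had no idle child left, and how often the overload warnings appeared, which are the figures to compare against swap usage when choosing --max-children. The sample log is constructed, and the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the spamd log format quoted in the post.
SAMPLE_LOG = """\
Fri Sep  7 16:17:09 2007 [26914] info: prefork: child states: BBBBB
Fri Sep  7 16:17:17 2007 [26914] info: prefork: child states: BBBBIBBB
Fri Sep  7 16:19:23 2007 [26914] info: prefork: child states: BBBBBBBBBBBBSBB
Fri Sep  7 16:26:19 2007 [24688] warn: spamd: copy_config timeout, respawning child process after 1 messages at /xsys/sbin//spamd line 1103.
Fri Sep  7 16:30:39 2007 [26914] warn: prefork: killed child 24702
"""

STATES = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[\d+\] info: "
    r"prefork: child states: (?P<states>[A-Z]+)\s*$"
)
# Warning texts that appear in the post's log excerpt.
WARN_KEYS = ("copy_config timeout", "child processing timeout",
             "killed child", "spf: lookup failed")


def summarize(log_text):
    """Return peak child count, samples with no idle child, and warning counts."""
    peak = {"children": 0, "busy": 0, "time": None}
    samples = no_idle = 0
    warnings = Counter()
    for line in log_text.splitlines():
        m = STATES.match(line)
        if m:
            counts = Counter(m["states"])  # B = busy, I = idle, S = starting
            samples += 1
            if counts["I"] == 0:
                no_idle += 1  # every child occupied: new scans must wait
            if len(m["states"]) > peak["children"]:
                peak = {"children": len(m["states"]), "busy": counts["B"],
                        "time": m["ts"]}
        elif "] warn: " in line:
            warnings.update(k for k in WARN_KEYS if k in line)
    return {"samples": samples, "no_idle_samples": no_idle,
            "peak": peak, "warnings": dict(warnings)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```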
