Finally i found message caused high load. It looks like one message sent all the time from ticket system. Message size is ~4M. We scan messages with this size in amavis.
Content of message is complex and has multiple items Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Type: application/pdf Results from debug, with % > 1: dbg: rules: timing: Total time: 131.6748 s dbg: rules: [...] rulename ovl(s) max(s) #run %tot dbg: rules: [...] __FILL_THIS_FORM_LONG2 26.3811 26.3811 1 20.04% dbg: rules: [...] __FILL_THIS_FORM_SHORT2 26.3050 26.3050 1 19.98% dbg: rules: [...] __FILL_THIS_FORM_FRAUD_PHISH1 10.0878 10.0878 1 7.66% dbg: rules: [...] __FILL_THIS_FORM_LOAN1 7.2766 7.2766 1 5.53% dbg: rules: [...] __FILL_THIS_FORM_SHORT1 2.3360 2.3360 1 1.77% dbg: rules: [...] __FILL_THIS_FORM_LONG1 2.3051 2.3051 1 1.75% 1.8 FUZZY_XPILL BODY: Attempt to obfuscate words in spam 0.0 FUZZY_CPILL BODY: Attempt to obfuscate words in spam 0.5 FUZZY_VPILL BODY: Attempt to obfuscate words in spam 0.8 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area 0.0 HTML_MESSAGE BODY: HTML included in message 0.0 LOTS_OF_MONEY Huge... sums of money Thanks all for the help! 2014-04-24 1:39 GMT+03:00 John Hardin <jhar...@impsec.org>: > On Wed, 23 Apr 2014, Nick I wrote: > > Another interesting thing. Today when daily cron executed at 5 am load >> calmed to ~0. As it was before. Sa-update executed at that time. >> Amavisd has been reloaded at 7 am and load raised back again. >> Also i see that some messages checked 150329 ms, 158742 ms. But most >> messages checked ~400ms. >> >> I used @debug_recipient_maps and sa_debug but did not see any userful >> info. >> Can anyone suggest how to look inside tests_pri_0 ? >> > > The first thing you need to do is capture one of the messages that took a > very long time to scan, so that it can be tested in a controlled > environment. There are tools that will allow you to capture timing data for > every rule, and if the message is a spam you could provide it to us for > analysis. > > -- > John Hardin KA7OHZ http://www.impsec.org/~jhardin/ > jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org > key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 > ----------------------------------------------------------------------- > Today: Max Planck's 156th birthday >