Spam filtering problem with Exim & SA

modem (Verified User, joined Apr 7, 2004, 364 messages)
Hello all,

A client informed me this morning she was getting more than the usual amount of spam and asked if I could check into it. I myself did indeed notice an increase in spam. When I checked the properties of the spam to see what their SA rating was, oddly enough SpamAssassin wasn't even checking them.

I SSH'd into my server to check and SA was indeed running. My next thought was to check my Exim mail queue, and when I looked at that, I was astounded to see 40+ pages of frozen emails, 99% spam, going back a week. I spent time cleaning all of that, restarted Exim and SpamAssassin, and instantly saw the deluge of spam coming back.

At the moment email properties are showing SA checking them, but giving low ratings like 1.9 and such to obvious spam. I noticed my SSH terminal also showed:

root 13290 0.1 0.2 6572 2284 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi8C-0003SL-UD
root 13302 0.1 0.2 6592 2276 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi86-0003RW-6f
root 13312 0.1 0.2 6580 2284 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi8G-0003SV-Hw
root 13318 0.1 0.2 6572 2280 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi8G-0003SW-RX
root 13324 0.0 0.2 6580 2276 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi8H-0003Se-Aq
root 13337 0.1 0.3 6972 3348 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi8L-0003T6-03
root 13345 0.2 0.2 6568 2288 ? S 14:24 0:00 /usr/sbin/exim -Mc 1Jwi8O-0003TA-By
root 13385 0.2 0.2 6584 2288 ? S 14:25 0:00 /usr/sbin/exim -Mc 1Jwi8T-0003Th-UB

Is there anything to be worried about, or is this just a spam attack happening?

Brad
 
I did some more checking and after the earlier problem, SpamAssassin (3.2.4) had apparently quit working again, as email properties showed no SA scanning/point rating. Doing a ps ux command shows the following:

root 4860 0.0 1.2 34740 12988 ? S May15 0:07 /usr/bin/spamd -d -c -m 5
root 14010 0.0 0.8 28048 8208 ? S 00:13 0:00 /usr/sbin/httpd -k start -DSSL
root 14018 0.0 0.6 24048 6212 ? S 00:13 0:00 /usr/sbin/httpd -k start -DSSL
root 21419 0.0 0.2 6572 2292 ? S 01:08 0:00 /usr/sbin/exim -Mc 1JwsBL-0005Z1-SO
root 21476 0.0 0.2 6576 2280 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsBp-0005aG-He
root 21482 0.0 0.2 6572 2288 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsBs-0005aM-Bg
root 21488 0.0 0.2 6576 2288 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsBs-0005aN-IJ
root 21510 0.0 0.2 6584 2288 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsC1-0005an-Kt
root 21532 0.0 0.2 6572 2276 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsBw-0005ag-IS
root 21538 0.0 0.2 6580 2284 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsCE-0005bC-8x
root 21554 0.0 0.2 6576 2276 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsCX-0005bZ-41
root 21565 0.0 0.2 6584 2288 ? S 01:09 0:00 /usr/sbin/exim -Mc 1JwsCa-0005bd-Oe
root 21576 0.0 0.2 6572 2280 ? S 01:10 0:00 /usr/sbin/exim -Mc 1JwsCe-0005bx-DQ
root 21601 0.0 0.2 6580 2284 ? S 01:10 0:00 /usr/sbin/exim -Mc 1JwsCj-0005cM-5W
root 21618 0.0 0.2 6592 2280 ? S 01:10 0:00 /usr/sbin/exim -Mc 1JwsCu-0005cX-02
root 21656 0.0 0.2 6580 2272 ? S 01:10 0:00 /usr/sbin/exim -Mc 1JwsD6-0005d8-Kb
root 21663 0.0 0.2 6576 2280 ? S 01:10 0:00 /usr/sbin/exim -Mc 1JwsD6-0005dG-2N
root 21679 0.2 0.3 6964 3344 ? S 01:10 0:00 /usr/sbin/exim -Mc 1JwsDR-0005de-R8
root 21688 0.2 0.2 6576 2284 ? S 01:11 0:00 /usr/sbin/exim -Mc 1JwsDc-0005dj-6u


I am concerned as in my Exim mail queue I have LOADS of spam there, up to 30 pages' worth, that is frozen for like 10 hours at a time. Previously I never had that issue with spam getting frozen. I tried recompiling SA down to 3.2.3 and downgrading Exim from 4.69 to 4.68; however, now I have errors when compiling the src.rpm of Exim. I receive the following error:

[root@stargatesg1 i386]# rpm -Uvh da_exim-4.68-1.i386.rpm
error: Failed dependencies:
libcrypto.so.0.9.8 is needed by da_exim-4.68-1
libssl.so.0.9.8 is needed by da_exim-4.68-1
[root@stargatesg1 i386]#

I did a check and I DO have both lib files in the following locations:

[root@stargatesg1 root]# locate libssl.so
/usr/lib/libssl.so
/usr/lib/libssl.so.0.9.8
/usr/local/directadmin/customapache/apache_1.3.34/src/modules/ssl/libssl.so
/usr/src/openssl-0.9.8d/libssl.so
/usr/src/openssl-0.9.8d/libssl.so.0.9.8
/lib/libssl.so.4
/lib/libssl.so.0.9.8
/lib/libssl.so.0.9.7a
[root@stargatesg1 root]# locate libcrypto.so
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.0
/usr/lib/libcrypto.so.0.9.8
/usr/src/openssl-0.9.8d/libcrypto.so
/usr/src/openssl-0.9.8d/libcrypto.so.0.9.8
/lib/libcrypto.so.4
/lib/libcrypto.so.0.9.7a


Can someone please tell me what is going on?

Brad
 
**** Problem solved ****

SpamAssassin somehow placed the v310.pre, v312.pre, and v320.pre files back in the /etc/spamassassin directory after I had previously renamed them. SpamAssassin has a bug where having those two files enabled on my server (CentOS 3.3, Exim 4.69) causes 421 BSMTP errors. Removing them solves it.
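The thread above is essentially a triage procedure: find out how much of the Exim queue is frozen spam, remove it, confirm spamd is actually answering, and check which SpamAssassin .pre loader files have come back. The script below is an added example written for this page; it is not code from the original posters or from the Exim or SpamAssassin projects. The `exim -bp` output it parses is a constructed sample (the message IDs are copied from the ps listings above, the addresses are made up), and the .pre file names are the ones named in the solution post. Only the text-parsing functions run unconditionally; anything that touches a live Exim or spamd is guarded on the tool being installed, and the destructive removal command is left commented out.

```shell
#!/bin/sh
# Added example (not from the original thread): triage helpers for a queue
# full of frozen spam and a SpamAssassin install that silently stopped
# scanning. Assumptions: Exim 4 `exim -bp` output format, `spamc -K` ping,
# and the .pre file names quoted in the thread's solution post.

# Print the message IDs of frozen messages from `exim -bp` output on stdin.
# `exim -bp` prints one header line per message:
#   <age> <size> <message-id> <sender> [*** frozen ***]
# followed by indented recipient lines, which lack the age/size prefix and
# are therefore skipped by the first pattern.
frozen_ids() {
    awk '/^ *[0-9]+[mhdw] / && /\*\*\* frozen \*\*\*/ { print $3 }'
}

# Count non-empty lines on stdin; exits 0 even when there are none.
count_lines() {
    grep -c . || true
}

# Constructed sample of `exim -bp` output: three queued messages, two frozen.
# The `<>` sender on the third is how Exim shows a bounce message, which is
# what most frozen spam in a queue turns out to be.
sample_queue() {
    cat <<'EOF'
 25m  2.1K 1Jwi8C-0003SL-UD <spam@example.invalid> *** frozen ***
          user1@example.com

  3h  1.4K 1Jwi86-0003RW-6f <brad@example.com>
          friend@example.org

 10h  3.0K 1Jwi8G-0003SV-Hw <> *** frozen ***
          user2@example.com
EOF
}

# List the SpamAssassin plugin-loader files (*.pre) present in a config dir.
# The thread's fix was renaming v310.pre, v312.pre and v320.pre, so these
# names reappearing after an SA upgrade is exactly what to look for.
list_pre_files() {
    dir=$1
    for f in "$dir"/*.pre; do
        [ -e "$f" ] || continue
        basename "$f"
    done
}

# Live checks, run only when the tools exist (they will not in a sandbox).
if command -v exim >/dev/null 2>&1; then
    echo "Frozen messages currently in the queue:"
    exim -bp | frozen_ids | count_lines
    # Removing them is destructive, so it is left commented out:
    #   exim -bp | frozen_ids | xargs -r exim -Mrm
    # Exim 4 also ships exiqgrep, which selects frozen IDs directly:
    #   exiqgrep -z -i | xargs -r exim -Mrm
fi

if command -v spamc >/dev/null 2>&1; then
    # spamc -K sends a PING to spamd and exits non-zero if it gets no answer,
    # which is the "mail arrives with no SA headers" symptom from the thread.
    if spamc -K >/dev/null 2>&1; then
        echo "spamd answered PING"
    else
        echo "spamd did not answer PING; check it is running and accepting"
    fi
    echo "Loader files in /etc/spamassassin:"
    list_pre_files /etc/spamassassin
fi
```

Run it as root on the mail server to get the frozen count, the spamd ping result and the .pre inventory in one pass; feed it `sample_queue | frozen_ids` to see the parser on the constructed data. The `xargs -r` flag is a GNU extension (present on CentOS); on other platforms drop `-r` and make sure the pipeline is not empty before invoking `exim -Mrm`.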
 