Spamd and Server Load

nhouse

Good Morning!
I have searched the forums to try and solve this and haven't really figured it out yet. I have also looked elsewhere, by the way, and there seem to be variables on the subject based upon the versions of SA, etc. in use. So, PLEASE share your wisdom with me. I will try to be as complete with my info as possible so you can advise me correctly... thanks!!!

The problem: it seems that during the heaviest email usage period for the server (mid-day for me) the server load goes WAY up and it appears to me that Exim has a lot of activity and Spamd does as well. This may sound crazy but when I do a top command and compare, in the morning before the heavy use starts, the load is around 1.0 and maybe 2.3 on the high side... around mid morning I have seen it as high as 300.0 and at that point I freak out basically and reboot. I also can restart most of the main services about once an hour to keep it at a less critical level. I must admit that I am not a great system admin but I am working at it... and it seems that my machine "should" be able to handle the current client load. Here is my configuration:

* AMD Athlon(tm) XP 2200+ w/ 1g Ram (2g swap)
* CentOS 4.3
* Apache 1.3.34
* Exim 4.60
* Spamassassin 3.1.1 on Perl 5.8.5
* MySQL 4.1.11
* currently about 300 POP accounts and 93 forwarders
* 27 users
* Connection is BellSouth 3meg / 384k ADSL

* Exim entries:
message_size_limit = 25M
smtp_receive_timeout = 5m
smtp_accept_max = 250
message_body_visible = 3000
print_topbitchars = true

* Apache entries:
Timeout 300
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 5
MinSpareServers 8
MaxSpareServers 20
StartServers 8
MaxClients 450
MaxRequestsPerChild 1000

NOTE: I also have "HostnameLookups Off"

Ok... now specific questions that I have which you can advise me on:
1. Do you see any issues with my Exim or Apache entries?
2. Is there still an issue with "UTF-8 character sets" in conjunction with the LANG designation? Read about this HERE.
3. Are there any common issues related to the "exim.conf" file and SpamBlocker that I may be overlooking? I could ask it this way... will Exim work properly out of the box using the SpamBlocker modified conf file? NOTE: Jeff I certainly am not suggesting there is a problem with your work... just want to make sure I haven't overlooked something since it is standard now with the DA setup process.
4. Is there another place or conf file where spamd should be tweaked or something which will affect other performance related issues... with regards to Apache, Exim, or Spamassassin?

Examples of Exim related log errors:

2006-11-06 01:10:33 H=(218.16.94.158) [218.16.94.158] incomplete transaction (connection lost) from <[email protected]> for [email protected]: 1 Time(s)
2006-11-06 01:11:15 H=(218.58.177.149) [218.58.177.149] incomplete transaction (connection lost) from <[email protected]> for [email protected]: 1 Time(s)
2006-11-06 01:12:59 H=pool-71-109-162-3.lsanca.dsl-w.verizon.net (CPQ73745201364) [71.109.162.3] incomplete transaction (RSET) from <[email protected]> for [email protected]: 1 Time(s)
2006-11-06 01:14:09 H=(221.232.130.115) [221.232.130.115] incomplete transaction (connection lost) from <[email protected]> for [email protected]: 1 Time(s)

2006-11-06 10:20:34 Connection from [189.130.215.74] refused: too many connections: 8 Time(s)
2006-11-06 10:20:34 Connection from [193.52.208.233] refused: too many connections: 1 Time(s)
2006-11-06 10:20:34 Connection from [196.207.206.218] refused: too many connections: 1 Time(s)
2006-11-06 10:20:35 Connection from [189.130.215.74] refused: too many connections: 4 Time(s)

I REALLY, really appreciate any suggestions or help you can send my way.
 
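The two kinds of Exim log entries quoted in the post above can be tallied per remote host to see who is consuming the connection slots. This is an added example, not part of the original post; the sample lines are constructed in the same shape as the excerpts (documentation-range IPs, example.* addresses), and `summarize` and `repeat_offenders` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the excerpts in the post
# (documentation-range IPs and example.* addresses, not real traffic).
SAMPLE_LOG = """\
2006-11-06 01:10:33 H=(192.0.2.10) [192.0.2.10] incomplete transaction (connection lost) from <a@example.org> for user@example.com: 1 Time(s)
2006-11-06 01:12:59 H=host.example.net (HELO1) [198.51.100.7] incomplete transaction (RSET) from <b@example.org> for user@example.com: 1 Time(s)
2006-11-06 10:20:34 Connection from [203.0.113.5] refused: too many connections: 8 Time(s)
2006-11-06 10:20:34 Connection from [192.0.2.10] refused: too many connections: 1 Time(s)
2006-11-06 10:20:35 Connection from [203.0.113.5] refused: too many connections: 4 Time(s)
2006-11-06 10:21:02 Connection from [198.51.100.7] refused: too many connections
"""

# Timestamp, message body, and the optional ": N Time(s)" summary suffix.
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<body>.*?)(?:: (?P<n>\d+) Time\(s\))?$"
)
REFUSED = re.compile(r"^Connection from \[(?P<ip>[^\]]+)\] refused: too many connections")
INCOMPLETE = re.compile(r"\[(?P<ip>[^\]]+)\] incomplete transaction \(")

def summarize(log_text):
    """Return (refused_by_ip, incomplete_by_ip, refused_by_hour) counters."""
    refused, incomplete, by_hour = Counter(), Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        n = int(m.group("n") or 1)  # plain log lines carry no "N Time(s)" suffix
        body = m.group("body")
        hit = REFUSED.match(body)
        if hit:
            refused[hit.group("ip")] += n
            by_hour[f"{m.group('date')} {m.group('hour')}:00"] += n
            continue
        hit = INCOMPLETE.search(body)
        if hit:
            incomplete[hit.group("ip")] += n
    return refused, incomplete, by_hour

def repeat_offenders(refused, incomplete, threshold=5):
    """IPs whose refused plus abandoned sessions reach the threshold."""
    total = refused + incomplete
    return sorted(ip for ip, count in total.items() if count >= threshold)

if __name__ == "__main__":
    refused, incomplete, by_hour = summarize(SAMPLE_LOG)
    print("refused per hour:", dict(by_hour))
    print("repeat offenders:", repeat_offenders(refused, incomplete))
```

Hosts that dominate the refused count are the ones filling the `smtp_accept_max` pool; Exim's `smtp_accept_max_per_host` option caps how many of those slots a single address can hold.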
I don't know about your configuration but we had a similar problem where the system basically walked with its knees (Swedish expression for having a LOT to do). I found the cause of this problem to be a huge amount of mails delivered to a catch-all account. Spammers had used a domain which was located on our server for sending spam (note, spam didn't go FROM our server). When some (read: a huge amount of) mails were undelivered the receiving mailservers tried to return the message to sender. Although the sender address didn't exist on our server, the domain was located on the server and the user owning this domain had set up a catch-all account for his domain going to his mailbox. So Exim did deliver every single return-to-sender mail to the user's mailbox. The mailbox took about 20GB or so when I managed to stop Exim from delivering those mails and at the same time the server went smooth again.

I have no idea if you're experiencing the same thing but you might check it out at least.
 
I appreciate your input... I have checked things to make sure all of the domains do not use a catch all account... I have them all set to "drop and ignore" these emails... I think DA calls it the black hole.

I have added a domain from another server which usually gets a lot of spam... so that brings up another question... this guy doesn't use an email account associated with his domain (yea, I know it is odd) but uses his old faithful ISP account which I send to via a form on his site. With all of that said, if I set his DA account to "0" email accounts, will that effectively take him out of the loop for mail related processing? I would assume so.
 
Or you could pipe his mail to /dev/null:

~/.forward:
Code:
"| cat >/dev/null"
 
I don't understand why people continue to futz with spamd. Just disable the stupid thing. It's a waste of system resources. What is the purpose of running spamd? Also, disable SA in the users control panel. If you disable spamd then there is no use for SA in the users control panel.

Then.... get yourself a decent spam solution, one that works at the server level not the user level. That way you control all spam scanned and deliver the messages to every user if the message passes SA testing. No need to scan spam twice either.
 
nhouse said:
I appreciate your input... I have checked things to make sure all of the domains do not use a catch all account... I have them all set to "drop and ignore" these emails... I think DA calls it the black hole.

I have added a domain from another server which usually gets a lot of spam... so that brings up another question... this guy doesn't use an email account associated with his domain (yea, I know it is odd) but uses his old faithful ISP account which I send to via a form on his site. With all of that said, if I set his DA account to "0" email accounts, will that effectively take him out of the loop for mail related processing? I would assume so.

If there are no email accounts set up and his catch-all is OFF then there will be no deliveries, but that doesn't mean that messages won't be sent to your box, because they will since the domain resides on the box. The only difference is that all mail delivery will fail at SMTP time, which is what you want if everything is off.
 
pucky said:
get yourself a decent spam solution, one that works at the server level not the user level. That way you control all spam scanned and deliver the messages to every user if the message passes SA testing. No need to scan spam twice either.
Which is exactly why I wrote the SpamBlocker exim.conf file included with DirectAdmin.

We tried an external spamblocking company, and unfortunately they've become quite overzealous recently and many of our clients asked us to not use them.

So we're working on SpamBlocker exim.conf version 3 now.

Jeff
 