spamd load

outpernet

On one server, from time to time spamd keeps running indefinitely with high CPU use:

Code:
18265 root 16 0 19996 16M 15964 S 79.6 1.6 5:17 0 spamd


I have to restart exim to fix it, provisionally.

I didn't find anything strange... any help?
 
We have had the same problem for a few weeks. In our case it is spam.

Reviewing the exim logs I have come to realize that we are being bombarded by connections from spammers. They appear to be cycling through IP addresses rapidly to facilitate a dictionary attack on our domains. This is one where they use a list of names and see if they can get a hit.

When the attack takes place we are getting three to seven connections per second. The spammers are working from a large pool of IP addresses and discard them after one or two messages.

This means the attack may be too dispersed to stop at the firewall.
 
Thank you! Yep, when it's happening, exim has a lot of processes... Did you do anything to stop it, or does it stop by itself when the spammers get tired? :)
 
I am running a script on a non-DA server for this purpose. It detects the dictionary attacks (set by a threshold value) and then blocks the IPs. After running this for a week, I have found this to be very useful. Ideal? No, but it does reduce load and spam.

Unfortunately this script is written for sendmail. The author doesn't know how to port it to Exim.
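The threshold-based detection described in the post above (and the log analysis that a later post in this thread uses to collect sender IPs) can be done straight from the Exim mainlog. The following is an added example, not the poster's script or anything shipped with DirectAdmin or Exim: it parses "rejected RCPT ... Unknown user / Unrouteable address" lines, keeps a sliding window of rejections per connecting IP, and reports the IPs that cross a threshold. The log lines are constructed for the example, and the log format, the threshold and the window size are assumptions to adjust for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Exim mainlog style; these are not real log lines.
# 192.0.2.10 probes five guessed names in four seconds (a dictionary run),
# 198.51.100.7 gets one ordinary typo rejection, and 203.0.113.5 hits five
# unknown users but spread two minutes apart.
SAMPLE_LOG = """\
2005-03-12 21:45:51 H=(mx.example.net) [192.0.2.10] F=<a@example.org> rejected RCPT <alice@ourdomain.example>: Unknown user
2005-03-12 21:45:52 H=(mx.example.net) [192.0.2.10] F=<b@example.org> rejected RCPT <albert@ourdomain.example>: Unknown user
2005-03-12 21:45:52 H=(mx.example.net) [192.0.2.10] F=<c@example.org> rejected RCPT <alfred@ourdomain.example>: Unrouteable address
2005-03-12 21:45:53 H=(mx.example.net) [192.0.2.10] F=<d@example.org> rejected RCPT <amy@ourdomain.example>: Unknown user
2005-03-12 21:45:55 H=(mx.example.net) [192.0.2.10] F=<e@example.org> rejected RCPT <andrew@ourdomain.example>: Unknown user
2005-03-12 21:46:10 H=(relay.example.com) [198.51.100.7] F=<x@example.com> rejected RCPT <jon@ourdomain.example>: Unknown user
2005-03-12 21:46:30 1D9xyz-0001aB-Cd <= x@example.com H=(relay.example.com) [198.51.100.7] P=esmtp S=1234
2005-03-12 21:50:00 H=(host5.example.net) [203.0.113.5] F=<p@example.org> rejected RCPT <bob1@ourdomain.example>: Unknown user
2005-03-12 21:52:00 H=(host5.example.net) [203.0.113.5] F=<p@example.org> rejected RCPT <bob2@ourdomain.example>: Unknown user
2005-03-12 21:54:00 H=(host5.example.net) [203.0.113.5] F=<p@example.org> rejected RCPT <bob3@ourdomain.example>: Unknown user
2005-03-12 21:56:00 H=(host5.example.net) [203.0.113.5] F=<p@example.org> rejected RCPT <bob4@ourdomain.example>: Unknown user
2005-03-12 21:58:00 H=(host5.example.net) [203.0.113.5] F=<p@example.org> rejected RCPT <bob5@ourdomain.example>: Unknown user
"""

# One rejected-RCPT line: timestamp, connecting IP in brackets, recipient, reason.
# The exact wording is an assumption; check it against your own mainlog.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\] "
    r".*?rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>Unknown user|Unrouteable address)"
)


def parse_rejections(lines):
    """Yield (timestamp, ip, recipient) for each unknown-recipient rejection."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"]


def find_dictionary_attackers(lines, threshold=5, window_seconds=60):
    """Return {ip: time_first_flagged} for hosts that produced at least
    `threshold` unknown-recipient rejections inside any `window_seconds`
    sliding window. Lines are assumed to be in time order, as in mainlog."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> rejection timestamps still in the window
    flagged = {}
    for ts, ip, _rcpt in parse_rejections(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire rejections older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_dictionary_attackers(SAMPLE_LOG.splitlines()).items():
        print(f"{when} {ip} crossed the rejection threshold")
```

With the defaults only 192.0.2.10 is reported; 203.0.113.5 only shows up if the window is widened to an hour, which is the trade-off the thread is circling around: a short window catches the fast probes that pile up spamd children, a long one catches slow, distributed probing but is more likely to flag a legitimate host that merely has stale addresses for your domain. Whatever consumes the result (a firewall rule, a database of hosts to drop in the ACL) should expire entries after a while, since the attackers in this thread discard each IP after a message or two anyway.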
 
outpernet said:
Thank you! Yep, when it's happening, exim has a lot of processes... Did you do anything to stop it, or does it stop by itself when the spammers get tired? :)

Have you considered RBL (rblsmtpd)? In my experience RBL can be VERY effective in rejecting SPAM right from the start before it even reaches spamassassin. So the ones that do slip through will be taken care of by spamassassin without frying the CPU in the process. ;)
 
DA is already set up to run RBLs; check these forums for SpamBlocker.
All you need to do is put the domains you want to be SpamBlocked (use RBLs) into /etc/virtual/use_rbl_domains (exactly as they appear in /etc/virtual/domains) and edit exim.conf so that instead of pointing people to example.com you send them to a page on your own domain.

Don't forget to restart exim any time you edit the exim.conf file.

Jeff
 
We use the latest iteration of the exim.conf file. I also added a couple of perl routines to the exim.pl file to help deal with dictionary attacks.

An analysis of the logs yielded the dictionary in use. Using the names least similar to those on our server, we wrote a perl script to add the sender's IP address to a MySQL database, which is used to drop senders.

We have also found that dropping seems to work better than denying. But, we are watching that closely because we still get hit by punishing volumes of spam from these people.
 
Well, the problem with this script is the setting of the default email accounts to "fail". This could be a problem for many people. I know the script I am using does not have this requirement. It would seem fairly easy for an ACL to figure out what is real and what is not.
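An ACL can indeed do this inside Exim itself, without depending on the catch-all being set to fail. The fragment below is an added example for the RCPT ACL, not something from this thread or from DirectAdmin's exim.conf; it assumes Exim 4.52 or later (for the ratelimit condition) and routers that can verify local recipients. The limit of ten unknown recipients per hour is a made-up starting value.

```exim
# Added example for acl_check_rcpt (assumed name); not from DA's exim.conf.
acl_check_rcpt:

  # Count only recipients that fail verification. Conditions are tested in
  # order, so the ratelimit line is reached only when "!verify = recipient"
  # is true; "strict" makes it update the per-host counter every time it is
  # reached. Legitimate recipients never touch the counter.
  deny    message   = Too many unknown recipients from $sender_host_address
          !verify   = recipient
          ratelimit = 10 / 1h / per_rcpt / strict

  # Everyone else still has to pass ordinary recipient verification.
  require verify    = recipient
```

Replacing `deny` with `drop` makes Exim close the connection after the rejection instead of leaving the session open, which is the "dropping seems to work better than denying" effect mentioned earlier in this thread. Keep an eye on the reject log for a while before tightening the numbers: a legitimate mailing-list host with a lot of stale addresses for your domains can trip the same counter.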
 
I tried the script, but it did not work well for us.

It seemed to only work if multiple recipients are included in the message.

The attacks we are seeing are widely distributed. Individual IPs send a portion of the target list. Messages are generally sent one at a time with only one recipient. This is a high bandwidth attack on mail servers, with many different email messages being sent.

I took a harsh approach to the problem. But, I maintain corporate servers and do not sell space.
 
Yep, same here. In my logs there is no 'attack' filter.
Is there any way to limit the number of emails that Spamassassin checks simultaneously?
 
Incidentally . . . this is as bad as it gets:

Code:
top - 21:45:51 up 2 days, 13:12,  0 users,  load average: 88.88, 89.55, 86.00
Tasks: 195 total,   1 running, 192 sleeping,   0 stopped,   2 zombie
Cpu(s):  3.5% us,  0.6% sy,  0.0% ni, 93.6% id,  2.3% wa,  0.0% hi,  0.0% si
Mem:    515556k total,   512684k used,     2872k free,      532k buffers
Swap:  1048312k total,  1048312k used,        0k free,     5464k cached

The problem was dead exim processes from a massive, highly distributed spam blast. We had 58 mostly dead exim processes running by this time.
 
Got a serious problem here guys, using spamassassin 3.02.

Noticed the server has been sluggish. It has 1 gig of RAM and 2 gig swap, and on examination I am using 71% of my swap memory. spamd is the chief culprit as it has well over 30 child processes; killall spamd isn't working. Any idea how to resolve this without rebooting, or limit child processes?
 
Consider the following:

1- Use a local resolver (DNS)
2- Disable UTF-8 text processing

check this out:

http://wiki.apache.org/spamassassin/Utf8Performance

3- If you can afford to reduce accuracy, consider turning off network tests and running it with -L

4- If you have too many child processes and are swapping as well, try offloading your log files to a separate disk if possible

5- If possible, avoid body rules with "*" or "+" attributes
 
Well, I think it got messed up. I reinstalled it and all is well; I am at 5 processes again. It was completely ignoring the -m 5 switch.

I am going to start using my local name server and enable caching, I will look into the UTF-8 thing as well.

thanks
 