DOS attacked :(

[Stephen Swaney]

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 8:10 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
> Kevin Spicer wrote:
>
> >Is update_virus_scanners running? If for some reason a scanner update
> >hangs MailScanner will stop processing mail.  If this is the case please
> >post which scanner is the problem so that timeout code can be added to
> >its wrapper script.
> >
> >Is Spamassasin trying to use pyzor?  Make sure its not if it isn't
> >working properly.
> >
> >Maybe turn SA off for a while to catch up?  Or just turn off all SA's
> >network checks.
> >
> >Maybe the bayes database is causing a problem, try turning off bayes
> >(turn off the bayes auto rebuild in MailScanner too if your version has
> >it).
> >
> >
> >
> First thing i did was turn off bayes.
> Yes virus update scaner is running, although i did see some deferred for
> 600secs messages,

This is normal with the latest versions of MailScanner. Julian added a delay
so we wouldn't all hit the ClamAV servers at the top of the hour. You might
want to change the delay in your update_virus_scanners so we don't all hit
the servers at 600 seconds after the hour.


> but recently i did see it had updated. I have only
> updated tpo clamavmodule this morning, previously was just clamav.
> I have already added Use_pyzor 0 since i couldnt get it to work (is it a
> matter of install and then restart MS?)

Form your earlier post:

debug: Pyzor is available: /usr/bin/pyzor
debug: entering helper-app run mode
debug: Pyzor: got response: /usr/bin/python2: can't open file
'/usr/bin/pyzor'

There is something wrong with your Pyzor installation. You can't open
/usr/bin/Pyzor. Leave

use_pyzor       0

Set in your spam.assassin.prefs.conf until you get this sorted out.

> I turned did skip rbls and this made a huge difference in reducing the
> queue size. I have now turned them back on.

This is telling you something. When you turn off SpamAssassin network
checks, things improve. When you turn them on things get worse. You are
having a problem running network checks. Try running:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

and see if you can see or feel any delays.

Also from your debug output:
debug: Razor2 is not available

leave use_razor2        0

off until you get this sorted out. Often this is caused by not following the
Install instructions, i.e. running

razor-admin -create
razor-admin -register

After the install. Go to the razor web site and read the installation
documents.

> I have the leatest stable release, and now i have turned off auto
> rebuild too.

>From looking at your debug output you're not trying to use Bayes at this
point.

> Seems like the queue gets reduced, then something becomes broken again
> and then queue grows and this repeats - have had never had a message
> stuck before, not even one - today there were 120, this went down to 40
> when i made the changes suggested above, then sa timeouts and back up 100.

They are not stuck, they're just delayed. We have some ISP customer's whose
incoming queues fluctuate for 2 to 700 message waiting depending on the time
of day and spam loads.

> I don't really want to turn off SA, I want to stop spam. SO i will
> persevere for the rest of the day trying to get this workiing again.
> Thanks for your help.
>

You'll still stop spam with the network checks off - just not as much.
SpamAssassin weighs scores differently if network checks are off so it's not
as bad as it seems.

And finally

1. What versions of MailScanner and SpamAssassin were you running before the
upgrade
2. What hardware - processor, disks and memory are you using?
3. What is your daily email volume?

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney at FSL.com



--
This message has been scanned for viruses and
dangerous content by Fortress Secure Mail Gateway
and was found to be clean.

Fortress Systems Ltd. - http://www.fsl.com