DOS attacked :(

Thu Mar 4 02:32:42 GMT 2004

Stephen Swaney wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>Behalf Of Pete
>>Sent: Wednesday, March 03, 2004 8:10 PM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: DOS attacked :(
>>
>>Kevin Spicer wrote:
>>
>>
>>
>>>Is update_virus_scanners running? If for some reason a scanner update
>>>hangs MailScanner will stop processing mail.  If this is the case please
>>>post which scanner is the problem so that timeout code can be added to
>>>its wrapper script.
>>>
>>>Is Spamassasin trying to use pyzor?  Make sure its not if it isn't
>>>working properly.
>>>
>>>Maybe turn SA off for a while to catch up?  Or just turn off all SA's
>>>network checks.
>>>
>>>Maybe the bayes database is causing a problem, try turning off bayes
>>>(turn off the bayes auto rebuild in MailScanner too if your version has
>>>it).
>>>
>>>
>>>
>>First thing i did was turn off bayes.
>>Yes virus update scaner is running, although i did see some deferred for
>>600secs messages,
>>
>>
>
>This is normal with the latest versions of MailScanner. Julian added a delay
>so we wouldn't all hit the ClamAV servers at the top of the hour. You might
>want to change the delay in your update_virus_scanners so we don't all hit
>the servers at 600 seconds after the hour.
>
>
Will change that now. Thanks.

>>but recently i did see it had updated. I have only
>>updated tpo clamavmodule this morning, previously was just clamav.
>>I have already added Use_pyzor 0 since i couldnt get it to work (is it a
>>matter of install and then restart MS?)
>>
>>
>
>Form your earlier post:
>
>debug: Pyzor is available: /usr/bin/pyzor
>debug: entering helper-app run mode
>debug: Pyzor: got response: /usr/bin/python2: can't open file
>'/usr/bin/pyzor'
>
>There is something wrong with your Pyzor installation. You can't open
>/usr/bin/Pyzor. Leave
>
>use_pyzor      0
>
>Set in your spam.assassin.prefs.conf until you get this sorted out.
>
>
Yep, have left this on since i first tried to install pyzor, that output
appears in the debug anyway, i havent tried to install razor2 yet as i
stopp installed stuff when i didnt get pyzor doing, dcc weas working
fine, but disabled it when these troubles started and will off for the
time being. All 3 entries exist in spa,.assassin.prefs.conf usepzyor
0, razor and dcc.

>>I turned did skip rbls and this made a huge difference in reducing the
>>queue size. I have now turned them back on.
>>
>>
>
>This is telling you something. When you turn off SpamAssassin network
>checks, things improve. When you turn them on things get worse. You are
>having a problem running network checks. Try running:
>
>spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
>
>and see if you can see or feel any delays.
>
>Also from your debug output:
>debug: Razor2 is not available
>
>leave use_razor2       0
>
>off until you get this sorted out. Often this is caused by not following the
>Install instructions, i.e. running
>
>razor-admin -create
>razor-admin -register
>
>After the install. Go to the razor web site and read the installation
>documents.
>
>
>
>>I have the leatest stable release, and now i have turned off auto
>>rebuild too.
>>
>>
>
>>From looking at your debug output you're not trying to use Bayes at this
>point.
>
>
>
>>Seems like the queue gets reduced, then something becomes broken again
>>and then queue grows and this repeats - have had never had a message
>>stuck before, not even one - today there were 120, this went down to 40
>>when i made the changes suggested above, then sa timeouts and back up 100.
>>
>>
>
>They are not stuck, they're just delayed. We have some ISP customer's whose
>incoming queues fluctuate for 2 to 700 message waiting depending on the time
>of day and spam loads.
>
>
I mentioned this because prior to upgrading i never ever had any
messages delayed in the queue, now i have a 100 all the time.

>>I don't really want to turn off SA, I want to stop spam. SO i will
>>persevere for the rest of the day trying to get this workiing again.
>>Thanks for your help.
>>
>>
>>
>
>You'll still stop spam with the network checks off - just not as much.
>SpamAssassin weighs scores differently if network checks are off so it's not
>as bad as it seems.
>
>And finally
>
>1. What versions of MailScanner and SpamAssassin were you running before the
>upgrade
>2. What hardware - processor, disks and memory are you using?
>3. What is your daily email volume?
>
>Steve
>
>Stephen Swaney
>President
>Fortress Systems Ltd.
>Steve.Swaney at FSL.com
>
>
>
>
RH9, untouched or upgraded since original installation.
I started with MS4.24-5, postfix 2.16, sa2.60, clamav .60, mailwatch 3.b
upgraded to
MS 4.27.7, postfix is unchanged and untouched, sa 2.63 (from source),
clamav .67, mailwatch .4>.51

Its a dual P200 (thats two hundred)NEC server, many GB os spare HDD
space and 512mb RAM. This machine ran perfectly with the original
versions i installed. We get around 2000 messages per day on this machine.

I have been hassling for better hardware now that i have proven this
works (the plan was to prove it work without spending any cash) but
company has merged and now boss wont approve new hardware, he advises if
i need new hardware, must use a P2 400 PC, which i am not willing to try
with. With this low mail volume i rarely see anymore than %50 CPU usage
on either cpu.

I was just thinking Julian says to use perl SA, but i had already
installed from source originally so thought it was best to upgrade this
way, could this be the killer, i need to remove and install with cpan?
Or install from cpan and leave the source install alone?

>--
>This message has been scanned for viruses and
>dangerous content by Fortress Secure Mail Gateway
>and was found to be clean.
>
>Fortress Systems Ltd. - http://www.fsl.com
>
>
>
>
>
>
wow - thanks for taking the time to help me, much appreciated.