DOS attacked :(

Rick Cooper rcooper at DWFORD.COM
Thu Mar 4 03:31:06 GMT 2004


Sorry to top post, but

Are you sure that Net::CIDR is installed (I think that
requirement came after your original install version), and are
you using a local caching name server? Slowdowns in the network
test arena are many times caused by resolver problems.

> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Pete
> Sent: Wednesday, March 03, 2004 9:33 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: DOS attacked :(
>
>
> Stephen Swaney wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >>Behalf Of Pete
> >>Sent: Wednesday, March 03, 2004 8:10 PM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: Re: DOS attacked :(
> >>
> >>Kevin Spicer wrote:
> >>
> >>
> >>
> >>>Is update_virus_scanners running? If for some reason a scanner update
> >>>hangs MailScanner will stop processing mail.  If this is the case please
> >>>post which scanner is the problem so that timeout code can be added to
> >>>its wrapper script.
> >>>
> >>>Is SpamAssassin trying to use pyzor?  Make sure it's not if it isn't
> >>>working properly.
> >>>
> >>>Maybe turn SA off for a while to catch up?  Or just turn off all SA's
> >>>network checks.
> >>>
> >>>Maybe the bayes database is causing a problem, try turning off bayes
> >>>(turn off the bayes auto rebuild in MailScanner too if your version has
> >>>it).
> >>>
> >>>
> >>>
> >>First thing I did was turn off bayes.
> >>Yes virus update scanner is running, although I did see some deferred for
> >>600secs messages,
> >>
> >>
> >
> >This is normal with the latest versions of MailScanner. Julian added a delay
> >so we wouldn't all hit the ClamAV servers at the top of the hour. You might
> >want to change the delay in your update_virus_scanners so we don't all hit
> >the servers at 600 seconds after the hour.
> >
> >
> Will change that now. Thanks.
>
> >>but recently I did see it had updated. I have only
> >>updated to clamavmodule this morning, previously was just clamav.
> >>I have already added Use_pyzor 0 since I couldn't get it to work (is it a
> >>matter of install and then restart MS?)
> >>
> >>
> >
> >From your earlier post:
> >
> >debug: Pyzor is available: /usr/bin/pyzor
> >debug: entering helper-app run mode
> >debug: Pyzor: got response: /usr/bin/python2: can't open file
> >'/usr/bin/pyzor'
> >
> >There is something wrong with your Pyzor installation. You can't open
> >/usr/bin/Pyzor. Leave
> >
> >use_pyzor      0
> >
> >Set in your spam.assassin.prefs.conf until you get this sorted out.
> >
> >
> Yep, have left this on since I first tried to install pyzor, that output
> appears in the debug anyway, I haven't tried to install razor2 yet as I
> stopped installing stuff when I didn't get pyzor doing, dcc was working
> fine, but disabled it when these troubles started and will off for the
> time being. All 3 entries exist in spam.assassin.prefs.conf usepzyor
> 0, razor and dcc.
>
> >>I turned did skip rbls and this made a huge difference in reducing the
> >>queue size. I have now turned them back on.
> >>
> >>
> >
> >This is telling you something. When you turn off SpamAssassin network
> >checks, things improve. When you turn them on things get worse. You are
> >having a problem running network checks. Try running:
> >
> >spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint
> >
> >and see if you can see or feel any delays.
> >
> >Also from your debug output:
> >debug: Razor2 is not available
> >
> >leave use_razor2       0
> >
> >off until you get this sorted out. Often this is caused by not following the
> >Install instructions, i.e. running
> >
> >razor-admin -create
> >razor-admin -register
> >
> >After the install. Go to the razor web site and read the installation
> >documents.
> >
> >
> >
> >>I have the latest stable release, and now I have turned off auto
> >>rebuild too.
> >>
> >>
> >
> >From looking at your debug output you're not trying to use Bayes at this
> >point.
> >
> >
> >
> >>Seems like the queue gets reduced, then something becomes broken again
> >>and then queue grows and this repeats - have never had a message
> >>stuck before, not even one - today there were 120, this went down to 40
> >>when I made the changes suggested above, then sa timeouts and back up 100.
> >>
> >>
> >
> >They are not stuck, they're just delayed. We have some ISP customers whose
> >incoming queues fluctuate from 2 to 700 messages waiting depending on the time
> >of day and spam loads.
> >
> >
> I mentioned this because prior to upgrading I never ever had any
> messages delayed in the queue, now I have a 100 all the time.
>
> >>I don't really want to turn off SA, I want to stop spam. So I will
> >>persevere for the rest of the day trying to get this working again.
> >>Thanks for your help.
> >>
> >>
> >>
> >
> >You'll still stop spam with the network checks off - just not as much.
> >SpamAssassin weighs scores differently if network checks are off so it's not
> >as bad as it seems.
> >
> >And finally
> >
> >1. What versions of MailScanner and SpamAssassin were you running before the
> >upgrade
> >2. What hardware - processor, disks and memory are you using?
> >3. What is your daily email volume?
> >
> >Steve
> >
> >Stephen Swaney
> >President
> >Fortress Systems Ltd.
> >Steve.Swaney at FSL.com
> >
> >
> >
> >
> RH9, untouched or upgraded since original installation.
> I started with MS4.24-5, postfix 2.16, sa2.60, clamav .60, mailwatch 3.b
> upgraded to
> MS 4.27.7, postfix is unchanged and untouched, sa 2.63 (from source),
> clamav .67, mailwatch .4>.51
>
> It's a dual P200 (that's two hundred) NEC server, many GB of spare HDD
> space and 512mb RAM. This machine ran perfectly with the original
> versions I installed. We get around 2000 messages per day on this machine.
>
> I have been hassling for better hardware now that I have proven this
> works (the plan was to prove it works without spending any cash) but
> company has merged and now boss won't approve new hardware, he advises if
> I need new hardware, must use a P2 400 PC, which I am not willing to try
> with. With this low mail volume I rarely see any more than %50 CPU usage
> on either cpu.
>
> I was just thinking Julian says to use perl SA, but I had already
> installed from source originally so thought it was best to upgrade this
> way, could this be the killer, I need to remove and install with cpan?
> Or install from cpan and leave the source install alone?
>
> >--
> >This message has been scanned for viruses and
> >dangerous content by Fortress Secure Mail Gateway
> >and was found to be clean.
> >
> >Fortress Systems Ltd. - http://www.fsl.com
> >
> >
> >
> >
> >
> >
> wow - thanks for taking the time to help me, much appreciated.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
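
The two checks Rick asks about at the top of this message, as an added shell example that is not part of the original thread: it tests whether Perl can load Net::CIDR and whether the first nameserver in a resolv.conf file is a loopback address. The function names are hypothetical, and treating a loopback first nameserver as "a local caching name server" is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the nameserver addresses from a resolv.conf-style file, in the
# order the resolver will try them. Commented-out entries are ignored.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed when the first nameserver is a loopback address. Assumption:
# a caching name server on this host is listed as 127.x.x.x or ::1.
first_nameserver_is_local() {
    first=$(list_nameservers "$1" | head -n 1)
    case "$first" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Succeed when the perl on PATH can load the named module.
perl_module_installed() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# Run both checks and report; returns non-zero if either one fails.
check_host() {
    conf=${1:-/etc/resolv.conf}
    status=0
    if perl_module_installed Net::CIDR; then
        echo "Net::CIDR: installed"
    else
        echo "Net::CIDR: missing"
        status=1
    fi
    if first_nameserver_is_local "$conf"; then
        echo "resolver: first nameserver in $conf is local"
    else
        echo "resolver: first nameserver in $conf is not local"
        status=1
    fi
    return $status
}
```

Source the file on the MailScanner host and run `check_host`, or pass the path of another resolv.conf-style file as the first argument.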


