Trobles with spamassassin - SpamAssassin

This is a discussion on Trobles with spamassassin - SpamAssassin ; Good morning everybody, My name is Francesco, from ThyssenKrupp. I'm mailing you for some suggestions about a problem which I find in my antispam system, based on spamassassin. My system has the following characteristics: - A two nodes cluster based, ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Trobles with spamassassin

  1. Trobles with spamassassin

    Good morning everybody,

    My name is Francesco, from ThyssenKrupp.

    I'm mailing you for some suggestions about a problem which I find in my
    antispam system, based on spamassassin.

    My system has the following characteristics:

    - A two nodes cluster based, active-active, one for the
    incoming email and the other for the outgoing email. If a node crashes,
    the other brings the service on its shoulders.

    - Each node has 4GB RAM and two processors

    - O.S. Fedora core 3

    - Mail server qmail 1.0.3

    - Antivirus clamav 0.87.1

    - Antispam spamassassin 3.0.4

    - Cluster controller heartbeat

    - Interface qmail-scanner-queue.pl

    Starting from the 15th of July, I find, sometimes, in the log file of
    qmail-scanner-queue.pl the following alert instead of normal score: SA:
    finished scan in 600.010015 secs - hits=?/?.

    I have already searched on the official site of spamassassin and it
    seems to be generated by some kind of trouble using the web scansion. I
    really used pyzor and razor2 scansion, so I took them out from local.cf.
    This action caused the decrease of average processing time from 15
    seconds to 3.5 seconds for each treated email. But I still have some
    kind of web search because the system is configured to use RBL search
    too, and I can't take it out. The time has been improved but the problem
    stays!

    I have to write and to upgrade a local configuration file, named
    local_rules.cf which has reached the dimension of 250KB it is very
    useful to stop a lot of SPAM which is not stopped by the other rules.
    The problem started to appear after one of the upgrade I usually have to
    do, which wasn't so dramatic to justify this behaviour, I think.

    Looking at my MRTG graphics I have noticed that the problem appears when
    the levels of system load and cpu usage are higher then usual but not
    the level of messages, which seems to be non influential.

    Someone told me that starting from middle of July a lot of public
    servers have been subject to attacks by crackers, and the attacks are
    still running.

    I really think that the problem is caused by the dimensions of the local
    configuration file, but every day I receive more than 15000 emails and
    the problem appears for no more than 50-60 emails!



    If you know the source of the problem or how to intervene to solve it I
    will be very grateful for your help.

    Thank you very much anyway.



    Best Regards

    Francesco Vincenti







  2. RE: Trobles with spamassassin

    Hi

    You'll probably get a lot of this, but a lot the software you mention is really really old, and I'm surprised you're clamav is indeed getting it's regular updates.

    Also a lot of people will recommend NOT using a fast moving linux distribution like Fedora as server.

    Once you've upgraded spamassassin and clamav then I'd have a look at this for some ideas about getting better performance out of SA..

    http://wiki.mailscanner.info/doku.ph...f_spamassassin

    --
    Martin Hepworth
    Snr Systems Administrator
    Solid State Logic
    Tel: +44 (0)1865 842300

    > -----Original Message-----
    > From: Vincenti Francesco [mailto:Francesco.Vincenti@aspasiel.it]
    > Sent: 19 September 2008 08:35
    > To: users@spamassassin.apache.org
    > Subject: Trobles with spamassassin
    >
    > Good morning everybody,
    >
    > My name is Francesco, from ThyssenKrupp.
    >
    > I'm mailing you for some suggestions about a problem which I
    > find in my antispam system, based on spamassassin.
    >
    > My system has the following characteristics:
    >
    > - A two nodes cluster based, active-active, one for
    > the incoming email and the other for the outgoing email. If a
    > node crashes, the other brings the service on its shoulders.
    >
    > - Each node has 4GB RAM and two processors
    >
    > - O.S. Fedora core 3
    >
    > - Mail server qmail 1.0.3
    >
    > - Antivirus clamav 0.87.1
    >
    > - Antispam spamassassin 3.0.4
    >
    > - Cluster controller heartbeat
    >
    > - Interface qmail-scanner-queue.pl
    >
    > Starting from the 15th of July, I find, sometimes, in the log
    > file of qmail-scanner-queue.pl the following alert instead of
    > normal score: SA: finished scan in 600.010015 secs - hits=?/?.
    >
    > I have already searched on the official site of spamassassin
    > and it seems to be generated by some kind of trouble using
    > the web scansion. I really used pyzor and razor2 scansion, so
    > I took them out from local.cf. This action caused the
    > decrease of average processing time from 15 seconds to 3.5
    > seconds for each treated email. But I still have some kind of
    > web search because the system is configured to use RBL search
    > too, and I can't take it out. The time has been improved but
    > the problem stays!
    >
    > I have to write and to upgrade a local configuration file,
    > named local_rules.cf which has reached the dimension of 250KB
    > it is very useful to stop a lot of SPAM which is not stopped
    > by the other rules. The problem started to appear after one
    > of the upgrade I usually have to do, which wasn't so dramatic
    > to justify this behaviour, I think.
    >
    > Looking at my MRTG graphics I have noticed that the problem
    > appears when the levels of system load and cpu usage are
    > higher then usual but not the level of messages, which seems
    > to be non influential.
    >
    > Someone told me that starting from middle of July a lot of
    > public servers have been subject to attacks by crackers, and
    > the attacks are still running.
    >
    > I really think that the problem is caused by the dimensions
    > of the local configuration file, but every day I receive more
    > than 15000 emails and the problem appears for no more than
    > 50-60 emails!
    >
    >
    >
    > If you know the source of the problem or how to intervene to
    > solve it I will be very grateful for your help.
    >
    > Thank you very much anyway.
    >
    >
    >
    > Best Regards
    >
    > Francesco Vincenti
    >
    >
    >
    >
    >
    >





    ************************************************** ********************
    Confidentiality : This e-mail and any attachments are intended for the
    addressee only and may be confidential. If they come to you in error
    you must take no action based on them, nor must you copy or show them
    to anyone. Please advise the sender by replying to this e-mail
    immediately and then delete the original from your computer.
    Opinion : Any opinions expressed in this e-mail are entirely those of
    the author and unless specifically stated to the contrary, are not
    necessarily those of the author's employer.
    Security Warning : Internet e-mail is not necessarily a secure
    communications medium and can be subject to data corruption. We advise
    that you consider this fact when e-mailing us.
    Viruses : We have taken steps to ensure that this e-mail and any
    attachments are free from known viruses but in keeping with good
    computing practice, you should ensure that they are virus free.

    Red Lion 49 Ltd T/A Solid State Logic
    Registered as a limited company in England and Wales
    (Company No:5362730)
    Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
    United Kingdom
    ************************************************** ********************


  3. Re: Trobles with spamassassin

    On Fri, 19 Sep 2008, Vincenti Francesco wrote:

    > Good morning everybody,
    >
    > My name is Francesco, from ThyssenKrupp.
    >
    > I'm mailing you for some suggestions about a problem which I find in my
    > antispam system, based on spamassassin.
    >

    [snip..]
    > - Each node has 4GB RAM and two processors
    >
    > - O.S. Fedora core 3
    >
    > - Mail server qmail 1.0.3
    >
    > - Antivirus clamav 0.87.1
    >
    > - Antispam spamassassin 3.0.4
    >
    > - Cluster controller heartbeat
    >
    > - Interface qmail-scanner-queue.pl
    >
    > Starting from the 15th of July, I find, sometimes, in the log file of
    > qmail-scanner-queue.pl the following alert instead of normal score: SA:
    > finished scan in 600.010015 secs - hits=?/?.

    [snip..]
    >
    > I have to write and to upgrade a local configuration file, named
    > local_rules.cf which has reached the dimension of 250KB it is very
    > useful to stop a lot of SPAM which is not stopped by the other rules.
    > The problem started to appear after one of the upgrade I usually have to
    > do, which wasn't so dramatic to justify this behaviour, I think.


    Two things;
    1) That is an obsolete version of clamav (current version is up to 0.94)
    The database updates probably are not working with your client as
    the database contains features that are version specific.
    So you may not be protected at all due to database VS client version
    mismatches.
    Update it promptly.

    2) That is an obsolete version of spamassassin, (v3.2.5 is current, v3.3
    almost out.) Spam is a constantly thing thing as spammers try to
    circumvent anti-spam measures, so spamassassin evolves to try to beat it.

    This you have already found by your need for that very large local config
    file. If you update to a more recent version of spamassassin you can
    probably get rid of that oversized local config file and get better
    performance than you have already.

    Bottom line, update both ClamAV & spamassassin.


    --
    Dave Funk University of Iowa
    College of Engineering
    319/335-5751 FAX: 319/384-0549 1256 Seamans Center
    Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
    #include
    Better is not better, 'standard' is better. B{


+ Reply to Thread