Re: [qmailtoaster] Re: Issues with spam causing high load and unresponsive server
I disabled the Bayesian filter and autolearn to see if that would help. I also checked the smtp logs again, and I'm still seeing entries like this:

2006-11-07 11:57:13.124734500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-07 11:57:13.124741500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-07 11:57:13.124745500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-07 11:57:13.124763500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-07 11:57:13.124768500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-07 11:57:13.124776500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient
2006-11-07 11:57:13.126403500 CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote dom1:unknown:83.6.253.146 rcpt [EMAIL PROTECTED] : found existing recipient

None of those accounts exist, yet it says found existing recipient? I don't understand that part.

Josh

On 11/6/06, Joshua Zukerman [EMAIL PROTECTED] wrote:

Well, I can post what qmailtoaster mrtg is currently showing:

concurrency: http://i13.tinypic.com/436j4uf.png
messages: http://i13.tinypic.com/2cr0hz8.png
smtp: http://i14.tinypic.com/40mbodi.png
smtp allow/deny: http://i13.tinypic.com/2yw7olx.png
spamd: http://i13.tinypic.com/2eocutk.png

On 11/6/06, Eric Shubes [EMAIL PROTECTED] wrote:

Like I said, I don't know mrtg, but what makes you doubt its accuracy?

Joshua Zukerman wrote:

MRTG (on the network interface) sometimes shows some peaks of traffic, like 300kbit, nothing too serious. qmailmrtg notes quite a bunch of smtp connections but I think it isn't too accurate.

On 11/6/06, Eric Shubes [EMAIL PROTECTED] wrote:

That looks/sounds ok to me. Is your network connection jammed when you have these unresponsive episodes? I'm not familiar with the mrtg data, but do you see anything there that coincides with the episodes?

Joshua Zukerman wrote:

I use a pretty much stock qmailtoaster install. I believe the only customizations were the RBLs and my spamassassin configuration file. Here it is:

# How many hits before a message is considered spam.
required_score 5.0
# Change the subject of suspected spam
rewrite_header subject *SPAM*
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languages en
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales en
score RCVD_IN_BL_SPAMCOP_NET 4
score RCVD_IN_RELAYS_ORDB_ORG 4
score RCVD_IN_DSBL 4
blacklist_from [addresses here]
whitelist_from [addresses here]

I still get quite a bit of spam into my inbox, but Thunderbird does a pretty good job of filtering that out. No errors in the spamd logs. Most e-mail scanned by spamassassin and marked as spam says it takes around 0.5 to 3 secs to scan and be marked as spam.

It does appear I am seeing status 256 in my smtp log files. Here is a snip:

2006-11-06 10:44:55.701627500 tcpserver: status: 2/50
2006-11-06 10:45:02.256818500 tcpserver: status: 3/50
2006-11-06 10:45:05.314525500 tcpserver: end 5226 status 256
2006-11-06 10:45:05.314531500 tcpserver: status: 2/50
2006-11-06 10:45:11.114846500 tcpserver: end 5228 status 256
2006-11-06 10:45:11.114852500 tcpserver: status: 1/50
2006-11-06 10:45:35.024883500 tcpserver: status: 2/50
2006-11-06 10:45:39.820891500 tcpserver: end 5273 status 256
2006-11-06 10:45:39.820897500 tcpserver: status: 1/50
2006-11-06 10:46:09.466074500 tcpserver: status: 2/50
2006-11-06 10:46:13.493163500 tcpserver: end 5276 status 256
2006-11-06 10:46:13.493169500 tcpserver: status: 1/50
2006-11-06 10:46:47.935619500 tcpserver: end 5279 status 256

I do not see any errors in the clamd nor spamd logs. Thanks for the help.

Josh

On 11/5/06, Eric Shubes [EMAIL PROTECTED] wrote:

Also, are you seeing smtp sessions end after 300 or 600 seconds with status 256? Do you see any
Re: [qmailtoaster] Re: Issues with spam causing high load and unresponsive server
I meant to say in my original e-mail that the catchall was set to delete. I set that up again just to be sure.

Josh

On 11/7/06, Steve Huff [EMAIL PROTECTED] wrote:

On Nov 7, 2006, at 1:30 PM, Joshua Zukerman wrote:

None of those accounts exist, yet it says found existing recipient? I don't understand that part.

do you have a catchall account defined? look in qmailadmin to find out. you may want to configure your domains to drop (not bounce) messages to any undefined addresses rather than sending them to a catchall.

-steve

--
If this were played upon a stage now, I could condemn it as an improbable fiction.
- Fabian, Twelfth Night, III,v

- QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
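As an added example (not part of the thread and not qmailtoaster code), this Python script summarizes an smtp log in the two layouts quoted above: accepted recipients per remote IP, the worst per-second burst, accepted recipients that are not real mailboxes, peak tcpserver concurrency, and the count of sessions ending with status 256. The `known_mailboxes` list, the function name and the sample log (documentation addresses) are assumptions made for the illustration.

```python
import re
from collections import Counter

# Line layouts as quoted in the thread. Angle brackets are optional because the
# archive stripped them together with the addresses.
RCPT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ CHKUSER accepted rcpt: "
    r"from .*? remote <?[^ ]*:([0-9.]+)>? rcpt <?(.+?)>? : .*$")
STATUS_RE = re.compile(r"tcpserver: status: (\d+)/(\d+)$")
END_RE = re.compile(r"tcpserver: end \d+ status (\d+)$")

# Constructed sample (documentation addresses), not taken from a real server.
SAMPLE_LOG = """\
2006-11-07 11:57:13.124734500 CHKUSER accepted rcpt: from sender1@example.net:: remote dom1:unknown:192.0.2.10 rcpt aaa@example.org : found existing recipient
2006-11-07 11:57:13.124741500 CHKUSER accepted rcpt: from sender1@example.net:: remote dom1:unknown:192.0.2.10 rcpt bbb@example.org : found existing recipient
2006-11-07 11:57:13.126403500 CHKUSER accepted rcpt: from sender1@example.net:: remote dom1:unknown:192.0.2.10 rcpt ccc@example.org : found existing recipient
2006-11-07 11:57:20.000000500 CHKUSER accepted rcpt: from friend@example.com:: remote mail:unknown:198.51.100.7 rcpt josh@example.org : found existing recipient
2006-11-07 11:57:21.701627500 tcpserver: status: 2/50
2006-11-07 11:57:22.256818500 tcpserver: status: 3/50
2006-11-07 11:57:25.314525500 tcpserver: end 5226 status 256
2006-11-07 11:57:25.314531500 tcpserver: status: 2/50
"""


def analyze(log_text, known_mailboxes):
    """Summarize an smtp log; known_mailboxes is the admin's own mailbox list."""
    known = {m.lower() for m in known_mailboxes}
    per_ip = Counter()   # accepted RCPTs per remote IP
    burst = Counter()    # accepted RCPTs per (remote IP, second)
    unknown = set()      # accepted recipients with no real mailbox behind them
    peak = limit = status_256 = 0
    for line in log_text.splitlines():
        line = line.strip()
        m = RCPT_RE.match(line)
        if m:
            second, ip, rcpt = m.groups()
            per_ip[ip] += 1
            burst[(ip, second)] += 1
            if rcpt.lower() not in known:
                unknown.add(rcpt.lower())
            continue
        m = STATUS_RE.search(line)
        if m:
            limit = int(m.group(2))
            peak = max(peak, int(m.group(1)))
            continue
        m = END_RE.search(line)
        if m and m.group(1) == "256":
            status_256 += 1
    return {
        "rcpts_per_ip": dict(per_ip),
        "worst_burst": burst.most_common(1)[0] if burst else None,
        "accepted_unknown": sorted(unknown),
        "peak_concurrency": (peak, limit),
        "status_256": status_256,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, ["josh@example.org"]).items():
        print(key, value)
```

A non-empty `accepted_unknown` list means mail for addresses without a mailbox is still being accepted at RCPT time, which is the symptom reported above and is worth checking against each domain's catchall setting.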
Re: [qmailtoaster] Re: Issues with spam causing high load and unresponsive server
I use a pretty much stock qmailtoaster install. I believe the only customizations were the RBLs and my spamassassin configuration file. Here it is:

# How many hits before a message is considered spam.
required_score 5.0
# Change the subject of suspected spam
rewrite_header subject *SPAM*
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languages en
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales en
score RCVD_IN_BL_SPAMCOP_NET 4
score RCVD_IN_RELAYS_ORDB_ORG 4
score RCVD_IN_DSBL 4
blacklist_from [addresses here]
whitelist_from [addresses here]

I still get quite a bit of spam into my inbox, but Thunderbird does a pretty good job of filtering that out. No errors in the spamd logs. Most e-mail scanned by spamassassin and marked as spam says it takes around 0.5 to 3 secs to scan and be marked as spam.

It does appear I am seeing status 256 in my smtp log files. Here is a snip:

2006-11-06 10:44:55.701627500 tcpserver: status: 2/50
2006-11-06 10:45:02.256818500 tcpserver: status: 3/50
2006-11-06 10:45:05.314525500 tcpserver: end 5226 status 256
2006-11-06 10:45:05.314531500 tcpserver: status: 2/50
2006-11-06 10:45:11.114846500 tcpserver: end 5228 status 256
2006-11-06 10:45:11.114852500 tcpserver: status: 1/50
2006-11-06 10:45:35.024883500 tcpserver: status: 2/50
2006-11-06 10:45:39.820891500 tcpserver: end 5273 status 256
2006-11-06 10:45:39.820897500 tcpserver: status: 1/50
2006-11-06 10:46:09.466074500 tcpserver: status: 2/50
2006-11-06 10:46:13.493163500 tcpserver: end 5276 status 256
2006-11-06 10:46:13.493169500 tcpserver: status: 1/50
2006-11-06 10:46:47.935619500 tcpserver: end 5279 status 256

I do not see any errors in the clamd nor spamd logs. Thanks for the help.

Josh

On 11/5/06, Eric Shubes [EMAIL PROTECTED] wrote:

Also, are you seeing smtp sessions end after 300 or 600 seconds with status 256? Do you see any errors in the spamd log? Does spamd ever max out the cpu for a period of time?

Erik Espinoza wrote:

rblsmtpd doesn't take up very many resources. This is probably due to spamassassin or clamav. You may want to look through the logs of the spamassassin and clamav to see if there are any issues that show through.

Is this a very stock install or did you enable things, such as SURBL or Pyzor? Any more details about your configuration would be appreciated.

Thanks,
Erik

On 11/5/06, Joshua Zukerman [EMAIL PROTECTED] wrote:

I forgot to mention the blacklists I use:

-rrelays.ordb.org -rsbl-xbl.spamhaus.org -rbl.spamcop.net -rlist.dsbl.org -rdnsbl.njabl.org -rdun.dnsrbl.net

I think these are all working, last time I checked. Could slow dns queries be causing my issues?

On 11/5/06, Joshua Zukerman [EMAIL PROTECTED] wrote:

Hello list,

I run a centos 4.4 final server using qmail-toaster-1.03-1.3.5 from a few months ago. Recently, in the past couple months, I've had intermittent issues where my server becomes unresponsive for a few minutes at a time, several times a day. Unresponsive to the web server it runs, dns queries, mail, ssh etc. I tracked down the problem to random IP addresses opening a bunch of smtp processes and attempting to send spam to my server.

I run four domains and a few e-mail users of a personal nature. Nothing mission critical here. However, it is annoying the server gets pretty much tied up dealing with the spam. I checked my server to make sure it isn't an open relay, which came back clean. I have no auto-responders, nor any catch alls. I edited /var/qmail/control/concurrencyincoming to 50 instead of the 100 and that made no difference.

The server is a P4 2.4ghz, with 512mb of ram, couple of drives in a Raid1 configuration, on a shared T1 line. I don't use much bandwidth, however the bandwidth is there if I need it. So I do not think this is an issue with internet connectivity. I can always ping the server remotely and all responses come back properly.

I checked the smtp logs, and see random IP addresses trying to send mail to my server. No one IP address repeatedly trying to connect, so blocking IP addresses was a futile effort. I do use the blacklists and that helps somewhat. I also have spamassassin installed which helps a bit with the spam e-mails. Most of the spam e-mails are directed to non-existent e-mail accounts.

Is there anything I can do to limit the amount of connections one ip address is allowed to open
Re: [qmailtoaster] Re: Issues with spam causing high load and unresponsive server
Well, I can post what qmailtoaster mrtg is currently showing:

concurrency: http://i13.tinypic.com/436j4uf.png
messages: http://i13.tinypic.com/2cr0hz8.png
smtp: http://i14.tinypic.com/40mbodi.png
smtp allow/deny: http://i13.tinypic.com/2yw7olx.png
spamd: http://i13.tinypic.com/2eocutk.png

On 11/6/06, Eric Shubes [EMAIL PROTECTED] wrote:

Like I said, I don't know mrtg, but what makes you doubt its accuracy?

Joshua Zukerman wrote:

MRTG (on the network interface) sometimes shows some peaks of traffic, like 300kbit, nothing too serious. qmailmrtg notes quite a bunch of smtp connections but I think it isn't too accurate.

On 11/6/06, Eric Shubes [EMAIL PROTECTED] wrote:

That looks/sounds ok to me. Is your network connection jammed when you have these unresponsive episodes? I'm not familiar with the mrtg data, but do you see anything there that coincides with the episodes?

Joshua Zukerman wrote:

I use a pretty much stock qmailtoaster install. I believe the only customizations were the RBLs and my spamassassin configuration file. Here it is:

# How many hits before a message is considered spam.
required_score 5.0
# Change the subject of suspected spam
rewrite_header subject *SPAM*
# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
bayes_auto_learn 1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languages en
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales en
score RCVD_IN_BL_SPAMCOP_NET 4
score RCVD_IN_RELAYS_ORDB_ORG 4
score RCVD_IN_DSBL 4
blacklist_from [addresses here]
whitelist_from [addresses here]

I still get quite a bit of spam into my inbox, but Thunderbird does a pretty good job of filtering that out. No errors in the spamd logs. Most e-mail scanned by spamassassin and marked as spam says it takes around 0.5 to 3 secs to scan and be marked as spam.

It does appear I am seeing status 256 in my smtp log files. Here is a snip:

2006-11-06 10:44:55.701627500 tcpserver: status: 2/50
2006-11-06 10:45:02.256818500 tcpserver: status: 3/50
2006-11-06 10:45:05.314525500 tcpserver: end 5226 status 256
2006-11-06 10:45:05.314531500 tcpserver: status: 2/50
2006-11-06 10:45:11.114846500 tcpserver: end 5228 status 256
2006-11-06 10:45:11.114852500 tcpserver: status: 1/50
2006-11-06 10:45:35.024883500 tcpserver: status: 2/50
2006-11-06 10:45:39.820891500 tcpserver: end 5273 status 256
2006-11-06 10:45:39.820897500 tcpserver: status: 1/50
2006-11-06 10:46:09.466074500 tcpserver: status: 2/50
2006-11-06 10:46:13.493163500 tcpserver: end 5276 status 256
2006-11-06 10:46:13.493169500 tcpserver: status: 1/50
2006-11-06 10:46:47.935619500 tcpserver: end 5279 status 256

I do not see any errors in the clamd nor spamd logs. Thanks for the help.

Josh

On 11/5/06, Eric Shubes [EMAIL PROTECTED] wrote:

Also, are you seeing smtp sessions end after 300 or 600 seconds with status 256? Do you see any errors in the spamd log? Does spamd ever max out the cpu for a period of time?

Erik Espinoza wrote:

rblsmtpd doesn't take up very many resources. This is probably due to spamassassin or clamav. You may want to look through the logs of the spamassassin and clamav to see if there are any issues that show through.

Is this a very stock install or did you enable things, such as SURBL or Pyzor? Any more details about your configuration would be appreciated.

Thanks,
Erik

On 11/5/06, Joshua Zukerman [EMAIL PROTECTED] wrote:

I forgot to mention the blacklists I use:

-rrelays.ordb.org -rsbl-xbl.spamhaus.org -rbl.spamcop.net -rlist.dsbl.org -rdnsbl.njabl.org -rdun.dnsrbl.net

I think these are all working, last time I checked. Could slow dns queries be causing my issues?

On 11/5/06, Joshua Zukerman [EMAIL PROTECTED] wrote:

Hello list,

I run a centos 4.4 final server using qmail-toaster-1.03-1.3.5 from a few months ago. Recently, in the past couple months, I've had intermittent issues where my server becomes unresponsive for a few minutes at a time, several times a day. Unresponsive to the web server it runs, dns queries, mail, ssh etc. I tracked down the problem to random IP addresses opening a bunch of smtp processes and attempting to send spam to my server.

I run four domains and a few e-mail users of a personal nature. Nothing mission critical here. However, it is annoying
[qmailtoaster] Issues with spam causing high load and unresponsive server
Hello list,

I run a centos 4.4 final server using qmail-toaster-1.03-1.3.5 from a few months ago. Recently, in the past couple months, I've had intermittent issues where my server becomes unresponsive for a few minutes at a time, several times a day. Unresponsive to the web server it runs, dns queries, mail, ssh etc. I tracked down the problem to random IP addresses opening a bunch of smtp processes and attempting to send spam to my server.

I run four domains and a few e-mail users of a personal nature. Nothing mission critical here. However, it is annoying the server gets pretty much tied up dealing with the spam. I checked my server to make sure it isn't an open relay, which came back clean. I have no auto-responders, nor any catch alls. I edited /var/qmail/control/concurrencyincoming to 50 instead of the 100 and that made no difference.

The server is a P4 2.4ghz, with 512mb of ram, couple of drives in a Raid1 configuration, on a shared T1 line. I don't use much bandwidth, however the bandwidth is there if I need it. So I do not think this is an issue with internet connectivity. I can always ping the server remotely and all responses come back properly.

I checked the smtp logs, and see random IP addresses trying to send mail to my server. No one IP address repeatedly trying to connect, so blocking IP addresses was a futile effort. I do use the blacklists and that helps somewhat. I also have spamassassin installed which helps a bit with the spam e-mails. Most of the spam e-mails are directed to non-existent e-mail accounts.

Is there anything I can do to limit the amount of connections one ip address is allowed to open at one time? Or something else I can do to not make my server so unresponsive?
[qmailtoaster] Re: Issues with spam causing high load and unresponsive server
I forgot to mention the blacklists I use:

-rrelays.ordb.org -rsbl-xbl.spamhaus.org -rbl.spamcop.net -rlist.dsbl.org -rdnsbl.njabl.org -rdun.dnsrbl.net

I think these are all working, last time I checked. Could slow dns queries be causing my issues?

On 11/5/06, Joshua Zukerman [EMAIL PROTECTED] wrote:

Hello list,

I run a centos 4.4 final server using qmail-toaster-1.03-1.3.5 from a few months ago. Recently, in the past couple months, I've had intermittent issues where my server becomes unresponsive for a few minutes at a time, several times a day. Unresponsive to the web server it runs, dns queries, mail, ssh etc. I tracked down the problem to random IP addresses opening a bunch of smtp processes and attempting to send spam to my server.

I run four domains and a few e-mail users of a personal nature. Nothing mission critical here. However, it is annoying the server gets pretty much tied up dealing with the spam. I checked my server to make sure it isn't an open relay, which came back clean. I have no auto-responders, nor any catch alls. I edited /var/qmail/control/concurrencyincoming to 50 instead of the 100 and that made no difference.

The server is a P4 2.4ghz, with 512mb of ram, couple of drives in a Raid1 configuration, on a shared T1 line. I don't use much bandwidth, however the bandwidth is there if I need it. So I do not think this is an issue with internet connectivity. I can always ping the server remotely and all responses come back properly.

I checked the smtp logs, and see random IP addresses trying to send mail to my server. No one IP address repeatedly trying to connect, so blocking IP addresses was a futile effort. I do use the blacklists and that helps somewhat. I also have spamassassin installed which helps a bit with the spam e-mails. Most of the spam e-mails are directed to non-existent e-mail accounts.

Is there anything I can do to limit the amount of connections one ip address is allowed to open at one time? Or something else I can do to not make my server so unresponsive?
Re: [qmailtoaster] Re: UNOFFICIAL: QmailToaster VMware Appliance
Dugg.

On 3/22/06, Erik Espinoza [EMAIL PROTECTED] wrote:

Hey Guys,

In an effort to spread the word about the QmailToaster out, I have submitted the release of the Virtual Appliance to Digg. Feel free to digg it, or add comments if you would like.

Thanks,
Erik

http://digg.com/linux_unix/Test_the_QmailToaster_VMware_Virtual_Appliance

On 3/21/06, Erik Espinoza [EMAIL PROTECTED] wrote:

Greetings,

The QmailToaster VMware Virtual Appliance is now available. Since this is a pretty big release, I have made it available by BitTorrent only. Please seed if you can. The torrent is available at my usual page: http://www.kabewm.com/pages/projects/qmailtoaster.php

RELEASE NOTES

BASICS

In order to be compliant with the djb license, this ships without the QmailToaster installed. I have included a script that will configure the system for a static IP and download/compile/install QmailToaster.

This is a basic CentOS 4.3 x86 install. The installation only has what is required for the QmailToaster distribution. No frills, no X, etc. This system has been preconfigured in just about every respect.

The VMware Image is configured without disks or cdroms. In addition it has a virtual hard disk that can grow to 40 gigs. The default setting is 256 mb of ram.

SECURITY

It is recommended that you do the following, at the very minimum, for security:

1) Change the root password, currently it is set to 'password'
2) In '/etc/ssh/sshd_config' set PermitRootLogin no
3) Set a mysql root password, currently there is none. You may also want to change the password to vpopmail database, which uses the default qmailtoaster password of 'SsEeCcRrEeTt'.

NETWORKING

Have the following information ready upon first boot: Hostname, Domain Name, IP Address, Subnet, Gateway, and DNS Server

By default this is set to 'bridged' networking. This means that your VMware Appliance will be on the same network as the machine it is running on.

Upon booting you will have to enter the information above through prompts. If you make a mistake use the backspace and/or leave a prompt blank and reboot. This script will not execute once it is run from beginning to end.

*NOTE: Because the networking is set to bridged the VMware Appliance will put forth a virtual mac address. This means that if you are testing this as a demo over wireless, you MUST add the virtual mac address to the allowed list.

UP AND RUNNING

Please refer to the http://www.qmailtoaster.com/info/EZ-QmailToaster-Install.txt starting with section 9 after the system has rebooted with the QmailToaster installed.

By default this VMware Appliance will run yum nightly, so it is recommended that you run it as soon as the install is complete.

Thanks,
Erik A. Espinoza