OK, let's go through it all step by step...

1. Begin
  My server has netqmail-1.05 and spamdyke-3.1.2 installed and it has worked
fine for a long time. I tried to send mail on Thursday evening and saw the
answer - Please talk faster... I checked with top and saw that the server had
three spamdyke processes that took about 100% of CPU time. I killed them
and sent my mail. Two hours later I saw another hung spamdyke. When I
checked all spamdyke processes, I saw one very old process, some working
and one hung. I killed the old and hung ones and upgraded spamdyke to 3.1.5.
2. With this version I have the same behavior - the first spamdyke called
stays resident and as a result I have many messages in the daily report about
no users for a registered user (I think so).
3. Logs and configs:

mail root]# ps aux | grep spamdyke
vpopmail 16541  0.0  0.0  1584  492 ?   S   Jan25 0:02 
/usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru
-x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0 smtp
/var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
--smtp-auth-command /usr/local/vpopmail/bin/vchkpw /bin/true 
/var/qmail/bin/qmail
root   16234  0.0  0.0 3696 668 pts/3  S 12:54   0:00 grep spamdyke

--- Current date is Jan 26 and the server doesn't have many incoming mails --
Time of call for this process - 18:06
The ps command doesn't show the whole command line; the real calling script is:

exec /usr/local/sbin/softlimit -m 46428800 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.rules/smtp.cdb \
-c "$MAXSMTPD" -n 40 -i 20 -u "$VPOPMAILUID" -g "$VPOPMAILGID" 0 smtp \
/var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf \
--smtp-auth-command "/usr/local/vpopmail/bin/vchkpw /bin/true" \
/var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /bin/true 2>&1

spamdyke.conf:

log-level=3
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=5
idle-timeout-secs=180
graylist-dir=/var/qmail/control/gr/graylist
graylist-min-secs=300
graylist-max-secs=1814400
no-graylist-dir=/var/qmail/control/gr/no_graylist
sender-blacklist-file=/var/qmail/control/gr/blacklist_senders
recipient-blacklist-file=/var/qmail/control/gr/blacklist_recipients
recipient-whitelist-file=/var/qmail/control/gr/whitelist_recipients
ip-in-rdns-keyword-file=/var/qmail/control/gr/blacklist_keywords
ip-blacklist-file=/var/qmail/control/gr/blacklist_ip
rdns-blacklist-dir=/var/qmail/control/gr/blacklist_rdns.d
reject-empty-rdns
reject-unresolvable-rdns
reject-ip-in-cc-rdns
rdns-whitelist-file=/var/qmail/control/gr/whitelist_rdns
ip-whitelist-file=/var/qmail/control/gr/whitelist_ip
greeting-delay-secs=5
check-dnsrbl=zombie.dnsbl.sorbs.net
check-dnsrbl=dul.dnsbl.sorbs.net
check-dnsrbl=bogons.cymru.com
reject-missing-sender-mx
tls-certificate-file=/var/qmail/control/servercert.pem

Log for the time of the hang:

maillog -

Jan 25 18:05:38 localhost spamdyke[16496]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 87.237.64.15 origin_rdns: 15-64.ggs.hns.net auth: (unknown)
Jan 25 18:05:54 localhost spamdyke[16516]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 89.253.195.242 origin_rdns: hoster.1c.ru auth: (unknown)
Jan 25 18:05:56 localhost spamdyke[16488]: DENIED_BLACKLIST_NAME from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 125.26.38.60 origin_rdns: 125-26-38-60.adsl.totbb.net auth: (unknown)
Jan 25 18:06:09 localhost spamdyke[16470]: TIMEOUT from: [EMAIL PROTECTED] to: (unknown) origin_ip: 86.4.1.52 origin_rdns: cpc3-runc1-0-0-cust307.bagu.cable.ntl.com auth: (unknown) reason: DENIED_BLACKLIST_NAME
Jan 25 18:06:14 localhost spamdyke[16472]: TIMEOUT from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 71.191.159.74 origin_rdns: pool-71-191-159-74.washdc.fios.verizon.net auth: (unknown) reason: (unknown)
Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] rlab.ru origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
Jan 25 18:06:44 localhost spamdyke[16559]: ERROR: unable to write 47 bytes to file descriptor 1: Connection reset by peer
Jan 25 18:06:52 localhost spamdyke[16558]: DENIED_RDNS_RESOLVE from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 79.134.0.9 origin_rdns: pan2loc-ttk.mgn.ru auth: (unknown)

   The suspicious string is "Jan 25 18:06:14 localhost spamdyke[16472]:"

In syslog I see the same strings + vpopmail imaps logins.
There are no errors at this log level.

OK, I changed log-level to 5 and killed the currently resident process -
immediately I had another! And there aren't any messages in the logs...

mail root]# ps aux | grep spamdyke
vpopmail 17530  0.0  0.0  1584  492 ?  S 13:35 0:00
/usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru
-x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0
smtp /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
--smtp-auth-command /usr/local/vpopmail/bin/vchkpw /bin/true 
/var/qmail/bin/qmail
root    17614  0.0  0.0  3688  668 pts/3  S 13:39  0:00 grep spamdyke

What more can I say?
There aren't any hung processes that eat process time, but who can
guarantee that all will be so fine in the future???


On Fri, 25 Jan 2008 17:56:48 -0600
Sam Clippinger <[EMAIL PROTECTED]> wrote:

> I'm not sure I understand the problem or the strace output.  You're 
> seeing a single spamdyke process remain running and never exit?  I
> need more information before I can help.  Are you using the latest
> version of spamdyke?  How much CPU is it using?  Are you seeing any
> errors in your log files?  Can you send a full log of a message that
> causes this behavior?  Can you send your spamdyke configuration file?
> 
> -- Sam Clippinger
> 
> N.Novozhilov wrote:
> > Since yesterday I have discovered very strange behavior of spamdyke; all
> > the time before, all was good:
> > 
> > The first running copy stays resident and listens on the network. Short log:
> > 
> > host# strace -p 12787 -e trace=network
> > Process 12787 attached - interrupt to quit
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > accept(3, {sa_family=AF_INET, sin_port=htons(4430), sin_addr=inet_addr("88.229.222.135")}, [16]) = 0
> > accept(3, {sa_family=AF_INET, sin_port=htons(3953), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
> > 
> > accept(3, {sa_family=AF_INET, sin_port=htons(2396), sin_addr=inet_addr("189.0.199.23")}, [16]) = 0
> > accept(3, {sa_family=AF_INET, sin_port=htons(13776), sin_addr=inet_addr("122.164.34.160")}, [16]) = 0
> > 
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, {sa_family=AF_INET, sin_port=htons(58206), sin_addr=inet_addr("123.248.102.135")}, [16]) = 0
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, {sa_family=AF_INET, sin_port=htons(2693), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, {sa_family=AF_INET, sin_port=htons(4269), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
> > accept(3, {sa_family=AF_INET, sin_port=htons(2788), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, {sa_family=AF_INET, sin_port=htons(2852), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> > accept(3, {sa_family=AF_INET, sin_port=htons(4547), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > 
> > accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > accept(3, {sa_family=AF_INET, sin_port=htons(2894), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> > accept(3, {sa_family=AF_INET, sin_port=htons(1268), sin_addr=inet_addr("200.88.97.100")}, [16]) = 0
> > accept(3, {sa_family=AF_INET, sin_port=htons(1269), sin_addr=inet_addr("200.88.97.100")}, [16]) = 0
> > 
> > and so on...
> > 
> > What is it - some bug in the configuration of qmail (I didn't change
> > anything in the working spamdyke conf) or a new hacker attack?
> > 
> > P.S. I'm sorry about the previous mail - I didn't wait for a full stop of
> > all smtp processes.
> > 
> > 
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Regards
> > Nicholas A. Novozhilov, NAN6-RIPE
> > 
> >  NTR Lab
> >  System administrator
> > _______________________________________________
> > spamdyke-users mailing list
> > [email protected]
> > http://www.spamdyke.org/mailman/listinfo/spamdyke-users


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Regards
Nicholas A. Novozhilov, NAN6-RIPE

 NTR Lab
 System administrator
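
As an added example (not part of the original message and not spamdyke's own code), the script below parses log lines in the format of the maillog excerpt above and pulls out the kinds of entries worth a second look during triage: TIMEOUT records whose reason is (unknown), ERROR lines, and IPs denied more than once. The sample lines are constructed (placeholder addresses, documentation-range IPs), and the names parse_line and triage are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the maillog excerpt above.
SAMPLE_LOG = """\
Jan 25 18:05:38 localhost spamdyke[16496]: ALLOWED from: a@example.org to: u@example.net origin_ip: 192.0.2.15 origin_rdns: mx.example.org auth: (unknown)
Jan 25 18:06:09 localhost spamdyke[16470]: TIMEOUT from: b@example.org to: (unknown) origin_ip: 198.51.100.52 origin_rdns: cust307.example.com auth: (unknown) reason: DENIED_BLACKLIST_NAME
Jan 25 18:06:14 localhost spamdyke[16472]: TIMEOUT from: c@example.org to: u@example.net origin_ip: 203.0.113.74 origin_rdns: pool-74.example.net auth: (unknown) reason: (unknown)
Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from: d@example.org to: u@example.net origin_ip: 203.0.113.102 origin_rdns: (unknown) auth: (unknown)
Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from: d@example.org to: u@example.net origin_ip: 203.0.113.102 origin_rdns: (unknown) auth: (unknown)
Jan 25 18:06:44 localhost spamdyke[16559]: ERROR: unable to write 47 bytes to file descriptor 1: Connection reset by peer
"""

# syslog prefix, PID, verdict keyword, then the rest of the line
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ spamdyke\s*\[(\d+)\]: (\w+):? ?(.*)$")
# "key: value" pairs; a value runs until the next known key or end of line
KEYS = r"(?:from|to|origin_ip|origin_rdns|auth|reason)"
FIELD = re.compile(r"\b(" + KEYS[3:-1] + r"): (.*?)(?= " + KEYS + r": |$)")

def parse_line(line):
    """Return a dict for one spamdyke log line, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    when, pid, verdict, rest = m.groups()
    rec = {"time": when, "pid": int(pid), "verdict": verdict}
    fields = dict(FIELD.findall(rest))
    if fields:
        rec.update(fields)
    else:
        rec["message"] = rest  # free-text lines such as ERROR
    return rec

def triage(text):
    """Summarise verdicts and list the entries worth a closer look."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    denied = Counter(r.get("origin_ip") for r in recs
                     if r["verdict"].startswith("DENIED"))
    return {
        "verdicts": dict(Counter(r["verdict"] for r in recs)),
        "unexplained_timeouts": [r["pid"] for r in recs
            if r["verdict"] == "TIMEOUT" and r.get("reason") == "(unknown)"],
        "errors": [(r["pid"], r["message"]) for r in recs if r["verdict"] == "ERROR"],
        "repeat_denied_ips": sorted(ip for ip, n in denied.items() if ip and n > 1),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```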