The process you're seeing is not spamdyke.  It is tcpserver -- the 
daemon that listens for incoming SMTP connections.  It always stays 
running because otherwise your mail server would not accept mail from the 
internet.

This is normal.

-- Sam Clippinger

N.Novozhilov wrote:
> OK, let's go through it all step by step...
> 
> 1. Begin
>   My server has netqmail-1.05 and spamdyke-3.1.2 installed and works
> fine many times. I tried to send mail on Thursday evening and saw the answer
> - Please talk faster... I checked by means of top and saw that the server had
> three spamdyke processes that took about 100% of CPU time. I killed them
> and sent my mail. Two hours later I saw another hung spamdyke. When I
> checked all spamdyke processes, I saw one very old process, some working
> and one hung. I killed the old and hung ones and upgraded spamdyke to 3.1.5.
> 2. With this version I have the same behavior - the first called spamdyke
> stays resident and as a result I have many messages in the daily report about
> no users for registered user (I think so).
> 3. Logs and configs:
> 
> mail root]# ps aux | grep spamdyke
> vpopmail 16541  0.0  0.0  1584  492 ?   S   Jan25 0:02 
> /usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru
> -x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0 smtp
> /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
> --smtp-auth-command /usr/local/vpopmail/bin/vchkpw /bin/true 
> /var/qmail/bin/qmail
> root   16234  0.0  0.0 3696 668 pts/3  S 12:54   0:00 grep spamdyke
> 
> --- Current date is Jan 26 and the server doesn't have many incoming mails --
> Time of call for this process - 18:06
> The ps command doesn't show the full command line. The real calling script is:
> 
> exec /usr/local/sbin/softlimit -m 46428800 \
> /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.rules/smtp.cdb \
> -c "$MAXSMTPD" -n 40 -i 20 -u "$VPOPMAILUID" -g "$VPOPMAILGID" 0 smtp \
> /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf \
> --smtp-auth-command "/usr/local/vpopmail/bin/vchkpw /bin/true" \
> /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /bin/true 2>&1
> 
> spamdyke.conf:
> 
> log-level=3
> local-domains-file=/var/qmail/control/rcpthosts
> max-recipients=5
> idle-timeout-secs=180
> graylist-dir=/var/qmail/control/gr/graylist
> graylist-min-secs=300
> graylist-max-secs=1814400
> no-graylist-dir=/var/qmail/control/gr/no_graylist
> sender-blacklist-file=/var/qmail/control/gr/blacklist_senders
> recipient-blacklist-file=/var/qmail/control/gr/blacklist_recipients
> recipient-whitelist-file=/var/qmail/control/gr/whitelist_recipients
> ip-in-rdns-keyword-file=/var/qmail/control/gr/blacklist_keywords
> ip-blacklist-file=/var/qmail/control/gr/blacklist_ip
> rdns-blacklist-dir=/var/qmail/control/gr/blacklist_rdns.d
> reject-empty-rdns
> reject-unresolvable-rdns
> reject-ip-in-cc-rdns
> rdns-whitelist-file=/var/qmail/control/gr/whitelist_rdns
> ip-whitelist-file=/var/qmail/control/gr/whitelist_ip
> greeting-delay-secs=5
> check-dnsrbl=zombie.dnsbl.sorbs.net
> check-dnsrbl=dul.dnsbl.sorbs.net
> check-dnsrbl=bogons.cymru.com
> reject-missing-sender-mx
> tls-certificate-file=/var/qmail/control/servercert.pem
> 
> Log for time of hang:
> 
> maillog -
> 
> Jan 25 18:05:38 localhost spamdyke[16496]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 87.237.64.15 origin_rdns: 15-64.ggs.hns.net auth: (unknown)
> Jan 25 18:05:54 localhost spamdyke[16516]: ALLOWED from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 89.253.195.242 origin_rdns: hoster.1c.ru auth: (unknown)
> Jan 25 18:05:56 localhost spamdyke[16488]: DENIED_BLACKLIST_NAME from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 125.26.38.60 origin_rdns: 125-26-38-60.adsl.totbb.net auth: (unknown)
> Jan 25 18:06:09 localhost spamdyke[16470]: TIMEOUT from: [EMAIL PROTECTED] to: (unknown) origin_ip: 86.4.1.52 origin_rdns: cpc3-runc1-0-0-cust307.bagu.cable.ntl.com auth: (unknown) reason: DENIED_BLACKLIST_NAME
> Jan 25 18:06:14 localhost spamdyke[16472]: TIMEOUT from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 71.191.159.74 origin_rdns: pool-71-191-159-74.washdc.fios.verizon.net auth: (unknown) reason: (unknown)
> Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
> Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
> Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
> Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] rlab.ru origin_ip: 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
> Jan 25 18:06:44 localhost spamdyke[16559]: ERROR: unable to write 47 bytes to file descriptor 1: Connection reset by peer
> Jan 25 18:06:52 localhost spamdyke[16558]: DENIED_RDNS_RESOLVE from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 79.134.0.9 origin_rdns: pan2loc-ttk.mgn.ru auth: (unknown)
> 
>    Suspicious string is "Jan 25 18:06:14 localhost spamdyke[16472]:"
> 
> In the syslog I see the same strings + vpopmail imaps logins.
> There are no errors at this log level.
> 
> OK, I changed log-level to 5 and killed the currently resident process -
> immediately I have another! And there aren't any messages in the logs...
> 
> mail root]# ps aux | grep spamdyke
> vpopmail 17530  0.0  0.0  1584  492 ?  S 13:35 0:00
> /usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru
> -x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0
> smtp /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
> --smtp-auth-command /usr/local/vpopmail/bin/vchkpw /bin/true 
> /var/qmail/bin/qmail
> root    17614  0.0  0.0  3688  668 pts/3  S 13:39  0:00 grep spamdyke
> 
> What more can I say?
> There aren't any hung processes that eat process time, but who can
> guarantee that all will be so fine in the future???
> 
> 
> On Fri, 25 Jan 2008 17:56:48 -0600
> Sam Clippinger <[EMAIL PROTECTED]> wrote:
> 
>> I'm not sure I understand the problem or the strace output.  You're 
>> seeing a single spamdyke process remain running and never exit?  I
>> need more information before I can help.  Are you using the latest
>> version of spamdyke?  How much CPU is it using?  Are you seeing any
>> errors in your log files?  Can you send a full log of a message that
>> causes this behavior?  Can you send your spamdyke configuration file?
>>
>> -- Sam Clippinger
>>
>> N.Novozhilov wrote:
>>> Since yesterday I have discovered very strange behavior of spamdyke; all
>>> the time before, all was good:
>>>
>>> The first running copy stays resident and listens on the network. Short log:
>>>
>>> host# strace -p 12787 -e trace=network
>>> Process 12787 attached - interrupt to quit
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>> accept(3, {sa_family=AF_INET, sin_port=htons(4430), sin_addr=inet_addr("88.229.222.135")}, [16]) = 0
>>> accept(3, {sa_family=AF_INET, sin_port=htons(3953), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
>>>
>>> accept(3, {sa_family=AF_INET, sin_port=htons(2396), sin_addr=inet_addr("189.0.199.23")}, [16]) = 0
>>> accept(3, {sa_family=AF_INET, sin_port=htons(13776), sin_addr=inet_addr("122.164.34.160")}, [16]) = 0
>>>
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, {sa_family=AF_INET, sin_port=htons(58206), sin_addr=inet_addr("123.248.102.135")}, [16]) = 0
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, {sa_family=AF_INET, sin_port=htons(2693), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, {sa_family=AF_INET, sin_port=htons(4269), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
>>> accept(3, {sa_family=AF_INET, sin_port=htons(2788), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, {sa_family=AF_INET, sin_port=htons(2852), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
>>> accept(3, {sa_family=AF_INET, sin_port=htons(4547), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>>
>>> accept(3, 0xbfffc050, [16])             = ? ERESTARTSYS (To be restarted)
>>> --- SIGCHLD (Child exited) @ 0 (0) ---
>>> accept(3, {sa_family=AF_INET, sin_port=htons(2894), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
>>> accept(3, {sa_family=AF_INET, sin_port=htons(1268), sin_addr=inet_addr("200.88.97.100")}, [16]) = 0
>>> accept(3, {sa_family=AF_INET, sin_port=htons(1269), sin_addr=inet_addr("200.88.97.100")}, [16]) = 0
>>>
>>> and so on...
>>>
>>> What is it - some bug in the configuration of qmail (I didn't change
>>> anything in the working spamdyke conf) or a new hacker attack?
>>>
>>> P.S. I'm sorry about the previous mail - I didn't wait for the full stop of
>>> all smtp processes.
>>>
>>>
>>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> Regards
>>> Nicholas A. Novozhilov, NAN6-RIPE
>>>
>>>  NTR Lab
>>>  System administrator
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Regards
> Nicholas A. Novozhilov, NAN6-RIPE
> 
>  NTR Lab
>  System administrator
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
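
The distinction drawn in the reply at the top of this thread, as an added example that is not part of the original messages: `ps aux | grep spamdyke` also matches the tcpserver listener because the spamdyke path appears in its arguments, so this sketch selects processes by executable name instead. The function names are hypothetical, and the 16472 child line in the sample is constructed; the tcpserver line is shortened from the ps output quoted above.

```shell
#!/bin/sh
# Input format is what `ps -eo pid=,args=` prints: PID, then the command line.

# procs_by_exe NAME: read "PID ARGS..." lines on stdin and print the PIDs
# whose executable (first word of the command line, directory stripped)
# is exactly NAME.
procs_by_exe() {
    awk -v want="$1" '{
        exe = $2
        sub(/^.*\//, "", exe)      # /var/qmail/bin/spamdyke -> spamdyke
        if (exe == want) print $1
    }'
}

# procs_by_substring NAME: what `ps ... | grep NAME` effectively does,
# matching NAME anywhere in the line, arguments included.
procs_by_substring() {
    awk -v want="$1" 'index($0, want) { print $1 }'
}

# Constructed sample: the listener from the thread (shortened), one
# hypothetical spamdyke child serving a connection, and the grep itself.
sample_ps() {
cat <<'EOF'
16541 /usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru -x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0 smtp /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
16472 /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
16234 grep spamdyke
EOF
}

# Substring match reports all three PIDs; the exact match reports only
# the real spamdyke child.
sample_ps | procs_by_substring spamdyke
sample_ps | procs_by_exe spamdyke

# On a live host: ps -eo pid=,args= | procs_by_exe spamdyke
```
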
