Thanks for opening my eyes! I was groggy last weekend with my other
servers... :)
On Sat, 26 Jan 2008 13:25:53 -0600
Sam Clippinger <[EMAIL PROTECTED]> wrote:
> The process you're seeing is not spamdyke. It is tcpserver -- the
> daemon that listens for incoming SMTP connections. It always stays
> running because otherwise your mail server would not accept mail from
> the internet.
>
> This is normal.
>
> -- Sam Clippinger
>
> N.Novozhilov wrote:
> > OK, let's go through it all step by step...
> >
> > 1. Begin
> > My server has netqmail-1.05 and spamdyke-3.1.2 installed and has
> > worked fine for a long time. I tried to send mail on Thursday evening
> > and got the answer "Please talk faster...". I checked with top and
> > saw that the server had three spamdyke processes taking about 100%
> > of CPU time. I killed them and sent my mail. Two hours later I saw
> > another hung spamdyke. When I checked all spamdyke processes, I saw
> > one very old process, some working ones and one hung. I killed the
> > old and hung ones and upgraded spamdyke to 3.1.5.
> > 2. With this version I have the same behavior: the first spamdyke
> > called stays resident, and as a result I have many messages in the
> > daily report about no users for registered users (I think so).
> > 3. Logs and configs:
> >
> > mail root]# ps aux | grep spamdyke
> > vpopmail 16541 0.0 0.0 1584 492 ? S Jan25 0:02
> > /usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru
> > -x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0 smtp
> > /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
> > --smtp-auth-command /usr/local/vpopmail/bin/vchkpw /bin/true
> > /var/qmail/bin/qmail
> > root 16234 0.0 0.0 3696 668 pts/3 S 12:54 0:00 grep spamdyke
> >
> > --- The current date is Jan 26 and the server doesn't have much
> > incoming mail -- Time of call for this process: 18:06
> > The ps command doesn't show the whole command line. The real calling
> > script is:
> >
> > exec /usr/local/sbin/softlimit -m 46428800 \
> > /usr/local/bin/tcpserver -v -R -l "$LOCAL" \
> > -x /etc/tcp.rules/smtp.cdb -c "$MAXSMTPD" -n 40 -i 20 \
> > -u "$VPOPMAILUID" -g "$VPOPMAILGID" 0 smtp \
> > /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf \
> > --smtp-auth-command "/usr/local/vpopmail/bin/vchkpw /bin/true" \
> > /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /bin/true \
> > 2>&1
> >
> > spamdyke.conf:
> >
> > log-level=3
> > local-domains-file=/var/qmail/control/rcpthosts
> > max-recipients=5
> > idle-timeout-secs=180
> > graylist-dir=/var/qmail/control/gr/graylist
> > graylist-min-secs=300
> > graylist-max-secs=1814400
> > no-graylist-dir=/var/qmail/control/gr/no_graylist
> > sender-blacklist-file=/var/qmail/control/gr/blacklist_senders
> > recipient-blacklist-file=/var/qmail/control/gr/blacklist_recipients
> > recipient-whitelist-file=/var/qmail/control/gr/whitelist_recipients
> > ip-in-rdns-keyword-file=/var/qmail/control/gr/blacklist_keywords
> > ip-blacklist-file=/var/qmail/control/gr/blacklist_ip
> > rdns-blacklist-dir=/var/qmail/control/gr/blacklist_rdns.d
> > reject-empty-rdns
> > reject-unresolvable-rdns
> > reject-ip-in-cc-rdns
> > rdns-whitelist-file=/var/qmail/control/gr/whitelist_rdns
> > ip-whitelist-file=/var/qmail/control/gr/whitelist_ip
> > greeting-delay-secs=5
> > check-dnsrbl=zombie.dnsbl.sorbs.net
> > check-dnsrbl=dul.dnsbl.sorbs.net
> > check-dnsrbl=bogons.cymru.com
> > reject-missing-sender-mx
> > tls-certificate-file=/var/qmail/control/servercert.pem
> >
> > Log for time of hang:
> >
> > maillog -
> >
> > Jan 25 18:05:38 localhost spamdyke[16496]: ALLOWED from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
> > 87.237.64.15 origin_rdns: 15-64.ggs.hns.net auth: (unknown)
> > Jan 25 18:05:54 localhost spamdyke[16516]: ALLOWED from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
> > 89.253.195.242 origin_rdns: hoster.1c.ru auth: (unknown)
> > Jan 25 18:05:56 localhost spamdyke[16488]: DENIED_BLACKLIST_NAME
> > from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
> > 125.26.38.60 origin_rdns: 125-26-38-60.adsl.totbb.net auth:
> > (unknown)
> > Jan 25 18:06:09 localhost spamdyke[16470]: TIMEOUT from:
> > [EMAIL PROTECTED] to: (unknown) origin_ip: 86.4.1.52 origin_rdns:
> > cpc3-runc1-0-0-cust307.bagu.cable.ntl.com auth: (unknown) reason:
> > DENIED_BLACKLIST_NAME
> > Jan 25 18:06:14 localhost spamdyke[16472]: TIMEOUT from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 71.191.159.74
> > origin_rdns: pool-71-191-159-74.washdc.fios.verizon.net auth:
> > (unknown) reason: (unknown)
> > Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102
> > origin_rdns: (unknown) auth: (unknown)
> > Jan 25 18:06:25 localhost spamdyke[16538]: DENIED_RDNS_MISSING from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102
> > origin_rdns: (unknown) auth: (unknown)
> > Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 216.191.135.102
> > origin_rdns: (unknown) auth: (unknown)
> > Jan 25 18:06:43 localhost spamdyke[16554]: DENIED_RDNS_MISSING from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] rlab.ru origin_ip:
> > 216.191.135.102 origin_rdns: (unknown) auth: (unknown)
> > Jan 25 18:06:44 localhost spamdyke[16559]: ERROR: unable to write 47
> > bytes to file descriptor 1: Connection reset by peer
> > Jan 25 18:06:52 localhost spamdyke[16558]: DENIED_RDNS_RESOLVE from:
> > [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip: 79.134.0.9
> > origin_rdns: pan2loc-ttk.mgn.ru auth: (unknown)
> >
> > The suspicious line is "Jan 25 18:06:14 localhost spamdyke[16472]:"
> >
> > In syslog I see the same lines plus vpopmail imaps logins.
> > There are no errors at this log level.
> >
> > OK, I changed log-level to 5 and killed the currently resident
> > process - immediately I had another! And there aren't any messages
> > in the logs...
> >
> > mail root]# ps aux | grep spamdyke
> > vpopmail 17530 0.0 0.0 1584 492 ? S 13:35 0:00
> > /usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru
> > -x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0
> > smtp /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
> > --smtp-auth-command /usr/local/vpopmail/bin/vchkpw /bin/true
> > /var/qmail/bin/qmail
> > root 17614 0.0 0.0 3688 668 pts/3 S 13:39 0:00 grep
> > spamdyke
> >
> > What more can I say?
> > There aren't any hung processes eating process time, but who can
> > guarantee that all will be so fine in the future???
> >
> >
> > On Fri, 25 Jan 2008 17:56:48 -0600
> > Sam Clippinger <[EMAIL PROTECTED]> wrote:
> >
> >> I'm not sure I understand the problem or the strace output.
> >> You're seeing a single spamdyke process remain running and never
> >> exit? I need more information before I can help. Are you using
> >> the latest version of spamdyke? How much CPU is it using? Are
> >> you seeing any errors in your log files? Can you send a full log
> >> of a message that causes this behavior? Can you send your
> >> spamdyke configuration file?
> >>
> >> -- Sam Clippinger
> >>
> >> N.Novozhilov wrote:
> >>> From yesterday I discover very strange behavior of spamdyke; all
> >>> the time before, all was good:
> >>>
> >>> The first running copy stays resident and listens on the network.
> >>> Short log:
> >>>
> >>> host# strace -p 12787 -e trace=network
> >>> Process 12787 attached - interrupt to quit
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(4430), sin_addr=inet_addr("88.229.222.135")}, [16]) = 0
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(3953), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
> >>>
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(2396), sin_addr=inet_addr("189.0.199.23")}, [16]) = 0
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(13776), sin_addr=inet_addr("122.164.34.160")}, [16]) = 0
> >>>
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(58206), sin_addr=inet_addr("123.248.102.135")}, [16]) = 0
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(2693), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(4269), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(2788), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(2852), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(4547), sin_addr=inet_addr("83.166.219.102")}, [16]) = 0
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>>
> >>> accept(3, 0xbfffc050, [16]) = ? ERESTARTSYS (To be restarted)
> >>> --- SIGCHLD (Child exited) @ 0 (0) ---
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(2894), sin_addr=inet_addr("85.104.38.223")}, [16]) = 0
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(1268), sin_addr=inet_addr("200.88.97.100")}, [16]) = 0
> >>> accept(3, {sa_family=AF_INET, sin_port=htons(1269), sin_addr=inet_addr("200.88.97.100")}, [16]) = 0
> >>>
> >>> and so on...
> >>>
> >>> What is it - some bug in the configuration of qmail (I didn't
> >>> change anything in the working spamdyke conf) or a new hacker attack?
> >>>
> >>> P.S. I'm sorry about previous mail - I didn't wait for full stop
> >>> of all smtp processes.
> >>>
> >>>
> >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>> Regards
> >>> Nicholas A. Novozhilov, NAN6-RIPE
> >>>
> >>> NTR Lab
> >>> System administrator
> >>> _______________________________________________
> >>> spamdyke-users mailing list
> >>> [email protected]
> >>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Regards
> > Nicholas A. Novozhilov, NAN6-RIPE
> >
> > NTR Lab
> > System administrator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Regards
Nicholas A. Novozhilov, NAN6-RIPE
NTR Lab
System administrator
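
Added example, not part of the original thread: the `ps aux | grep spamdyke` check quoted above matches tcpserver because spamdyke appears in its argument list, so this sketch classifies processes by executable name instead and flags only real spamdyke children that are old or CPU-bound. The function names, the sample rows (PIDs borrowed from the thread, ages and CPU figures constructed) and the 600 s / 50% thresholds are assumptions of this example.

```shell
#!/bin/sh
# Classify SMTP-path processes by executable name (comm), not by a
# substring of the command line.
# Expected input columns: pid, elapsed seconds, %CPU, comm, args
# (what `ps -eo pid=,etimes=,pcpu=,comm=,args=` prints on procps-ng).

# Usage: classify_smtp_procs MAX_AGE_SECS MAX_CPU_PCT < ps-output
# Both thresholds are assumptions of this example, not spamdyke settings.
classify_smtp_procs() {
    awk -v max_age="$1" -v max_cpu="$2" '
        # tcpserver is the long-lived listener; "spamdyke" is only one of
        # its arguments, so it is reported but never flagged.
        $4 == "tcpserver" { printf "%s LISTENER age=%ss\n", $1, $2; next }
        # Real spamdyke children: one per connection, expected to be short-lived.
        $4 == "spamdyke" {
            state = ($2 + 0 > max_age + 0 || $3 + 0 > max_cpu + 0) ? "FILTER_SUSPECT" : "FILTER_OK"
            printf "%s %s age=%ss cpu=%s%%\n", $1, state, $2, $3
        }
        # Everything else (including the grep itself) is ignored.
    '
}

# Constructed sample input: PIDs taken from the thread, ages and CPU invented.
sample_ps() {
    cat <<'EOF'
16541 67680 0.0 tcpserver /usr/local/bin/tcpserver -v -R -l devnew.ntrlab.ru -x /etc/tcp.rules/smtp.cdb -c 300 -n 40 -i 20 -u 89 -g 89 0 smtp /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
16558 12 0.3 spamdyke /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
16472 9000 99.1 spamdyke /var/qmail/bin/spamdyke -f /var/qmail/control/spamdyke.conf
16234 0 0.0 grep grep spamdyke
EOF
}

sample_ps | classify_smtp_procs 600 50
# On a live host:
#   ps -eo pid=,etimes=,pcpu=,comm=,args= | classify_smtp_procs 600 50
```

All four sample rows contain the string "spamdyke", but only two are spamdyke processes and only one of those is flagged.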