On Wed May 19 2004 12:46 pm, root linux wrote:
hmm.. if it is any consolation, and i dont know if anyone else experienced
this, but our incoming attempted mail volume increased at least 100% or more
this past week. it is starting to level back off a bit now though. to be
honest. i personally think that is not enough ram to properly run a fully set
up qmail system that is used by the public. from my personal experience with
it, i would not attempt to run a public server in less than 640mb ram.
private server could probably get away with it at 256. hmm maybe a definition
of what i mean is wise.. to me a public server means run at an isp or
similar handling a few thousand 'home' domains. private would mean 1 or 2
domains in an office or home environment.
the machine has enough processor power. more than enough. if you watch the
processor usage you will see it hardly rises due to its speed in handling
what little it has to.
what may be interesting too is to watch your smtp log and see how many smtp
threads are running average and what your total allowed is. if they are
always building up to the max, your rbl may be taking too long. we sometimes
see that.. we run rblsmtpd with spamcop, spamhaus and ordb. sometimes when
they start gumming up the works, one of them may be timing out etc, we just
eliminate that one for a day or so.
> This is an Intel P3 1GHz with 256MB of RAM
>
> But it performed ok since this week...bad things
> happened, :(
>
> Regards,
> rootlinux
>
> --- Chuck <[EMAIL PROTECTED]> wrote:
> > On Wed May 19 2004 11:54 am, root linux wrote:
> > hmm. odd. i am going to top-answer this one due to
> > its length. tail the queue
> > log and see if you can manually notice the delay.
> > according to the av scanner
> > it only took .5 secs to complete its scan yet the
> > entire thing took 11
> > seconds? very odd. the most i have ever seen our
> > system take was about 2
> > seconds when it had to unzip an 18mb file attachment
> > and scan the contents.
> > the internal known virus comparisons and unwanted
> > extension comparisons are
> > so fast they cannot be a contributing factor.
> >
> > by any chance is this a slower machine? that can
> > have some effect on it (ours
> > is only 700-mhz but it is more than sufficient).
> > also how much ram do you
> > have installed? if you can please paste a complete
> > free report about this.
> > running out of ram can also cause this behavior
> > (ours is 1gb.. we topped ram
> > quite a bit when we had 512mb). does anything else
> > live on this machine or is
> > it dedicated to qmail?
> >
> >
> > Chuck
> >
> > > Here is the mail message header: -
> > >
> > > Return-Path: <[EMAIL PROTECTED]>
> > > Delivered-To: [EMAIL PROTECTED]
> > > Received: (qmail 15388 invoked by uid 504); 19 May
> > > 2004 15:34:13 -0000
> > > Received: from [EMAIL PROTECTED] by
> >
> > mail.example.com
> >
> > > by uid 501 with qmail-scanner-1.16 (ehost Clear:.
> > > Processed in 11.096361 secs); 19 May 2004 15:34:13
> > > -0000
> > > Received: from unknown (HELO mail.yahoo.com)
> >
> > (1.1.1.1)
> >
> > > by 0 with SMTP; 19 May 2004 15:34:02 -0000
> > > Received: from mail.yahoo.com (intermail
> >
> > [127.0.0.1])
> >
> > > by mail.yahoo.com (8.12.8/8.12.8) with ESMTP id
> > > i4JFUssu019078 for <[EMAIL PROTECTED]>; Wed,
> >
> > 19
> >
> > > May 2004 23:30:54 +0800
> > > From: "rootlinux" <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED] Subject: test - 11:41pm
> > > Date: Wed, 19 May 2004 23:30:54 +0800
> > > Message-Id: <[EMAIL PROTECTED]>
> > > Mime-Version: 1.0 Content-Type:
> > >
> > >
> > > Here is the qmail-queue.log: -
> > >
> > > 19/05/2004 23:34:02:15383: +++ starting debugging
> >
> > for
> >
> > > process 15383 by uid=501 at 19/05/2004 23:34:02
> > > 19/05/2004 23:34:02:15383: setting UID to EUID so
> > > subprocesses can access files generated by this
> >
> > script
> >
> > > 19/05/2004 23:34:02:15383: program name is
> > > qmail-scanner-queue.pl, version 1.16
> > > 19/05/2004 23:34:02:15383: incoming SMTP
> >
> > connection
> >
> > > from via smtp from 1.1.1.1
> > > 19/05/2004 23:34:02:15383: w_c: mkdir
>
> /var/spool/qmailscan/mail.example.com108498084243115383
>
> > > 19/05/2004 23:34:02:15383: w_c: start dumping
> >
> > incoming
> >
> > > msg into
>
> /var/spool/qmailscan/working/tmp/mail.example.com108498084243115383
>
> > > [1084980842.13506]
> > > 19/05/2004 23:34:02:15383: w_c: rename new msg
> >
> > from
>
> /var/spool/qmailscan/working/tmp/mail.example.com108498084243115383
>
> > > to
>
> /var/spool/qmailscan/working/new/mail.example.com108498084243115383
>
> > > [1084980852.63514]
> > > 19/05/2004 23:34:02:15383: d_m: starting
> > > /usr/local/bin/reformime
>
> -x/var/spool/qmailscan/mail.example.com108498084243115383/
>
>
> </var/spool/qmailscan/working/new/mail.example.com108498084243115383
>
> > > [1084980852.63558]
> > > 19/05/2004 23:34:02:15383: d_m: finished
> > > /usr/local/bin/reformime
>
> -x/var/spool/qmailscan/mail.example.com108498084243115383/
>
> > > [1084980852.69235]
> > > 19/05/2004 23:34:02:15383: d_m: Manually unpack
> >
> > any
> >
> > > zip files as some virus scanners don't do zip
> >
> > under
> >
> > > Unix!
> > > 19/05/2004 23:34:02:15383: d_m: unpacking message
> >
> > took
> >
> > > 0.057176 seconds
> > > 19/05/2004 23:34:02:15383: unsetting QMAILQUEUE
> >
> > env
> >
> > > var
> > > 19/05/2004 23:34:02:15383: g_e_h: return-path is
> > > "[EMAIL PROTECTED]", recips is
> > > "[EMAIL PROTECTED]"
> > > 19/05/2004 23:34:02:15383: from="rootlinux"
> > > <[EMAIL PROTECTED]>,subj=test - 11:41pm,
>
> x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
>
> > > via smtp from 1.1.1.1
> > > 19/05/2004 23:34:02:15383: ini_sc: start scanning
> > > 19/05/2004 23:34:02:15383: p_s: starting scan of
> > > directory
>
> "/var/spool/qmailscan/mail.example.com108498084243115383"...
>
> > > 19/05/2004 23:34:02:15383: p_s: '81:ILOVEYOU' =
> > > 'Virus-subject' = 'Love Letter Virus/Trojan'
> > > 19/05/2004 23:34:02:15383: p_s: type is a header!
> > > 19/05/2004 23:34:02:15383: p_s: checking for
> >
> > objects
> >
> > > containing subject: ILOVEYOU
> > > 19/05/2004 23:34:02:15383: p_s:
> >
> > '82:message/partial'
> >
> > > = 'Virus-content-type' = 'Message/partial MIME
> > > attachments blocked by policy'
> > > 19/05/2004 23:34:02:15383: p_s: type is a header!
> > > 19/05/2004 23:34:02:15383: p_s: checking for
> >
> > objects
> >
> > > containing content-type: message/partial
> > > 19/05/2004 23:34:02:15383: p_s: '85:.{100,}' =
> > > 'Virus-date' = 'MIME Header Buffer Overflow'
> > > 19/05/2004 23:34:02:15383: p_s: type is a header!
> > > 19/05/2004 23:34:02:15383: p_s: checking for
> >
> > objects
> >
> > > containing date: .{100,}
> > > 19/05/2004 23:34:02:15383: p_s: '86:.{100,}' =
> > > 'Virus-mime-version' = 'MIME Header Buffer
> >
> > Overflow '
> >
> > > 19/05/2004 23:34:02:15383: p_s: type is a header!
> > > 19/05/2004 23:34:02:15383: p_s: checking for
> >
> > objects
> >
> > > containing mime-version: .{100,}
> > > 19/05/2004 23:34:02:15383: p_s: '87:.{100,}' =
> > > 'Virus-resent-date' = 'MIME Header Buffer
> >
> > Overflow'
> >
> > > 19/05/2004 23:34:02:15383: p_s: type is a header!
> > > 19/05/2004 23:34:02:15383: p_s: checking for
> >
> > objects
> >
> > > containing resent-date: .{100,}
> > > 19/05/2004 23:34:02:15383: p_s:
>
> '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>
> >.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> >iv
> >
> >re.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JG
> >QZ
> >
> >[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkaw
> >og
> >
> > >@krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' =
> >
> > 'BadTrans Trojan exploit!'
> >
> > > 19/05/2004 23:34:02:15383: p_s: type is a header!
> > > 19/05/2004 23:34:02:15383: p_s: checking for
> >
> > objects
> >
> > > containing to:
>
> [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
>
> >|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> >|.c
> >
> >om|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZCD
> >@e
> >
> >xcite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
> >ro
> >
> > >vatka.net|[EMAIL PROTECTED] 19/05/2004
> >
> > 23:34:02:15383: p_s: 'eicar.com' =
> >
> > > '69' =
> > > 'EICAR Test Virus'
> > > 19/05/2004 23:34:02:15383: p_s: type is a size!
> > > 19/05/2004 23:34:02:15383: p_s: 'happy99.exe' =
> > > '10000' = 'Happy99 Trojan'
> > > 19/05/2004 23:34:02:15383: p_s: type is a size!
> > > 19/05/2004 23:34:02:15383: p_s:
> >
> > 'zipped_files.exe' =
> >
> > > '120495' = 'W32/ExploreZip.worm.pak virus'
> > > 19/05/2004 23:34:02:15383: p_s: type is a size!
> > > 19/05/2004 23:34:02:15383: p_s: skipping
> > > auto-generated file
> > > 1084980852.15385-0.mail.example.com
> > > 19/05/2004 23:34:02:15383: p_s: checking
> >
> > WMSysPr9.prx
> >
> > > against perlscanner database...
> > > 19/05/2004 23:34:02:15383: p_s: file WMSysPr9.prx
> >
> > is
> >
> > > lowercased to wmsyspr9.prx and has extension .prx
> > > 19/05/2004 23:34:02:15383: p_s: compare
> >
> > wmsyspr9.prx
> >
> > > against perlscanner database
> > > 19/05/2004 23:34:02:15383: p_s: finished scan of
> >
> > dir
>
> "/var/spool/qmailscan/mail.example.com108498084243115383"
>
> === message truncated ===
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! - Internet access at a great low price.
> http://promo.yahoo.com/sbc/
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: SourceForge.net Broadband
> Sign-up now for SourceForge Broadband and get the fastest
> 6.0/768 connection for only $19.95/mo for the first 3 months!
> http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
> _______________________________________________
> Qmail-scanner-general mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
--
Chuck
"...and the hordes of M$*ft users descended upon me in their anger,
and asked 'Why do you not get the viruses or the BlueScreensOfDeath
or insecure system troubles and slowness or pay through the nose
for an OS as *we* do?!!', and I answered...'I use Linux'. "
The Book of John, chapter 1, page 1, and end of book
-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
