On 4/4/2017 9:34 PM, John Hardin wrote:
"grep -v" of what? The logged info: lines (assuming they aren't being
discarded at the moment)?
That does work for identifying hosts, but it won't tell you what's on
the other end of the connection.
I was just looking for other hosts. I didn't realize
On Tue, 4 Apr 2017, Kevin A. McGrail wrote:
On 4/4/2017 9:14 PM, John Hardin wrote:
At the most basic you'd filter for the port spamd is listening on:
Hmm, thinking about my firewall question in context with this issue of how to
use tcpdump. I think we already have this info with this lin
On 4/4/2017 9:14 PM, John Hardin wrote:
At the most basic you'd filter for the port spamd is listening on:
Hmm, thinking about my firewall question in context with this issue of
how to use tcpdump. I think we already have this info with this line:
Apr 2 10:31:26 oss2 spamfilter: Sat Oct 1
It occurs to me that anything grinding through enough mail to generate
that much logging should also be eating a lot of CPU - so much so that
it might even be identified by seeing what is using unexpectedly large
amounts of CPU time.
Running 'top' and watching it for a while to see what patterns
On Wed, 5 Apr 2017, Jim McLachlan wrote:
Hi John,
That sounds like a good move. I don't have a lot of experience using
tcpdump. Could you help prevent me from fumbling around like a wit with
it and let me know what I need to do with it to identify the source of the
spamd traffic?
At
Usually the directories will exist somewhere in /var or /usr, my linux
is rusty, but try this command line in a new terminal window
inotifywait -rme modify,attrib,move,close_write,create,delete,delete_self /dname
change dname to appropriate directory. inotify is part of inotify-tools
on Cento
On 4/4/2017 8:51 PM, Jim McLachlan wrote:
Thanks. I tried them both with the same results, several e-mail
details, then the summary:
61 Kbytes in 8 Requests.
They all look like valid e-mails.
They are alternatives for the same command.
I would expect some entries. 8 sounds about r
Hi KAM,
Thanks. I tried them both with the same results, several e-mail details, then
the summary:
61 Kbytes in 8 Requests.
They all look like valid e-mails.
Kind regards.
Jim.
On 05/04/17 01:46, Kevin A. McGrail wrote:
On 4/4/2017 8:39 PM, Jim McLachlan wrote:
On 4/4/2017 8:45 PM, Jim McLachlan wrote:
I noticed a lot of dovecot processes, mainly dovecot/imap and
dovecot/imap-login. I restarted that, but it only cleared them
temporarily and they're back now.
You should have those if you are running an IMAP server. If you
shutdown dovecot, does t
Hi John,
That sounds like a good move. I don't have a lot of experience using tcpdump.
Could you help prevent me from fumbling around like a wit with it and let me
know what I need to do with it to identify the source of the spamd traffic?
Thanks.
Kind regards.
On 4/4/2017 8:39 PM, Jim McLachlan wrote:
Could you let me know where I should look for the temporary files you
mentioned?
One thing might be postfix queues but I'd expect postfix lines in the
maillogs...
mailq or postqueue -p
Regards,
KAM
Hi KAM,
I noticed a lot of dovecot processes, mainly dovecot/imap and
dovecot/imap-login. I restarted that, but it only cleared them temporarily and
they're back now.
I made a copy of spamfilter.sh to my_spamfilter.sh, then did the chmod -x on
the original. I updated master.cf to refer t
Hi ap-ml,
This sounds interesting. Could you let me know where I should look for the
temporary files you mentioned?
I'm on the edges of my knowledge of e-mail and networking here :-)
Kind regards.
Jim.
On 05/04/17 01:11, ap-ml wrote:
It's almost as though there is
On 4/4/2017 6:42 PM, Jim McLachlan wrote:
https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin
More recently, I found this one:
https://www.exratione.com/2016/05/a-mailserver-on-ubuntu-16-04-postfix-dovecot-mysql/
On Tue, 4 Apr 2017, Kevin A. McGrail wrote:
On 4/4/2017 8:04 PM, John Hardin wrote:
If all else fails, you may want to visit syslog.conf and tell it to ignore
mail.info level messages.
Hmm, normally I agree with you, John but I'd strongly recommend against that.
He's got something hitting
It's almost as though there is a build-up of messages that are being
continually scanned through, I had a similar issue once where due to
incorrect permissions, temp files were not being deleted. Perhaps check
temp & working directories for such a logjam of emails. Have you also
checked for the
Hi John,
I did that a couple of days ago after I ran out of disk space. It's helped
quite a lot, but only in that it's removed a symptom.
-rw-r- 1 syslog adm 457498 Apr 5 00:09 /var/log/syslog
-rw-r- 1 syslog adm 652564 Apr 4 06:33 /var/log/syslog.1
-rw-r- 1 syslog adm
Hi,
I've posted the spamfilter.sh file to http://pasted.co/7b794ccd
I don't see anything in there about verbose logging, but there are
two lines in there with a resemblance to your suggestion:
logger -f $SALOG -p mail.notice -t spamfilter <<<"Spam filter piping to
SpamAssassin: $SPAMA
On 4/4/2017 8:04 PM, John Hardin wrote:
If all else fails, you may want to visit syslog.conf and tell it to
ignore mail.info level messages.
Hmm, normally I agree with you, John but I'd strongly recommend against
that. He's got something hitting spamd approximately 500x more than is
needed
On Wed, 5 Apr 2017, Jim McLachlan wrote:
The text "info: spamd: processing message" appears in that 162,761
times.
If all else fails, you may want to visit syslog.conf and tell it to ignore
mail.info level messages.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
On 4/4/2017 7:58 PM, Jim McLachlan wrote:
I'm not sure which message I'm looking for, but for that same file
of 1,000,000 lines, I used this line to cut out all occurrences of
"postfix" and count them:
So ~300 vs 160K or something bizarre...
Is there anything using that spamfilter.sh t
Hi KAM,
I'm not sure which message I'm looking for, but for that same file of 1,000,000
lines, I used this line to cut out all occurrences of "postfix" and count them:
$ grep postfix /tmp/mail_sample.log | cut -d " " -f 6- | cut -d "[" -f 1 | sort | uniq -c
7 postfix/cleanup
3 p
On 4/4/2017 7:35 PM, Jim McLachlan wrote:
The text "info: spamd: processing message" appears in that 162,761
times.
Neat... And how many times do you have a line indicating a new message
from postfix in the same period?
Firewall off port 783 on the box. It's a longshot but perhaps somet
Hi KAM,
Well, I have an application that sends out around 400 to 500 e-mails per day,
but other than that, there are about a dozen or so personal e-mail accounts.
That should be < 20,000 per month.
I just hived off the last 1,000,000 lines of the current mail.log file for a
quick c
On Tue, 4 Apr 2017, j...@lexoncom.com wrote:
{nothing}
This is a self-service list. To unsubscribe, send an email to
"users-unsubscr...@spamassassin.apache.org" from the address you wish to
unsubscribe.
This is noted in the headers of *every* list message.
--
John Hardin KA7OHZ
On 4/4/2017 7:06 PM, Jim McLachlan wrote:
It looks like my mail.* logs are rotated weekly. I'll change that
so they're rotated daily. That will certainly help, but I'm sure it
would be good for the disk and CPU if I can reduce the amount of data
being logged.
Well, how many emails are y
> On Apr 4, 2017, at 6:06 PM, Jim McLachlan wrote:
>
> Sorry, I did a direct reply instead of a reply to the list. I hope this
> corrects that.
>
> Hi KAM,
>
>You're confused Not as much as me. I'm completely baffled
>
>I've posted my master.cf to http://pasted.co/ba783cac just
Sorry, I did a direct reply instead of a reply to the list. I hope this
corrects that.
Hi KAM,
You're confused Not as much as me. I'm completely baffled
I've posted my master.cf to http://pasted.co/ba783cac just in case that
might be useful.
It looks like my mail.* logs are
On 4/4/2017 6:53 PM, Jim McLachlan wrote:
Do you know why the spamfilter entries in the log file have dates
going back to October? Is the normal spamassassin behaviour that
isn't usually logged, or is it doing something unusual?
It seems to check all of them and log each check every t
On 4/4/2017 6:42 PM, Jim McLachlan wrote:
amavis 1680 1 0 2016 ? 00:01:40 /usr/sbin/amavisd-new (master)
amavis 10898 1680 0 17:29 ? 00:00:01 /usr/sbin/amavisd-new (ch7-avail)
amavis 15292 1680 0 22:16 ? 00:00:00 /usr/sbin/amavisd-new (ch1-avail)
postfix 1
Hi KAM,
No, there's nothing in the master.cf that indicates anything to do with logging
verbosely. No occurrences of "-v" and no mention of "log" or logging, etc.
Do you know why the spamfilter entries in the log file have dates going back to
October? Is the normal spamassassin behaviour
Hi Dave,
I used the following instructions to set up the system, but they weren't
followed verbatim because I already had some things in place.
https://www.digitalocean.com/community/tutorials/how-to-configure-a-mail-server-using-postfix-dovecot-mysql-and-spamassassin
More recently,
On 4/4/2017 6:08 PM, Jim McLachlan wrote:
I thought spamfilter was spamassassin.
No, it's not. It's what we would call the glue. It's a content filter
script that is reaching out to a spamassassin daemon called spamd using
a lightweight C program called spamc.
SpamD allows for spamassas
Hi,
I thought spamfilter was spamassassin.
Looking through my config files, the postfix master.cf file contains
the line:
flags=Rq user=spamd argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}
/usr/bin/spamfilter.sh is described in the comments as:
Where did you get the i
Hi Dave,
Thanks for the quick response.
The OS is Ubuntu 16.04.
I thought spamfilter was spamassassin.
Looking through my config files, the postfix master.cf file contains
the line:
flags=Rq user=spamd argv=/usr/bin/spamfilter.sh -oi -f ${sender} ${recipient}
Hi,
My set up consists of Postfix, Postgrey, Spamassassin, Clam-AV,
Amavis-new and Dovecot.
What is "spamfilter"?
Apr 2 10:31:26 oss2 spamfilter: Sun Oct 16 07:24:13 2016 [16208] info:
spamd: connection from ip6-localhost [::1]:53930 to port 783, fd 5
What operating system?
Regards,
Hi,
I have a problem with the huge amount of messages being logged by spamassassin.
I have around 10 active e-mail users on the system, none of whom have any
unusual e-mail usage. This is what I've seen in the last 2 hours:
$ date
Mon 3 Apr 08:00:50 UTC 2017
$ ls -l /var/log/mail.log
-r