Hi everyone,

I'm running spamassassin 3.1.0 as spamd with the following command line options:

    -m 5 --max-conn-per-child=5 -u mail --ident-timeout=30 -s /var/log/spamd.log -D --round-robin

When I receive a certain email (or a few from the same top level domain) it hangs spamassassin as it tries to allocate a boatload of memory (excerpt from top, this is a 512MB machine):

     PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    6076 mail 18 0 876m 452m 660 R 7.3 91.4 0:22.34 spamd

Consistently the last few lines in the debug log before I have to kill it are:

    Tue Dec 13 12:02:29 2005 [6076] dbg: uri: html uri found, http://80.179.153.114/cgi-bin/SPA/[EMAIL PROTECTED]
    Tue Dec 13 12:02:29 2005 [6076] dbg: uri: cleaned html uri, http://80.179.153.114/cgi-bin/SPA/[EMAIL PROTECTED]
    Tue Dec 13 12:02:29 2005 [6076] dbg: uri: html domain, 80.179.153.114

For now, I've hopefully managed to keep my server running by putting the following in my exim.conf:

    deny message = Emails from .il are expressly rejected due to _ mailbombing
         senders = *.il

    deny message = Emails from .il are expressly rejected due to _ mailbombing
         hosts = *.il

The full excerpt of the log file is attached. I'll happily upload the file it refers to somewhere if it helps, the content seems to be an HTML header followed by GIF data. If I extract the GIF data portion it seems to be a valid (displayable) GIF, but I can't guarantee it's not a hacking attempt.

Let me know what further information I can provide or if there's a better way of trapping this.

Cheers,
Andy

--
Andrew Jeffries
NextGen Development Ltd
"Pushing the boundaries of internet interactivity"
Tel : 0870 170 5902
Fax : 0709 223 8820
Web : http://www.nextgendevelopment.co.uk
Email : [EMAIL PROTECTED]

Tue Dec 13 12:00:30 2005 [6073] info: prefork: child states: II
Tue Dec 13 12:00:30 2005 [6133] dbg: prefork: sysread(8) not ready, wait max 300 secs
Tue Dec 13 12:02:28 2005 [6133] dbg: prefork: periodic ping from spamd parent
Tue Dec 13 12:02:28 2005 [6133] dbg: prefork: sysread(8) not ready, wait max 300 secs
Tue Dec 13 12:02:28 2005 [6076] dbg: prefork: periodic ping from spamd parent
Tue Dec 13 12:02:28 2005 [6076] dbg: prefork: sysread(8) not ready, wait max 300 secs
Tue Dec 13 12:02:28 2005 [6073] dbg: prefork: ordered 6076 to accept
Tue Dec 13 12:02:28 2005 [6073] dbg: prefork: sysread(7) not ready, wait max 300 secs
Tue Dec 13 12:02:28 2005 [6076] info: spamd: connection from localhost [127.0.0.1] at port 44765
Tue Dec 13 12:02:28 2005 [6073] dbg: prefork: child 6076: entering state 2
Tue Dec 13 12:02:28 2005 [6073] dbg: prefork: new lowest idle kid: 6133
Tue Dec 13 12:02:28 2005 [6076] dbg: config: read_scoreonly_config: cannot open "//.spamassassin/user_prefs": No such file or directory
Tue Dec 13 12:02:28 2005 [6076] dbg: info: user has changed
Tue Dec 13 12:02:28 2005 [6076] error: mkdir /.spamassassin: Permission denied at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SpamAssassin.pm line 1467
Tue Dec 13 12:02:28 2005 [6076] dbg: config: mkdir /.spamassassin failed: mkdir /.spamassassin: Permission denied at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SpamAssassin.pm line 1467
Tue Dec 13 12:02:28 2005 [6076] dbg: config:
Tue Dec 13 12:02:28 2005 [6076] dbg: bayes: no dbs present, cannot tie DB R/O: /.spamassassin/bayes_toks
Tue Dec 13 12:02:28 2005 [6076] dbg: config: score set 1 chosen.
Tue Dec 13 12:02:28 2005 [6076] info: spamd: checking message <[EMAIL PROTECTED]> for nobody:8
Tue Dec 13 12:02:28 2005 [6076] dbg: dns: name server: 80.68.80.24, family: 2, ipv6: 0
Tue Dec 13 12:02:28 2005 [6076] dbg: bayes: no dbs present, cannot tie DB R/O: /.spamassassin/bayes_toks
Tue Dec 13 12:02:28 2005 [6076] dbg: received-header: parsed as [ ip=80.179.153.114 rdns=80.179.153.114.static.012.net.il helo=imesh.co.il by=server1.nextgendevelopment.co.uk ident= envfrom= intl=0 id=1Em8rQ-0001b0-OV auth= ]
Tue Dec 13 12:02:28 2005 [6076] dbg: dns: looking up A records for 'server1.nextgendevelopment.co.uk'
Tue Dec 13 12:02:28 2005 [6076] dbg: dns: A records for 'server1.nextgendevelopment.co.uk': 80.68.80.217
Tue Dec 13 12:02:28 2005 [6076] dbg: dns: looking up A records for 'server1.nextgendevelopment.co.uk'
Tue Dec 13 12:02:28 2005 [6076] dbg: dns: A records for 'server1.nextgendevelopment.co.uk': 80.68.80.217
Tue Dec 13 12:02:28 2005 [6076] dbg: received-header: 'by' server1.nextgendevelopment.co.uk has public IP 80.68.80.217
Tue Dec 13 12:02:28 2005 [6076] dbg: received-header: relay 80.179.153.114 trusted? no internal? no
Tue Dec 13 12:02:28 2005 [6076] dbg: received-header: parsed as [ ip=127.0.0.1 rdns=counter helo=imesh.co.il by=imesh.co.il ident= envfrom= intl=0 id=jBD3TUeP024718 auth= ]
Tue Dec 13 12:02:28 2005 [6076] dbg: received-header: relay 127.0.0.1 trusted? no internal? no
Tue Dec 13 12:02:28 2005 [6076] dbg: metadata: X-Spam-Relays-Trusted:
Tue Dec 13 12:02:28 2005 [6076] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=80.179.153.114 rdns=80.179.153.114.static.012.net.il helo=imesh.co.il by=server1.nextgendevelopment.co.uk ident= envfrom= intl=0 id=1Em8rQ-0001b0-OV auth= ] [ ip=127.0.0.1 rdns=counter helo=imesh.co.il by=imesh.co.il ident= envfrom= intl=0 id=jBD3TUeP024718 auth= ]
Tue Dec 13 12:02:28 2005 [6076] dbg: message: ---- MIME PARSER START ----
Tue Dec 13 12:02:28 2005 [6076] dbg: message: main message type: text/html
Tue Dec 13 12:02:28 2005 [6076] dbg: message: parsing normal part
Tue Dec 13 12:02:28 2005 [6076] dbg: message: added part, type: text/html
Tue Dec 13 12:02:28 2005 [6076] dbg: message: ---- MIME PARSER END ----
Tue Dec 13 12:02:28 2005 [6076] dbg: message: decoding quoted-printable
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-notfirsthop
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for 114.153.179.80.sbl-xbl.spamhaus.org. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for 114.153.179.80.sa-accredit.habeas.com. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL combined.njabl.org., set njabl-notfirsthop
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for 114.153.179.80.combined.njabl.org. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL combined.njabl.org., set njabl
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for 114.153.179.80.combined-HIB.dnsiplists.completewhois.com. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL list.dsbl.org., set dsbl-notfirsthop
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS TXT query for 114.153.179.80.list.dsbl.org. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL bl.spamcop.net., set spamcop
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS TXT query for 114.153.179.80.bl.spamcop.net. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: _check_rbl_addresses RBL blackhole.securitysage.com., set securitysage
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for imesh.co.il.blackhole.securitysage.com. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS TXT query for 114.153.179.80.sa-trusted.bondedsender.org. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-notfirsthop
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: _check_rbl_addresses RBL rhsbl.ahbl.org., set ahbl
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for imesh.co.il.rhsbl.ahbl.org. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking A and MX for host imesh.co.il
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for imesh.co.il in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS MX query for imesh.co.il in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: _check_rbl_addresses RBL fulldom.rfc-ignorant.org., set rfci_envfrom
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for imesh.co.il.fulldom.rfc-ignorant.org. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-notfirsthop
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for 114.153.179.80.dnsbl.sorbs.net. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: IPs found: full-external: 80.179.153.114, 127.0.0.1 untrusted: 80.179.153.114 originating:
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: only inspecting the following IPs: 80.179.153.114
Tue Dec 13 12:02:29 2005 [6076] dbg: dns: launching DNS A query for 114.153.179.80.iadb.isipp.com. in background
Tue Dec 13 12:02:29 2005 [6076] dbg: uri: html uri found, http://80.179.153.114/cgi-bin/SPA/[EMAIL PROTECTED]
Tue Dec 13 12:02:29 2005 [6076] dbg: uri: cleaned html uri, http://80.179.153.114/cgi-bin/SPA/[EMAIL PROTECTED]
Tue Dec 13 12:02:29 2005 [6076] dbg: uri: html domain, 80.179.153.114

<killall -9 spamd at this point after noticing top output as below>

 PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
6076 mail 18 0 876m 452m 660 R 7.3 91.4 0:22.34 spamd
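
One way to trap the condition described in this post, as an added example that is not part of the original message or of SpamAssassin: scan the `spamd -D` log for a child that logged `spamd: checking message` and has since been silent for longer than a threshold. The sample lines are constructed in the post's log format, and treating any parent-logged state other than 2 as "no longer scanning" is an assumption.

```python
import re
from datetime import datetime, timedelta

# Line shape as in the post's log: "Tue Dec 13 12:02:28 2005 [6076] dbg: ..."
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[(\d+)\] \w+: (.*)$")
CHECKING = re.compile(r"^spamd: checking message (\S+)")
STATE = re.compile(r"^prefork: child (\d+): entering state (-?\d+)")
BUSY = 2  # assumption: state 2 is "busy"; any other state ends the scan

def stalled_children(lines, now, max_quiet=timedelta(seconds=60)):
    """Return {pid: (message_id, last_log_text)} for children that started
    scanning a message and have logged nothing for longer than max_quiet."""
    scanning, last = {}, {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # pasted top output, operator notes, blank lines
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        pid, text = int(m.group(2)), m.group(3)
        state = STATE.match(text)
        if state:
            # Written by the parent about a child, so it is not child activity.
            if int(state.group(2)) != BUSY:
                scanning.pop(int(state.group(1)), None)
            continue
        last[pid] = (ts, text)
        started = CHECKING.match(text)
        if started:
            scanning[pid] = started.group(1)
    return {pid: (msgid, last[pid][1]) for pid, msgid in scanning.items()
            if now - last[pid][0] > max_quiet}

# Constructed sample: child 6076 goes silent mid-scan, child 6133 finishes.
SAMPLE = """\
Tue Dec 13 12:02:28 2005 [6073] dbg: prefork: child 6076: entering state 2
Tue Dec 13 12:02:28 2005 [6076] info: spamd: checking message <msg-a@example.invalid> for nobody:8
Tue Dec 13 12:02:29 2005 [6076] dbg: uri: html domain, 192.0.2.1
Tue Dec 13 12:02:40 2005 [6073] dbg: prefork: child 6133: entering state 2
Tue Dec 13 12:02:40 2005 [6133] info: spamd: checking message <msg-b@example.invalid> for nobody:8
Tue Dec 13 12:02:42 2005 [6133] dbg: uri: html domain, example.invalid
Tue Dec 13 12:02:42 2005 [6073] dbg: prefork: child 6133: entering state 1
""".splitlines()

if __name__ == "__main__":
    for pid, (msgid, text) in stalled_children(SAMPLE, datetime(2005, 12, 13, 12, 4, 0)).items():
        print(f"spamd child {pid} stalled on {msgid}; last log line: {text}")
```

The last log line reported for a stalled child shows which processing stage it reached, and the PID can be matched against `top` output to confirm memory growth before the process is killed.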