check to ensure your SA-Exim checks are conditional on a message size check; at least in 2005, it didn't use the recommended size limits by default for some reason, which meant it allowed spamd to balloon out of control. Maybe that is still the case. see this thread:
http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050221/msg00218.html --j. Dermot Paikkos writes: > On 16 May 2006 at 10:07, Matt Kettler wrote: > > Dermot Paikkos wrote: > > > Hi > > > > > > Spamassassin 3.02 running from SA-Exim (exim 4.5). > > > > > > OPTIONS="--nouser-config --max-children 6 --helper-home- > > > dir=/var/spool/spamassassin/ -s /var/log/spamd.log > > > --username=nobody" > > > > > > I recently went live with the above system and am noticing some very > > > heavy memory usage. Each spamd is using near or over 200MB. > > That's highly unusual.. Did you download any add-on rulesets? In > > particular, did you add sa-blacklist? If so, remove it. > > > I agree - I am no expert - but this seems high. > > ========= top output ======== > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 16099 nobody 18 0 202m 171m 59m R 85.8 13.6 7:30.15 spamd > 16098 nobody 12 0 245m 198m 39m S 11.2 15.8 8:00.58 spamd > 32020 root 18 0 1664 1664 1296 R 2.2 0.1 0:02.05 top > 50 root 12 0 0 0 0 S 0.0 0.0 0:48.54 kjournald > 15818 root 12 0 2696 2216 2176 S 0.0 0.2 0:03.55 sshd > ========================== > > On the matter of more computers; between 06:30 and 15:47 today we > have received 2040 mail and delivered 2407. Today has been > exceptional as there is a backlog of mail from the server upgrade. I > am not sure what sort of bracket that puts us in but I wouldn't say > we're a big site in terms of number emails. What's more we don't have > the budget or resources to build a server farm for mail and I don't > think it's really necessary. I think the problem is either in my > configuration or with my version of SA. > > Autolearn isn't on. I would have thought that would have given me a > performance boost. > > The config does have several blacklists by default. I haven't added > any. For example: > > # the black list. See /usr/share/doc/exim4-config/default_acl for > details. > deny > message = sender envelope address $sender_address is locally > blacklisted here. If you think this is wrong, get in touch with > postmaster > !acl = acl_whitelist_local_deny > senders = ${if exists{CONFDIR/local_sender_blacklist}\ > {CONFDIR/local_sender_blacklist}\ > {}} > > ditto for hosts. I do have a local_hosts_blacklist which has 1118 > lines in. Is this what you mean by remove the sa-blacklist? > > I had SA 3.0 running on a test system and I noticed this behaviour > before. It seemed to go away with V3.1. Problem is there isn't a > version of 3.1 in the stable distro of Debian just yet and I don't > want to use un-tested stuff on a production system. > > Thanx. > Dp. > > > These are some custom rulesets I have installed. > 70_sare_bayes_poison_nxm.cf > 70_sare_evilnum0.cf > 70_sare_evilnum1.cf > 70_sare_evilnum2.cf > 70_sare_header0.cf > 70_sare_header1.cf > 70_sare_header2.cf > 70_sare_header3.cf > 70_sare_html.cf > 70_sare_obfu0.cf > 70_sare_obfu1.cf > 70_sare_oem.cf > 70_sare_random.cf > 70_sare_specific.cf > 70_sare_unsub.cf > 70_sare_uri0.cf > 72_sare_redirect_post3.0.0.cf > 99_FVGT_Tripwire.cf > 99_sare_fraud_post25x.cf > anti_bayes.cf > bogus-virus-warnings.cf
