Good morning everybody,

My name is Francesco, from ThyssenKrupp.

I'm mailing you for some suggestions about a problem which I find in my
antispam system, based on spamassassin.

My system has the following characteristics:

- A two-node based cluster, active-active, one node for the incoming
  email and the other for the outgoing email. If a node crashes, the
  other brings the service on its shoulders.

- Each node has 4GB RAM and two processors

- O.S.: Fedora core 3

- Mail server: qmail 1.0.3

- Antivirus: clamav 0.87.1

- Antispam: spamassassin 3.0.4

- Cluster controller: heartbeat

- Interface: qmail-scanner-queue.pl

Starting from the 15th of July, I find, sometimes, in the log file of
qmail-scanner-queue.pl the following alert instead of normal score: SA:
finished scan in 600.010015 secs - hits=?/?.

I have already searched on the official site of spamassassin and it
seems to be generated by some kind of trouble using the web scansion. I
really used pyzor and razor2 scansion, so I took them out from local.cf.
This action caused the decrease of average processing time from 15
seconds to 3.5 seconds for each treated email. But I still have some
kind of web search because the system is configured to use RBL search
too, and I can't take it out. The time has been improved but the problem
stays!

I have to write and to upgrade a local configuration file, named
local_rules.cf, which has reached the dimension of 250KB; it is very
useful to stop a lot of SPAM which is not stopped by the other rules.
The problem started to appear after one of the upgrades I usually have to
do, which wasn't so dramatic to justify this behaviour, I think.

Looking at my MRTG graphics I have noticed that the problem appears when
the levels of system load and cpu usage are higher than usual but not
the level of messages, which seems to be non influential.

Someone told me that starting from middle of July a lot of public
servers have been subject to attacks by crackers, and the attacks are
still running.

I really think that the problem is caused by the dimensions of the local
configuration file, but every day I receive more than 15000 emails and
the problem appears for no more than 50-60 emails! 

If you know the source of the problem or how to intervene to solve it I
will be very grateful for your help.

Thank you very much anyway.

Best Regards

Francesco Vincenti
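
Added example, not part of the original message: a small log summarizer that separates normally scored scans from the "hits=?/?" entries quoted above and buckets the unscored ones by hour, so they can be lined up against load graphs. Only the "SA: finished scan in ... secs - hits=.../..." text comes from the post; the timestamp prefix, the sample lines and the hour_key helper are assumptions.

```python
import re
from collections import Counter

# Only the part of the line quoted in the post is matched; any prefix is ignored.
SA_LINE = re.compile(
    r"SA: finished scan in (?P<secs>\d+(?:\.\d+)?) secs - hits=(?P<hits>[^/\s]+)/\S+"
)

# Constructed sample lines. The "date hour:min:sec:pid:" prefix is an assumed layout.
SAMPLE_LOG = """\
17/07/2006 09:12:01:4121: SA: finished scan in 3.412000 secs - hits=1.2/5.0
17/07/2006 09:12:07:4130: SA: finished scan in 600.010015 secs - hits=?/?
17/07/2006 09:12:09:4133: SA: finished scan in 2.950000 secs - hits=7.9/5.0
17/07/2006 10:03:44:5002: SA: finished scan in 600.004100 secs - hits=?/?
17/07/2006 10:04:02:5010: SA: finished scan in 4.100000 secs - hits=0.0/5.0
"""


def summarize(lines, hour_key=lambda line: line[:13]):
    """Split scans into scored and unscored (hits=?/?); bucket the latter by hour.

    hour_key is a hypothetical helper: it must return the date+hour part of a
    line for whatever timestamp prefix the real log uses.
    """
    scored, unscored, by_hour = [], [], Counter()
    for line in lines:
        m = SA_LINE.search(line)
        if m is None:
            continue  # not a SpamAssassin timing line
        secs = float(m.group("secs"))
        if m.group("hits") == "?":
            unscored.append(secs)
            by_hour[hour_key(line)] += 1
        else:
            scored.append(secs)
    total = len(scored) + len(unscored)
    return {
        "total": total,
        "unscored": len(unscored),
        "unscored_rate": len(unscored) / total if total else 0.0,
        "mean_scored_secs": sum(scored) / len(scored) if scored else 0.0,
        "max_unscored_secs": max(unscored, default=0.0),
        "unscored_by_hour": dict(by_hour),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```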
