PDA

View Full Version : Help! Spamassassin and clamscan are going crazy!

spuppy
17th September 2007, 04:36
I noticed that my server load was at 11.xx, so I ran top to see what was causing it...

Spamassassin and clamscan are running 5-10 processes, each taking 25-30% CPU!

I did some searching on the forum, and people talked about clamd, clamav, clamassassin.. it is all so confusing to me. I don't think switching is the solution here, there is obviously simply something broken here. I am only running about 10 sites, and they don't get THAT much spam.

Please help, thanks :)

I disabled antivirus on all of the email accounts, so clamscan is no longer causing a problem. However, spamassassin is still there, and even though I stopped the service (spamassassin stop), it is still running several of them, each using 20-30% CPU! I stopped postfix, and it's OK now. But obviously postfix needs to be running ;)
spuppy
17th September 2007, 05:28
Holy ****

I just checked the inboxes of my email accounts.. I think this MIGHT be related.

In each email account, there are about 5000 of these emails:

This is the mail system at host thorzor.hcwnetwork.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<admispconfig@localhost.localdomain.hcwnetwork.com>: mail for
localhost.localdomain.hcwnetwork.com loops back to myself

Included are two attachments:

Delivery report.dat

Reporting-MTA: dns; thorzor.hcwnetwork.com
X-Postfix-Queue-ID: D192E31881D9
X-Postfix-Sender: rfc822; web7_admin@thorzor.hcwnetwork.com
Arrival-Date: Sun, 16 Sep 2007 12:56:58 -0700 (PDT)

Final-Recipient: rfc822; admispconfig@localhost.localdomain.hcwnetwork.com
Original-Recipient: rfc822;admispconfig@localhost.localdomain.hcwnetwo rk.com
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail for localhost.localdomain.hcwnetwork.com loops
back to myself


And one called Mailsize_web7_username.eml:

Received: from thorzor.hcwnetwork.com (localhost.localdomain [127.0.0.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by thorzor.hcwnetwork.com (Postfix) with ESMTP id D192E31881D9
for <admispconfig@localhost.localdomain.hcwnetwork.com>; Sun, 16 Sep 2007 12:56:58 -0700 (PDT)
Received: (from web7_admin@localhost)
by thorzor.hcwnetwork.com (8.13.8/8.13.8/Submit) id l8GJuw36002051
for admispconfig@localhost.localdomain; Sun, 16 Sep 2007 12:56:58 -0700
Date: Sun, 16 Sep 2007 12:56:58 -0700
From: admin <web7_admin@thorzor.hcwnetwork.com>
Message-Id: <200709161956.l8GJuw36002051@thorzor.hcwnetwork.com>
X-Loop: web7_admin@localhost.localdomain
Subject: Mailsize: web7_admin
To: undisclosed-recipients:;

2900
till
17th September 2007, 10:49
Add the line:

localhost.localdomain.hcwnetwork.com

at the end of the file:

/etc/postfix/local-host-names

and restart postfix.

By the way, this has been explained around hundred times here in the forum, so please search the forum first before you post a question :)
spuppy
17th September 2007, 11:25
Trust me, I have done plenty of searches. I did not come across this solution.

Now is there an easy way to clear out all these emails from all the accounts? I have about 10 email accounts, and each has about 9000 copies of this email...

EDIT: There was a file called local-host-names~. I guess it backed itself up. I'm sure this must be related to the same problems I was having with my /etc/group file disappearing.

Thanks!
spuppy
17th September 2007, 11:40
OK so the error of 3000 emails being created every hour has been fixed. However, Spamassassin is still using WAY too many resources.. I believe something is still broken. Any ideas?
spuppy
17th September 2007, 12:02
UPDATE: Actually, the problem is still occuring. Thousands of these emails are being created. Help Please!!!
spuppy
17th September 2007, 17:29
Last update before I go to bed: I moved the line

localhost.localdomain.hcwnetwork.com

to the top of that file, instead of the bottom. That appears to have worked, as spamassassin is no longer running at 100% full time, and it is no longer making thousands upon thousands of duplicate emails.

Not sure how it would make a difference, but there you go :)

If someone can suggest how I can delete all of the emails without having to download them, please let me know!

Thanks :)
catdude
21st September 2007, 21:13
Last update before I go to bed: I moved the line

localhost.localdomain.hcwnetwork.com

to the top of that file, instead of the bottom. That appears to have worked, as spamassassin is no longer running at 100% full time, and it is no longer making thousands upon thousands of duplicate emails.

Not sure how it would make a difference, but there you go :)

If someone can suggest how I can delete all of the emails without having to download them, please let me know!

Thanks :)

Moving it to the top of the file instead of the bottom shouldn't necessarily make a difference in operation. It will, however have one very important effect: the next time you make a change to any customer config with ISPConfig, the local-host-names file will get recreated without that entry in it.

If you look at that file, near the bottom is a line reading:
#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####

Changes you make to the file (that is, lines that you add to the file) below this line will be propagated to the new file when it gets rebuilt. Any manual changes that you make to the file above that line will be lost.

In any case, the "mail loops back" error is generally caused by not having your local host name in the local-host-names file.
catdude
21st September 2007, 21:21
If someone can suggest how I can delete all of the emails without having to download them, please let me know!

Thanks :)

If the 10 mailboxes in question have nothing but the error messages in them, you can just delete the entire contents of the appropriate Maildirs.

Assuming for a moment that all of the mailboxes are within the same domain, you could try something like this to kill off only those messages containing the phrase "loops back":

cd /var/www/www.<the domain name>/user
for file in `find . -exec grep "loops back" {} \; -print`
do
echo Killing off $file
rm $file
done

NOTE: This script is not tested! Use at your own risk! Be sure to test/analyze before running.
spuppy
22nd September 2007, 04:28
Moving it to the top of the file instead of the bottom shouldn't necessarily make a difference in operation. It will, however have one very important effect: the next time you make a change to any customer config with ISPConfig, the local-host-names file will get recreated without that entry in it.

If you look at that file, near the bottom is a line reading:
#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####

Changes you make to the file (that is, lines that you add to the file) below this line will be propagated to the new file when it gets rebuilt. Any manual changes that you make to the file above that line will be lost.

In any case, the "mail loops back" error is generally caused by not having your local host name in the local-host-names file.
When I added it to the bottom line, it did not work... So it appears I don't have a choice in the matter.
till
22nd September 2007, 13:12
It must work when you put it at the bottom. I'am setting up ISPConfig systems daily and it always works for me by putting the line at the end of the file. Maybe you had a typo. Adding it at the beginning of the file is not a solution as catdude pointed out.