
Thread: Are we getting hit with massive amount of spam?

  1. #1

    Are we getting hit with massive amount of spam?

    - Message Count last 48 hours 300,000+ (mta_count(msg)). This is usually in the 7,500 range.
    - Message Volume last 48 hours 4,500,000,000 (mta_volume (bytes)).
    - Anti-Spam/Anti-Virus Activity last 48 hours 250,000+. Usually below 10,000 - more like ~2,000.

    All swap gets consumed. Load average 60.00+ - server becomes unresponsive.


    It seems that when I start the postfix it starts feeding the email to amavisd and that's what uses all the resources.
    (Upgraded to 6.0.7_GA_2473.UBUNTU6, but still can't start the system without getting it stuck again.)

    Is there a way to limit the resources amavisd uses?
    Where to look if it's single email address/domain that gets all this email?
    Any tips to get this sorted?

    Thank you.

  2. #2
    phoenix (Zimbra Consultant & Moderator)


    You'll find details in the /var/log/zimbra.log for incoming messages. I assume you're using the Discarding Emails Sent to Invalid Addresses option mentioned in the wiki and some good RBLs? I'd suggest you block port 25 for the time being so you don't continue to receive email. You can also use the postsuper command to completely remove the mail from the queues, but you may lose valid mail using that brute force technique; there's also a script on that page that you may be able to adapt to selectively remove mail.
    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  3. #3

    Quote Originally Posted by phoenix
    Does that work if there's some domains with catch-all account?

  4. #4
    phoenix (Zimbra Consultant & Moderator)


    Quote Originally Posted by wdman
    Does that work if there's some domains with catch-all account?
    No, it doesn't, and a catch-all account is a spammer's dream. Because you have a catch-all account you will get every message sent to the server. I never recommend catch-all accounts (except in limited circumstances) for this very reason - I would recommend you seriously consider getting rid of the catch-all.
    Regards
    Bill

  5. #5

    Quote Originally Posted by phoenix
    You'll find details in the /var/log/zimbra.log for incoming messages.
    Starts today (24th Jun) and /var/log/zimbra.log.0 contains only (20th Jun).


    Quote Originally Posted by phoenix
    I'd suggest you block port 25 for the time being so you don't continue to receive email.
    Did this and zmcontrol start - the server gets jammed again - hmmm.
    Last edited by wdman; 06-24-2010 at 02:09 PM.

  6. #6

    Added a few RBLs, and checked the following two in the web admin.
    [x] Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
    [x] Sender's domain (reject_unknown_sender_domain)


    Changed the max_servers (in amavisd.conf and amavisd.conf.in):
    #$max_servers = 10; # number of pre-forked children (2..15 is common)
    $max_servers = 2; # number of pre-forked children (2..15 is common)

    Changing the max_servers to 2 helped a little. amavisd still uses a lot of resources.
    top ...
    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    18076 zimbra 25 0 2918m 2.8g 3544 R 98 71.3 1:46.15 amavisd
    and
    31827 zimbra 25 0 1085m 1.0g 2588 R 100 25.6 0:37.05 amavisd

    Port 25 is blocked with iptables (except for 127.0.0.1 and the server's IP).
    Mail queues show 2 deferred and 14 Active. Is there an amavis queue somewhere? Or other queues than the ones that the Zimbra web admin shows?

  7. #7
    phoenix (Zimbra Consultant & Moderator)


    Quote Originally Posted by wdman
    Mail queues show 2 deferred and 14 Active. Is there an amavis queue somewhere? Or other queues than the ones that the Zimbra web admin shows?
    No, they're the only queues in the system. Are you going to remove the catch-all or does it serve some specific purpose in your environment?
    Regards
    Bill

  8. #8

    Quote Originally Posted by phoenix
    Are you going to remove the catch-all or does it serve some specific purpose in your environment?
    I'm considering this - yes, it does serve a specific purpose. All of these email addresses are filtered to their folders and only leaked addresses are blocked. Meaning I'm using unique addresses for each web service - if this forum (zimbra.com/forums) were compromised I would update the email on this board and then block the leaked address. So far it has worked great for years.

    I guess I could point this domain with the catch-all to some other email server and then fetch the emails to Zimbra - not sure if the sieve filters would work though (which are really important because of the email-to-specific-folder filtering) - any idea?


    Is there a way to find all addresses for a specific domain that have received email? (This way I guess I could stop using the catch-all and add all of these as aliases.)


    Would removing the catch-all help amavis now that the server doesn't get new email - all the email is in the system/queue?


    Thank you for your help.
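An added example, not from the thread or from Zimbra itself, for the question above about finding which addresses in the catch-all domain actually receive mail: it parses the Postfix `to=<...>` entries that /var/log/zimbra.log carries (the log format is assumed to be standard Postfix) and counts distinct messages per recipient, so the addresses worth keeping as real aliases stand out from the ones only spam hits. The log lines and domain names below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Postfix writes to /var/log/zimbra.log.
# 3F2A5F is logged twice because it is deferred and retried; it must count once.
SAMPLE_LOG = """\
Jun 24 10:15:02 mail postfix/smtp[18090]: 3F2A1B: to=<shop-signup@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.4, status=sent (250 2.0.0 Ok)
Jun 24 10:15:03 mail postfix/smtp[18091]: 3F2A2C: to=<forum-alias@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, status=sent (250 2.0.0 Ok)
Jun 24 10:15:03 mail postfix/smtp[18092]: 3F2A3D: to=<Shop-Signup@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.3, status=sent (250 2.0.0 Ok)
Jun 24 10:15:04 mail postfix/lmtp[18093]: 3F2A4E: to=<bob@example.com>, relay=mail.example.com[10.0.0.5]:7025, delay=0.2, status=sent (250 2.1.5 OK)
Jun 24 10:15:05 mail postfix/smtp[18094]: 3F2A5F: to=<shop-signup@example.org>, relay=none, delay=305, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Jun 24 10:20:05 mail postfix/smtp[18095]: 3F2A5F: to=<shop-signup@example.org>, relay=none, delay=605, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
"""

# Postfix queue ID followed by the recipient address of a delivery attempt.
LINE_RE = re.compile(
    r"postfix/\w+\[\d+\]: ([0-9A-Za-z]+): to=<([^>@]+)@([^>]+)>"
)


def recipients_for_domain(log_text, domain):
    """Return {local_part: number of distinct messages} for recipients in `domain`.

    A message is identified by its Postfix queue ID, so a deferred message that
    is retried (and logged again) is counted only once. Local parts and the
    domain are compared case-insensitively, as mail addresses usually are.
    """
    seen = set()
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, local, rdomain = m.groups()
        if rdomain.lower() != domain.lower():
            continue
        key = (qid, local.lower())
        if key in seen:
            continue
        seen.add(key)
        counts[local.lower()] += 1
    return counts


def top_recipients(log_text, domain, n=10):
    """The n busiest addresses in `domain`, busiest first."""
    return recipients_for_domain(log_text, domain).most_common(n)


if __name__ == "__main__":
    for local, count in top_recipients(SAMPLE_LOG, "example.org"):
        print(f"{count:6d}  {local}@example.org")
```

On a real box, read the file instead of SAMPLE_LOG (for example `open("/var/log/zimbra.log").read()`) and run it for the catch-all domain; addresses with a handful of messages over months are the legitimate per-service aliases, while ones that appear only during the flood are the leaked or guessed ones.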

  9. #9

    Ideal solution for now would be use the "Discarding Emails Sent to Invalid Addresses" and exclude the one domain with catch-all - is this possible?

  10. #10

    Quote Originally Posted by phoenix
    No, they're the only queues in the system.
    Hmmm - if the server doesn't get new email because of the blocked port 25, then where do the queues get new email from?
