spamassassin eat 100% cpu!

[Mr.Yes]

2 or 4 times a day my server is in this situation, here is my top

19:22:59 up 1 day, 6:18, 1 user, load average: 12.75, 12.23, 7.73
217 processes: 200 sleeping, 15 running, 2 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 100.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
Mem: 1027376k av, 1018076k used, 9300k free, 0k shrd, 255540k buff
778444k actv, 145556k in_d, 20704k in_c
Swap: 2096440k av, 108092k used, 1988348k free 318772k cached

PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
19120 popuser 25 0 26036 18M 1668 R 16.5 1.8 1:30 0 spamd
19214 popuser 25 0 26032 18M 1668 R 15.9 1.8 1:27 0 spamd
19222 popuser 25 0 25540 16M 1620 R 15.9 1.6 1:30 0 spamd
19360 popuser 25 0 24956 17M 1808 R 15.9 1.7 1:25 0 spamd
19378 popuser 25 0 24948 17M 1808 R 15.9 1.7 1:22 0 spamd
19414 popuser 25 0 24948 17M 1808 R 15.9 1.7 1:21 0 spamd
10415 apache 16 0 16032 13M 5348 S 3.1 1.3 0:05 0 httpd
21498 root 15 0 1120 1120 768 R 0.3 0.1 0:00 0 top
9596 apache 15 0 16832 11M 5300 S 0.1 1.1 0:03 0 httpd
1 root 15 0 496 468 440 S 0.0 0.0 0:04 0 init
2 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 keventd
3 root 34 19 0 0 0 SWN 0.0 0.0 0:00 0 ksoftirqd/0
6 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 bdflush
4 root 15 0 0 0 0 SW 0.0 0.0 0:01 0 kswapd
5 root 15 0 0 0 0 SW 0.0 0.0 0:18 0 kscand
7 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 kupdated
8 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 mdrecoveryd
16 root 25 0 0 0 0 SW 0.0 0.0 0:00 0 scsi_eh_0
19 root 15 0 0 0 0 SW 0.0 0.0 0:05 0 kjournald
481 root 15 0 0 0 0 SW 0.0 0.0 0:00 0 kjournald
482 root 15 0 0 0 0 DW 0.0 0.0 0:06 0 kjournald




Please help!

 

[admin123]

It's a sham!

And it's a sham!

 

[hardweb]

What version of spamassassin do you use?

 

[Mr.Yes]

Hi Hardweb

i'm on RHEL3 / Plesk 7.5.3 any suggestion?

thanx

 

[voodoochile]

Re: It's a sham!

Originally posted by admin123
And it's a sham!

And you're an idiot.


Generally if Spamassassin is eating up 100% of your CPU, this is an artifact of Disk IO moreso than Spamassassin itself. SA can be VERY disk intensive when processing emails if burdened with many at once, it sounds like one of your accounts/domains is getting flooded with email (legit or not, I do not know), and Spamassassin is killing the box inspecting each e-mail.

My guess is you're running this on a server with IDE/SATA drives and you've got a few high traffic domains. This is one reason as to why people use SCSI or a seperate controller card for their drives, usually that has the effect of offloading the read/writes from the CPU onto the controller card.

As much as I hate to say it, there's probabally not too much you can do right now. During these times of days when your server is getting hammered, do a 'tail -f /usr/local/psa/var/log/maillog' and see exactly what's going on. If it's one domain in question getting flooded, I'd send them somewhere else and save the rest of your box. If it's one particular e-mail address, you may just reject all mail to this address (DO NOT BOUNCE IT, THIS WOULD BE BAD).

Or spend and arm and a leg and changeup your server hardware config a bit.

 

[admin123]

Why, i'll....

Pound you with my idiot fists I will!

 

[Mr.Yes]

Hi,

my box is 3 x scsi 10.000 raid 5, my relay setting is close, and i use MAPS protection (relays.ordb.org;bl.spamcop.net;list.dsbl.org).

Is there any way to kmow what's going on exactly when my problem comes? what mail accounts spamd is processing in that moment? or other usefull infos to fix my problem?

All suggestions are welcome

thanx

 

[voodoochile]

Hrm, if it's SCSI it's most certainly not Disk IO. It may be the maps lookups, although I'm not for sure. I seem to recall somewhere reading about those being somewhat intensive (not sure on this though). You might try disabling them and see what happens.

Do you have any statistics on how much mail you deal with in a day? How many domains you got on this box?

 

[Gorgon@]

SA is very resource intensive; especially with CPU and RAM. If you're low on RAM then your swap maybe getting killed and causing the disks to thrash. So I would first recommend checking out the memory situation.

Another option is to turn off 'network' checks. SA will check the RBL lists, DCC and razor (if configured that way). SA will be less effective but do much less wear and tear on the system.

If you have this option, consider running SA on a it's own server. I'm not sure how that'll mesh in with plesk though. We're not using SA with plesk here.

Hope this helps,
M

 

[Mr.Yes]

Originally posted by Gorgon
SA is very resource intensive; especially with CPU and RAM.

Another option is to turn off 'network' checks.

Hope this helps,
M

Hi i have 1 Gb RAM.
How to disable network check ?

When spamd kill my cpu, i always see that 1 domain is always there, so i check it out this domain and saw that it recieveing the same e.mail for 30/40 times, these mail have hundreds of address in CC and the most strange thing is that all these mail are sent to an unknown user but real domain of my client ( ex: [email protected]) ... maybe is a bounce problem? how can i fix it?


thanx

 

[Gorgon@]

Hi i have 1 Gb RAM

Generally that should be enough unless you're doing hundreds of checks/second.

How to disable network check ?

In your local.cf file add these lines:

use_dcc 0
use_pyzor 0
use_razor2 0
skip_rbl_checks 0

This will turn off the network related checks.

When spamd kill my cpu, i always see that 1 domain is always there, so i check it out this domain and saw that it recieveing the same e.mail for 30/40 times, these mail have hundreds of address in CC and the most strange thing is that all these mail are sent to an unknown user but real domain of my client ( ex: [email protected]) ... maybe is a bounce problem? how can i fix it?

If you're saying that the same message is addressed to many people, it should only get scanned once, not 30-40 times. This may be a problem in your MTA settings. I know very little about qmail so I cannot really help if this is the case.

But if the recipient doesn't exist, the message should be rejected before it even gets to SA. Look at the Mail settings for that domain and make sure 'Reject' is set in the options.

Hope this helps,
M

 

[jamesyeeoc]

Yes, too bad they don't default it to 'reject' for unknown recipients....

It would also not hurt to configure Qmail control files as well for reducing queue times, bouncing, and such:

http://forum.plesk.com/showthread.php?threadid=12197&highlight=double+bounce

It's an old thread from Plesk 6 days, but the info on setting up the qmail control files is still valid.

Receiving emails to valid domains, but unknown users is quite common these days due to spammers, zombies, worms, etc. The trick is to keep on top of your server to keep the aftereffects to a minimum.

 

[atomicturtle]

I'd also look at the amount of L2 cache on your CPU, spamassassin and other perl apps will greatly benefit from high amounts of cache. For example my primary mail server is a dual P3-1000 with 2MB of cache per CPU, it consistantly outperforms a quad xeon with twice the ram (but half the cache), and much faster SCSI disks by 3 to 1.

Also watch your logs to see how long each message is taking to process by spamd, my mail server handles around 200,000 messages a day and takes at the max 3 seconds per message. Most of the time it runs in the .2-.5 second range. (I also use razor, dcc, pyzor and rbl in SA). If its extremely high, say in the 5-10 second range, check your /etc/resolv.conf and make sure: nameserver 127.0.0.1 is listed first.