Spamassassin stopped working - I am drowning in SPAM!

#1 Tue, 07/01/2014 - 20:24
flameproof

For unknown reasons SpamAssassin stopped scanning incoming emails and one of my old POP boxes is getting flooded with SPAM.

I am on a VPS: CentOS 5.2, Webmin version 1.660, Virtualmin version 4.08.gpl GPL, SpamAssassin version 3.3.1.

When I do 'top' in putty I see spamd running.

Some outputs:

# rpm -qa | grep spamassassin
spamassassin-3.3.1-4.el5

ps aux | grep spamd
root     24171  0.0  0.1   1832   496 pts/0    S+   19:56   0:00 grep spamd
root     29953  0.0 13.6  45040 39888 ?        Ss   08:43   0:02 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root     29999  0.0 12.8  45040 37752 ?        S    08:43   0:00 spamd child
root     30001  0.0 12.8  45040 37672 ?        S    08:43   0:00 spamd child

# spamd
Jul  1 19:52:20.222 [12277] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
[some line deleted]
Jul  1 19:52:29.242 [12277] error: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
spamd: could not create INET socket on 127.0.0.1:783: Address already in use

Update: This problem affects one POP mailbox only; others work fine and do get scanned. Spam handling is/was enabled in Virtualmin.

What can I try next?

Tue, 07/01/2014 - 23:34
andreychek

Howdy,

You may want to review the email logs in /var/log/maillog to see what's going on when email from this particular user comes into the system.

It's also possible that the procmail logs in /var/log/procmail.log will have some useful information.

When looking at the headers of email coming into this account, do you see any with the name X-Spam-Status?

Lastly, just to verify -- if you go into Edit Virtual Server for this particular domain, is the "Spam Filtering" feature enabled?

-Eric

Wed, 07/02/2014 - 00:08
flameproof

Hi, the "Spam Filtering" feature is enabled for that domain. Other mailboxes in the same domain get checked and have the "X-Spam" line. The non-working box gets only an "X-Original-To:" and no other X headers.

maillog from just now: (troubled box is 'CCL')

Jul  1 23:25:39 vps-323 dovecot: POP3(peggy.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/41, size=5884632
Jul  1 23:25:39 vps-323 dovecot: POP3(contact.minidisc): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jul  1 23:25:39 vps-323 dovecot: POP3(jbeh.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/30, size=13235016
Jul  1 23:25:39 vps-323 dovecot: POP3(project.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/3, size=46638
Jul  1 23:25:39 vps-323 dovecot: POP3(peggy2.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=18511
Jul  1 23:25:39 vps-323 dovecot: POP3(jbeh.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/137, size=20637148
Jul  1 23:25:40 vps-323 dovecot: POP3(contact.domain_02): Disconnected: Logged out top=1/1637, retr=0/0, del=0/111, size=1630446
Jul  1 23:25:40 vps-323 dovecot: POP3(adwords.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/12, size=169259
Jul  1 23:25:40 vps-323 dovecot: pop3-login: Login: user=<admin.domain_03>, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188
Jul  1 23:25:40 vps-323 dovecot: pop3-login: Login: user=<ccl.domain_01>, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188
Jul  1 23:25:40 vps-323 dovecot: POP3(admin.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/68, size=197542
Jul  1 23:25:40 vps-323 dovecot: POP3(ccl.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/64, size=11353218
Jul  1 23:25:42 vps-323 dovecot: pop3-login: Login: user=<admin.domain_01>, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188
Jul  1 23:25:42 vps-323 dovecot: pop3-login: Aborted login: user=<vps@xxx.com>, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188
Jul  1 23:25:42 vps-323 dovecot: POP3(admin.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/73, size=10459252
Jul  1 23:25:51 vps-323 postfix/anvil[12035]: statistics: max connection rate 1/60s for (smtp:125.89.208.115) at Jul  1 23:23:49
Jul  1 23:25:51 vps-323 postfix/anvil[12035]: statistics: max connection count 1 for (smtp:125.89.208.115) at Jul  1 23:23:49
Jul  1 23:25:51 vps-323 postfix/anvil[12035]: statistics: max cache size 1 at Jul  1 23:23:49
Jul  1 23:25:52 vps-323 postfix/smtpd[18347]: connect from localhost.localdomain[127.0.0.1]
Jul  1 23:25:52 vps-323 postfix/smtpd[18347]: disconnect from localhost.localdomain[127.0.0.1]


// procmail
From DealershipLotClearance@newjulyautospecials.us  Tue Jul  1 22:49:12 2014
Subject: AUTO DEALS: Cars Priced-Below Kelly-Blue Book-Value
  Folder: /home/domain/homes/ccl/Maildir/new/1404272953.18136_1.vps-1    1527
Time:1404272960 From:DealershipLotClearance@newjulyautospecials.us To:ccl@domain.com User:ccl.domain Size:1605 Dest:/home/domain/homes/ccl/Maildir/new/1404272953.18136_1.vps-323.cp.com Mode:None
procmail: Program failure (-25) of "/usr/bin/spamassassin"
procmail: Rescue of unfiltered data succeeded

// procmail, same domain, but scan works:

From peggy@xxxc.com  Tue Jul  1 23:01:36 2014
Subject: Re: Reply: Re: Reply: Re: about the PE coated material
  Folder: /home/domain/homes/cindy/Maildir/new/1404273701.12235_1.v   18826
Time:1404273712 From:peggy@yyy.com To:sales1@joyfulfff.net User:cindy.domain Size:18887 Dest:/home/domain/homes/cindy/Maildir/new/1404273701.12235_1.vps-323.cp.com Mode:None
procmail: Program failure (-25) of "/usr/bin/spamassassin"
procmail: Rescue of unfiltered data succeeded

Wed, 07/02/2014 - 10:23
andreychek

Howdy,

I think this error is the key:

procmail: Program failure (-25) of "/usr/bin/spamassassin"

Though I'm not entirely certain what that is, it may be resource related.

Does this user have any sort of restriction on their resources, or number of processes they can run?

Also, does their account have disk quota space still available?

-Eric

Fri, 07/04/2014 - 02:36
flameproof

The quota in Virtualmin>Users is set to Automatic.

In Webmin > Disk Quotas it is set to unlimited.

I noticed large files in:

/home/domain/homes/ccl/.spamassassin

bayes_seen - 41.7Mb

/home/domain/homes/ccl/.razor

razor-agent.log - 51.2Mb

I am not sure about restrictions on their resources. I need to add that my VPS has only 286Mb RAM and I sometimes run into problems, i.e. updating Webmin.

Update: I deleted the razor-agent.log (after a backup) and SpamAssassin works again.

Do I need the "bayes_seen"?

Update: Well, I deleted "bayes_seen" and it gets recreated starting from zero. So I guess I don't need it.
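
The two checks this thread converges on, as an added example that is not part of any post: find delivered messages that lack the X-Spam-Status header (mail that reached the mailbox unfiltered) and list oversized files under the user's .spamassassin and .razor directories. The function names, the size threshold and the sample mailbox are constructed for illustration; only the header name and the two directory names come from the thread.

```python
import os
import tempfile
from email.parser import BytesHeaderParser

STATE_DIRS = (".spamassassin", ".razor")  # per-user directories named in the thread

def unscanned_messages(maildir):
    """Return names of messages in <maildir>/new that carry no X-Spam-Status header."""
    new_dir = os.path.join(maildir, "new")
    missing = []
    for name in sorted(os.listdir(new_dir)):
        with open(os.path.join(new_dir, name), "rb") as fh:
            headers = BytesHeaderParser().parse(fh)  # header block only, body not interpreted
        if headers.get("X-Spam-Status") is None:
            missing.append(name)
    return missing

def oversized_state_files(home, limit_bytes):
    """Return sorted (path, size) pairs for filter state files larger than limit_bytes."""
    hits = []
    for d in STATE_DIRS:
        for root, _dirs, files in os.walk(os.path.join(home, d)):  # missing dir yields nothing
            for f in files:
                path = os.path.join(root, f)
                if os.path.getsize(path) > limit_bytes:
                    hits.append((path, os.path.getsize(path)))
    return sorted(hits)

def build_sample_home(root):
    """Create a constructed mailbox home for the demo (not data from the thread)."""
    new_dir = os.path.join(root, "Maildir", "new")
    os.makedirs(new_dir)
    os.makedirs(os.path.join(root, ".razor"))
    scanned = b"X-Original-To: a@example.test\nX-Spam-Status: No, score=0.1\n\nbody\n"
    unscanned = b"X-Original-To: a@example.test\nSubject: sample\n\nX-Spam-Status: in body\n"
    for name, data in (("1.scanned", scanned), ("2.unscanned", unscanned)):
        with open(os.path.join(new_dir, name), "wb") as fh:
            fh.write(data)
    with open(os.path.join(root, ".razor", "razor-agent.log"), "wb") as fh:
        fh.write(b"x" * 4096)  # stands in for a log that has grown without rotation
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp)
        print(unscanned_messages(os.path.join(home, "Maildir")))
        print(oversized_state_files(home, 1024))
```

On a real server the arguments would be a mailbox home such as the /home/domain/homes/ccl path shown in the posts and a limit suited to the machine's memory.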
