Spamassassin hanging/dieing

Gary Stainburn gary.stainburn at ringways.co.uk
Tue Jan 9 10:53:12 UTC 2007 

Hi folks.

I had a FC4 system running exim, clamd.exim and spamassassin. A over 
christmas/new year the server started hanging. 

I took the opportunity to move email to a separate server and built a new FC5 
system just for email.  I'm still using exim, clamd.exim and spamassassin, 
having installed everything from rpms, and copied over the exim.conf and 
local.cf from the old server.

It's still dieing on a regular basis. Looking at top, spamd processes seem to 
be hogging the machine, with clamd.exim processes coming a not very close 
second.

Both real and virtual memory look fine, but CPU usage goes to around 99.7%

I've not changed exim.conf in months, and haven't changed local.cf in a while.  
I've included it below.  All other files have not ben touched and as of the 
rpms.

(The auto_whitelist and auto_learn arn't working either, complainin about file 
permissions, but I don't think they're affecting performance - I could be 
wrong)
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf 
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

version_tag rgw_2.1.28
required_score 12
report_safe 1
rewrite_header Subject [SPAM]
whitelist_from *@ford.com unspam at ringways.co.uk
trusted_networks 127.
trusted_networks 10.
lock_method flock

auto_whitelist_path	/var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode   0666
auto_whitelist_factor   0.5
bayes_path		/var/spool/spamassassin/bayes
bayes_file_mode		0666
bayes_auto_learn_threshold_nonspam      1
bayes_auto_learn_threshold_spam         9.0

#use_dcc			0
#use_razor2		0
#score RAZOR2_CHECK	0
#score DCC_CHECK		0
#score PYZOR_CHECK	0


ok_locales	en

# rescore standard tests
score EXCUSE_3           	1
score FORGED_OUTLOOK_TAGS	2
score DRUGS_ERECTILE_OBFU	2.5
score HTML_OBFUSCATE_05_10	2.0
score NIGERIAN_BODY2		2
score DRUGS_ERECTILE		2.5
score MISS_SPELLED_DRUGS        6

# local tests

header __YG_STEAM	Envelope-to =~ /steam\@stainburn.com/
header __YG_LISTID	List-Id =~/yahoogroups.com/
meta YAHOOGROUP		(( __YG_STEAM + __YG_LISTID ) > 1)
describe YAHOOGROUP	A subscribed Yahoo Group
score YAHOOGROUP	-100

header PHARM		Subject =~ /ph*arm*ac*y/i
describe PHARM		Subject contains pharmacy
score PHARM		3

header NEWAC		Subject =~ /new account/i
describe NEWAC		Email looks to be a Phish
score NEWAC		2

header STOX		Subject =~ /(STOX|bad debt|got debt)/i
describe STOX		Subject contains the  bad keywords
score STOX		7

header GOOD_TLD		From=~/\.(com|co\.uk|org|org\.uk)[>, ]/
describe GOOD_TLD	TLD is a good one
score GOOD_TLD		0

header BAD_TLD		From=~/\.(tv|br|ru|ch|biz|info)[>, ]/
describe BAD_TLD	TLD not is a good one
score BAD_TLD		2

header LAKESIDE		Subject =~ /lakeside cafe/i
describe LAKESIDE	Email is from the Lakeside Cafe Thread
score LAKESIDE		9

header BADFROM		From=~/(michaelmoffet|emailfactory|247.info)/
describe BADFROM	From contains a known SPAMMER
score BADFROM		5

header STEVECUMMINGS	To=~/steve.cummings/i
describe STEVECUMMINGS	One of the targets is Steve Cummings
score STEVECUMMINGS	15

body  __LOTTERY_1	/\blottery\b/i
body  __LOTTERY_2	/\bticket\b/i
body  __LOTTERY_3	/\bdraw\b/i
body  __LOTTERY_4	/\bprize\b/i
body  __LOTTERY_5	/\bemail (address|id)\b/i
body  __LOTTERY_6	/\bballot\b/i
body  __LOTTERY_7	/\bwinning\b/i
body  __LOTTERY_8	/\bnotification\b/i
meta MYLOTTERY		((__LOTTERY_1 +__LOTTERY_2 +__LOTTERY_3 +__LOTTERY_4 
+__LOTTERY_5 +__LOTTERY_6 +__LOTTERY_7 +__LOTTERY_8 ) > 4)
describe MYLOTTERY	A possible Lottery scam
score MYLOTTERY		6

header MEDICA		Subject =~ /medica/i
describe MEDICA		Subject contains medical reference
score MEDICA		2

header	__TRADEMAIL_FROM From =~/TradeMail/
header	__TRADEMAIL_TO	To =~/TradeMail/
describe TRADEMAIL	SPAM email about available used cars
score TRADEMAIL		10 


# # Cheap software
# full __BODY_PHOTOSHOP	/\bphotoshop\b/i
# full __BODY_WINDOWS	/\bwindows\b/i
# full __BODY_OFFICE	/\b(microsoft|ms) office\b/i
# full __BODY_XP		/\bXP\b/i
# full __BODY_OFFICE	/\boffice\b/i
# full __BODY_OEM		/\boem\b/i
# full __BODY_CHEAP	/\bcheap\b/i
# full __BODY_OFFER	/\boffer\b/
# full __BODY_DOWNLOAD	/\bdownload\b/
# full __BODY_SOFT	/\bs[0o]ftware\b/
# full __BODY_LOW_PRICE	/\blow\s*(cost|price)\b/i
# full __BODY_VEND1	/\bmicrosoft\b/i
# full __BODY_VEND2	/\bnorton\b/i
# full __BODY_VEND3	/\bcorel\b/i
# full __BODY_VEND4	/\badobe\b/i
# full __BODY_VEND5	/\bmacromedia\b/i
# full __BODY_VEND6	/\bMS\b/i
# meta SOFTWARE_OFFER	
((__BODY_VEND1+__BODY_VEND2+__BODY_VEND3+__BODY_VEND4+__BODY_VEND5+__BODY_VEND6+__BODY_LOW_PRICE+__BODY_OEM 
+__BODY_CHEAP + __BODY_PHOTOSHOP + __BODY_WINDOWS +__BODY_OFFICE + __BODY_XP 
+ __BODY_OFFICE +__BODY_SOFT+ __BODY_DOWNLOAD +__BODY_OFFER) > 4)
# describe SOFTWARE_OFFER	email contains offer of cheap software
# score SOFTWARE_OFFER	12
# 
# bogus ebay
header __EBAY_FROM	From:addr=~/ebay.co/
header __EBAY_REC	Received=~/ebay.co/
meta   BOGUS_EBAY	(__EBAY_FROM && !__EBAY_REC)
describe BOGUS_EBAY	Bogus eBay message - Not from their server
score BOGUS_EBAY	8.0

# bogus paypal
header __PAYPAL_FROM	From=~/\@paypal.com[> ]*$/
header __PAYPAL_REC	Received=~/paypal.com/
meta   BOGUS_PAYPAL	(__PAYPAL_FROM && !__PAYPAL_REC)
describe BOGUS_PAYPAL	Bogus Paypal message - Not from their server
score BOGUS_PAYPAL	8.0


# bugus investment

body __INVEST_BODY	/investment/i
header __INVEST_HEAD	Subject =~ /invest/i
meta __INVEST		(__INVEST_BODY || __INVEST_HEAD )
body __OPORT_BODY	/oportunity/i
header __OPORT_HEAD	Subject =~ /oportunity/i
meta __OPORT		(__OPORT_BODY || __OPORT_HEAD)
meta INVESTMENT		(__OPORT && __INVEST)
describe INVESTMENT	Possible investment invitation
score INVESTMENT	8

header __STOCK_HEAD	Subject =~ /\bhot\b.*\bst[0o]ck\b/i
body __STOCK_BODY	 /\bhot\b.*\bstock\b/i
meta __STOCK		( __STOCK_BODY || __STOCK_HEAD)
body __SYMBOL		/S{1,2}(my|ym)b{1,2}o{1,2}l{1,2}:/i
body __PRICE		/P{1,2}r{1,2}i{1,2}c{1,2}e{1,2}:/i
meta __STOCK_QUOTE	(__SYMBOL && __PRICE)
meta INVESTMENT_2	(__STOCK || __STOCK_QUOTE)
describe INVESTMENT_2	reference to stock exchange symbol and price
score INVESTMENT_2	12
 
# if listed on >2 RBLs, less likely to be false, so increase score
meta MULTI_BL_LISTS	((URIBL_WS_SURBL+URIBL_JP_SURBL 
+URIBL_AB_SURBL+URIBL_WS_SURBL+RCVD_IN_XBL+RCVD_IN_BL_SPAMCOP_NET+RCVD_IN_SORBS_DUL+DNS_FROM_RFC_POST+DNS_FROM_RFC_ABUSE+RCVD_IN_NJABL_DUL+RCVD_IN_DSBL) 
> 1)
describe MULTI_BL_LISTS increase the score if in multiple RBL
score MULTI_BL_LISTS	 5

# if erectile drugs and *instant* or enhance
body __DRUGS_ENHANCE	/(enhance|improve|longer|harder|stamina)/
meta DRUGS_BETTER	(DRUGS_ERECTILE && __DRUGS_ENHANCE)
describe DRUGS_BETTER	Contains reference to improved performance
score DRUGS_BETTER	7.0

# # miss-spelled drugs
# full MISS_SPELLED_DRUGS	/(probecia|v.{1,5}gra|paxpl|v.lium|ci.lis|Letitra|
sema|merixia|xasax|ambiei)/i
# describe MISS_SPELLED_DRUGS	Contained obfusticated drugs (spelling wrong)
# score MISS_SPELLED_DRUGS	10.0
# 
#Ttip Ttop etc
body TIP_TOP		/t{1,2}i{1,2}p{1,2} {1,2}t{1,2}o{1,2}p{1,2} 
{1,2}e{1,2}q{1,2}u{1,2}i{1,2}t{1,2}i{1,2}t{1,2}i{1,2}e{1,2}s{1,2}/i
describe TIP_TOP	SPAM stock broker emails
score TIP_TOP		5.0

#PHAR*MACY
header PHARMACY		subject=~ /re: pha.{1,5}macy/i
describe PHARMACY	Obfusticated pharmacy subject.
score PHARMACY		12.0

header __WROTE_SUBJECT	Subject =~ /\b\w+\b wrote:/i
body __WROTE_STOCK	/Stock:/i
body __WROTE_SYM	/Sym:/i
body __WROTE_PRICE	/Price:/i
body __WROTE_SHORT	/Short Term Target:/i
body __WROTE_LONG	/Long Term Target:/i
body __WROTE_COMPANY	/Company:/i
meta SOMEONE_WROTE	
((__WROTE_PRICE+__WROTE_STOCK+__WROTE_SYM+__WROTE_SHORT+__WROTE_LONG+__WROTE_SUBJECT) 
> 3)
describe SOMEONE_WROTE	A Stock dealing SPAM
score SOMEONE_WROTE	12.0

header EQSE	Subject =~ /EQSE/
describe EQSE	EQSE stock quote
score EQSE	12.0

header FAKE_PILLS	Subject =~ /(fake|enhancement) pills/i
describe FAKE_PILLS	Selling (non)Fake enlargement pills
score FAKE_PILLS	12.0

body __GROW_JOHNSON	/(pen[i1]s|johnson|sausage|member|weenie|woody|muscle)/
body __GROW_LARGER	/(enlarge|larger|bigger|growth|longer|boost)/
META GROW_PILLS		((__GROW_JOHNSON+__GROW_LARGER) > 1)
describe GROW_PILLS	Offers pills to improve mens physique
score GROW_PILLS	5.0


body __PRICE_VIAGRA	/\bv[\w\d_]*ra\b \$ \d, \d\d/i
body __PRICE_VALIUM	/\bv[\w\d_]*um\b \$ \d, \d\d/i
body __PRICE_CIALLIS	/\bc[\w\d_]*is\b \$ \d, \d\d/i
body __PRICE_AMBIEN	/\ba[\w\d_]*en\b \$ \d, \d\d/i
body __PRICE_XANNAX	/\bx[\w\d_]*ax\b \$ \d, \d\d/i
META DRUGS_PRICE	
((__PRICE_VIAGRA+__PRICE_VALIUM+__PRICE_CIALLIS+__PRICE_AMBIEN+__PRICE_XANNAX) 
> 3)
describe DRUGS_PRICE	Drugs offered with prices
score DRUGS_PRICE	12.0

header WINDOWS_VISTA	Subject =~ /^Windows Vista.*download/
describe WINDOWS_VISTA	Offer of cheap copy of MS Windows Vista
score WINDOWS_VISTA	12.0

header __RE_RE		Subject=~/\bre:\b *$/i
body __RE_BLANK		/Content-Type: text\/plain \nContent-Transfer-Encoding: 7bit 
*\n *\n-----/
META	BLANK_EMAIL	((__RE_RE+__RE_BLANK) > 1)
describe BLANK_EMAIL	Email contains (almost) blank subject and blank plain 
text
score BLANK_EMAIL	8.0


-- 
Gary Stainburn
 
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000

More information about the fedora-list mailing list