exim: dropping spam based on score threshold?

[SoftDux]

How would I allow all users to edit their own score? Let''s say I create this rule as a default in cPanel, and it appears in all users' cPanel as a mail filter rule. How would I do that?

[sparek-3]

This should work for e-mail forwarders and also for mail sent out through the server. I did also run some tests and this does appear to be the case (although very limited tests). This is because any e-mail that comes into the server (whether it is being sent out or being received from another SMTP server) would be checked for spam. After the DATA command and after the message is completed, the message is scanned for spam. If the SpamAssassin score is above the limit, then the message is rejected and not accepted. This means that if a user sends a message with their e-mail client through the server and it is detected as spam, the user should receive an error stating that the message did not get sent. Likewise, in the case of an e-mail forwarder, the message is rejected before it is accepted on the server and forwarded on to the forwarded address.

I can see where this would have real promise in helping with e-mail forwarder spam as well as sending spam and just generally any spam. I haven't yet implemented this, I am still running some tests and I am keeping an eye on this thread for user experience.

[innsites]

Am very pleased with the results.

Just to clarify.......my ACL edit looks like this below. I learned I had to move the accept line below the new addition and then it worked like a charm!

deny message = Spam score too high ($spam_score)
spam = mailnull:true/defer_ok
condition = ${if >{$spam_score_int}{150}{1}{0}}
accept

[nxds]

I have been running this for a while, mostly with great success. However, I have noticed on a few servers that the spamd process can end up consuming a very large amount of memory resulting in high loads and bad response times.

One strange thing was that this jump in memory consumption was only happening on 2 out of 6 servers even though they are all identically configured. I didn't get to the bottom of this, but I've just noticed that another server has gotten the memory problem so I think it may be triggered by specific message content.

Does anyone have any more information on what causes spamd to eat so much memory and how to fix it?

In the meantime, as a workaround, I am running a cron job every 2 minutes to check the memory consumption of spamd. If the total is above 300MB I send a sighup to force new children to be started. Here's the code:

Code:

#!/bin/sh
#Restart spamd if sum of process sizes > 300MB
ps aux | awk '/[s]pamd/ {sum += $5} END {if (sum > 300000) {exit 1}};' || pkill -HUP spamd

[innsites]

I notice that my load average doubled with this code in use, but it has denied 6,870 pieces of "too high" (greater than 15 score) mails in a 12 hour period.

Thanks for that workaround tip. I may put it into action.

[nxds]

Just to clarify, I'm talking seriously high loads like 16+ caused by memory starvation. Loads of less than 2 or less I can handle.

[sparek-3]

The high loads would be understandable because it runs spamassassin on every message that reaches the server. If the message is accepted, spamassassin would be called again if the user has spamassassin enabled on their domain and the message would be scanned again.

Just to clarify, I'm talking seriously high loads like 16+ caused by memory starvation. Loads of less than 2 or less I can handle.

Do a lot of your accounts make use of their default box? If you have a lot of accounts on your server that have their default box set to something other than :fail: then this would scan those messages as well. I suspect that this would contribute quite a bit to the increase spamassassin memory usage.

[nxds]

Hi, it's not so that I'm checking a lot of messages, rather than the spamd children getting extremely fat (300MB) which causes the system to start thrashing to swap because of the lack of RAM. The spamd processes hang around serving new requests so they don't get any smaller; the only cure I've found is to sighup them so new light weight children get born.

What intrigues me is that this happens a lot on a couple of servers whereas other, more busy and identically configured servers don't get the problem. On the well behaved systems, the spamd children remain in the 10-40M range. I can't figure out what causes it this, (some memory leak or memory hungry rules triggered by specific messages?) but the sighup workaround keeps the servers load in check.

Of course, I also reject a lot of messages with RBL checks, and I also reject messages where the account has reached it's quota limit so I'm not spam scanning everything that attempts to talk to my mail server.

[forlinuxsupport]

The high loads would be understandable because it runs spamassassin on every message that reaches the server. If the message is accepted, spamassassin would be called again if the user has spamassassin enabled on their domain and the message would be scanned again.

Hmm. I found that too..

So all messages are being scanned twice.. pity.

Anyone know how to get this to work ONLY for accounts that actually have spamassassin enabled ?
and then how to make it scan only once ?

Its a great hack (um fix) , but my loads are just getting too high now !!

I'm thinking of trying the MailScanner route next to see how that copes.

Regards
Andy

[devourer]

I'm using the MailScanner add-on myself. This works really good for me. I also installed MailWatch for MailScanner. With this php program you can teach bayes. I trained bayes well, use a few good SARE rules with it and got nearly 100% spam filtering. Only thing is bandwith. MailScanner accepts all messages @ SMTP level and then scans. So its not rejected but just filtered out of the users mailbox..

[forlinuxsupport]

hey

MailScanner has definitely made an impact with reducing the load. Previously the server had a really high load, now it seems to manage with the occasional peak.

Cheers
Andy