Need to reduce Resource usage by RVSkin Exiscan

Discussion in 'General Discussion' started by justhost, Jan 26, 2006.

  1. justhost

    Hello

    I am using the RVSkin Exiscan setup (http://www.rvskin.com/index.php?page=public/antispam) on a Linux box and spamd is overloading the server so much that pop keeps timing out. I need to either find an alternative or find better alternative options?

    The server is a Dual Xeon 2.8 with 4GB of RAM. Running most up to date Stable CPanel.

    The following are a sample day for Mail Statistics:

    Exim statistics from 2006-01-25 06:01:33 to 2006-01-26 09:21:57

    Grand total summary
    -------------------
                                             At least one address
      TOTAL        Volume   Messages  Hosts    Delayed       Failed
      Received      419MB       6236   1197  415  6.7%    231  3.7%
      Delivered     589MB       7574    468

    These really are not all that high? Are they?

    But during the peak hours of the day (i.e. 10:30AM - 2PM) pop3 is continuously timing out and failing. spamd I know is a resource hog but definitely works. I am really not sure what else to do....I can't really upgrade much more....I mean 4GB of RAM ...Dual Xeon...

    I have used Chirpy's Mailscanner and although it worked awesome it was even more of a resource hog than my current setup.

    Does anyone have any suggestions? I am at the point that today I am going to have to remove spamd for the peak usage hours.

    Thank you.
     
  2. rvskin

    First, it is not RV Skin exiscan. I don't want users to be confused.

    I have an experimental Auto Black List script to automatically blacklist a server IP address if the spam score is higher than a specific level. This alone saves my spamd process 8,000 emails / server / day. However, my server is frequently overloaded, so I cannot conclude that it does help. But according to the number above, it should save a lot. You may try it and let me know the result.

    1. Download the attached file and save it as /etc/eximSpamDeny.pl on your server.
    2. Run the following commands:
    mkdir /etc/eximSpam
    touch /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl
    chown mailnull:mail /etc/eximSpam /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl /etc/eximSpamDeny.pl
    chmod 700 /etc/eximSpam /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl /etc/eximSpamDeny.pl

    3. Set cron to run /etc/eximSpamDeny.pl every 5 minutes:
    crontab -e
    */5 * * * * perl /etc/eximSpamDeny.pl > /dev/null 2>&1
    It will clear the temporary files that are in /etc/eximSpam.

    4. Edit your EXIM configuration. If you follow the guideline on my website, it is under acl_check_host (the second box in the WHM Exim configuration). Add the bold configuration to yours.

    acl_check_host:

      ##
      # Reject email sent from mail server IP listed in the blacklist
      ##
      deny message = Connection is permanent denied
           hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist


      ##
      # Reject email sent from mail server IP listed in the blacklist
      ##
      deny message = Connection temporary denied from $sender_host_address after spam attack
           hosts = /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl
           !hosts = @[]
           !hosts = +rv_relay_hosts

    At the spam ACL, add the bold configuration to yours.

      deny message = Spam score too high ($spam_score)
           spam = mailnull:true/defer_ok
           # If emails with a high score come into the server from the same host address
           # more than 3 times within the last 60 seconds, the sender's server will be blocked for 1 hour
           condition = ${run{/etc/eximSpamDeny.pl $sender_host_address $spam_score_int $sender_address }{yes}{yes}}
           condition = ${if >{$spam_score_int}{150}{1}{0}}
     

    #2 rvskin, Jan 26, 2006
    Last edited: Mar 19, 2006
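
The auto-blacklist logic described in post #2, as an added Python sketch (not the attached eximSpamDeny.pl, which is not reproduced on this page, and not rvskin's code). The thresholds come from the ACL and its comments; the function names and in-memory state are assumptions, and the client-supplied $sender_address is deliberately not used.

```python
import ipaddress

# Values taken from the post: more than 3 high-score hits within 60 seconds
# blocks the host for 1 hour; the ACL tests $spam_score_int > 150.
WINDOW, MAX_HITS, BLOCK_FOR, SCORE_INT_LIMIT = 60, 3, 60 * 60, 150


def valid_ip(text):
    """Return the canonical address, or None if text is not a plain IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def record_hit(hits, blocked, host, score_int, now):
    """Record one scanned message; return True if host is now blacklisted."""
    ip = valid_ip(host)
    # Never write anything that is not an IP into a file Exim reads as a list.
    if ip is None or score_int <= SCORE_INT_LIMIT:
        return False
    recent = [t for t in hits.get(ip, []) if now - t < WINDOW] + [now]
    hits[ip] = recent
    if len(recent) > MAX_HITS:
        blocked[ip] = now
        return True
    return False


def expire(hits, blocked, now):
    """Cron-side cleanup: forget stale hits and lift blocks after BLOCK_FOR."""
    for ip in [ip for ip, t in blocked.items() if now - t >= BLOCK_FOR]:
        del blocked[ip]
    for ip in list(hits):
        hits[ip] = [t for t in hits[ip] if now - t < WINDOW]
        if not hits[ip]:
            del hits[ip]


def render_hostlist(blocked):
    """One address per line (assumed layout of the .abl file used by 'hosts =')."""
    return "".join(ip + "\n" for ip in sorted(blocked))
```
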
  3. justhost

    Thank you.

    I will look at implementing this tonight. I have turned spamd off for the peak hours today. I don't want to do anything that could jeopardize the mail until tonight.

    I will let you know how it goes.
     
  4. rvskin

    Here is my stat on a Xeon 2.40GHz (HT), 2G RAM server on 2006-01-27.

    =======================
    Total email blocked: 23,872
    =======================
    grep -E 'is blocked|spam attack|dictionary attack|Hacked HELO|Forged HELO|Bad HELO|dsbl\.org|spamhaus\.org|ordb\.org|unknown user|If you meant to send this file|virus or other harmful|Spam score too high' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by manual blacklist sender at the SMTP time: 272
    grep 'is blocked' /var/log/exim_mainlog | grep 'Sender' | grep '2006-01-27' | wc -l

    Spam mail blocked by manual blacklist host address at the SMTP time: 0
    grep 'is blocked' /var/log/exim_mainlog | grep 'Host' | grep '2006-01-27' | wc -l

    Spam mail blocked by Auto black list SA high score (above script) at the SMTP time: 6,494
    grep 'spam attack' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by Auto black list after dictionary attack the SMTP time: 343
    grep 'dictionary attack' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by invalid HELO at the SMTP time: 4,137
    grep -E 'Hacked HELO|Forged HELO|Bad HELO' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by RBL at the SMTP time: 3,036
    grep -E 'dsbl\.org|spamhaus\.org|ordb\.org' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by setting default address to :fail: at the SMTP time: 2,395
    grep 'unknown user' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by illegal File extension at the SMTP time: 532
    grep 'If you meant to send this file' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by Virus scanner at the SMTP time: 909
    grep 'virus or other harmful' /var/log/exim_mainlog | grep '2006-01-27' | wc -l
    grep -E 'SPAM\.' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail blocked by SA at the SMTP time: 5,754 -121 = 5,633
    grep -E 'Spam score too high' /var/log/exim_mainlog | grep '2006-01-27' | wc -l
    minus with
    grep 'discarded: Spam score' /var/log/exim_mainlog | grep '2006-01-27' | wc -l

    Spam mail discarded by SA high score (12-15) after receiving email: 121
    grep 'discarded: Spam score' /var/log/exim_mainlog | grep '2006-01-27' | wc -l


    NOTE: My SA is running RAZOR, DCC, Pyzor, SARE, Custom SA rules, my own SURBL.
     
  5. Radio_Head

    suppose I want to block the spammer for 8 hours instead of 1 hour

    I changed

    &deleteFile($time, '/usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl', 60*60);

    with

    &deleteFile($time, '/usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl', 60*60*8);

    Is it enough ?
     
  6. rvskin

    Yes, it is.
     
  7. webadmin

    I didn't find any directory named eximacl under /usr/local/cpanel/base,
    so I wasn't able to touch the following:

    touch /usr/local/cpanel/base/eximacl/rv_server_ip_blacklist.abl
    Can you help me?
     