Amavis stopping
Paul R. Ganci
ganci at nurdog.com
Wed Jun 28 03:44:30 CEST 2017
I have had the same problem which has recently begun maybe 10 days or so
ago. I have managed to track it down to two particular emails that are
definitely spam and have created a Amavis DoS attack situation.
Basically the symptom appears to be that all 6 of the Amavis processes
on the server end up taking up 100% of the 6 processors assigned for
spam detection. The Amavis processes attempt to scan these messages and
never complete. As a result any other email gets "stuck" in the mailq
and hence the postifx error message that you mention appears in the
maillog file.
The only way I have managed to fix this problem is to move all the email
out of the Postfix mail queue, restart Amavis and then start
re-submitting the mail back into the queue. That is how I found which
spam emails were causing the DoS attack on the Amavis daemon. These
emails originated mostly from Amsterdam, France and Enihosting.com here
in the US. I have blocked the hosts from which these emails have
originated and have been okay since. I also have created a hourly cron
job to restart Amavis and then flush the Postifix mailq which seemed to
help a bit but did not completely stop the problem
What I would really like to know is what in these messages is causing
the 100% CPU usage and the subsequent DoS situation. I have the emails
handy if that would help but are there any suggestions as to how to
configure Amavis to avoid situations like a combinatorial explosion (no
I am not using my own spamassassin rules) mentioned in the other thread
(Amavis 100%)? I would even consider a timer... Give a Amavis process a
5 minute CPU limit and then just deliver the message is a better
situation than having thousands of messages queued up because all the
Amavis processes are running at 100% CPU for hours on end in my case.
I realize this is kind of general but people might have suggestions as
to Amavis configuration which can at least avoid the problem which
pretty much has shutdown my two email servers twice over the last couple
of weeks. I am also willing to provide the two culprit emails to anyone
who might like to look them over. In the meantime I might try raising
the debug level and running strace as suggested in the previously
mentioned thread... in principle I just need to re-submit one of the
offending messages. Any other ideas are welcome. Thanks.
--
Paul (ganci at nurdog.com)
cell: (303)257-5208
More information about the amavis-users
mailing list