Posted to users@spamassassin.apache.org by Vermyndax <ve...@red-abstract.com> on 2004/08/18 07:50:36 UTC

another DoS on 2.64?

Is there perhaps another DoS on SA 2.64?  I just happened to come in and
write myself a reminder and discovered my mail server acting *very*
slow.  There were about 15 spamd processes, one of which was taking 22
minutes of CPU time...

Relevant log line:

Aug 18 00:27:11 denizi spamd[16780]: connection from denizi.red-abstract.com [127.0.0.1] at port 38914
Aug 18 00:27:22 denizi spamd[4236]: info: setuid to cyoung254 succeeded
Aug 18 00:28:53 denizi spamd[4236]: processing message <10...@storefull-3155.bay.webtv.net> for cyoung254:1012.
Aug 18 00:34:57 denizi spamd[16780]: connection from denizi.red-abstract.com [127.0.0.1] at port 39268
Aug 18 00:34:58 denizi spamd[4236]: Pyzor -> check failed: Cannot allocate memory
Aug 18 00:34:58 denizi spamd[16780]: cannot fork: Cannot allocate memory
Aug 18 00:35:00 denizi spamd[4236]: DCC -> check failed: Cannot allocate memory

Funny thing is, the memory usage is quite low:

               total       used       free     shared    buffers     cached
Mem:        385624      54272     331352          0       1776      10056
-/+ buffers/cache:      42440     343184
Swap:      1048816     136208     912608

...and uptime produced:

denizi root # uptime
   00:46:06 up 9 days, 11:38,  2 users,  load average: 27.84, 20.96, 17.85

Whut in da werld is hapnin!?

--JM

-- 
http://blogs.galaxycow.com/vermyndax

Because this E mail address is transmission exclusive use, message it 
does not reply, fish prayer it is to call it does.

Re: another DoS on 2.64?

Posted by Daniel Quinlan <qu...@pathname.com>.
Vermyndax <ve...@red-abstract.com> writes:

> Is there perhaps another DoS on SA 2.64?  I just happened to come in and
> write myself a reminder and discovered my mail server acting *very*
> slow.

It looks more like you just ran out of memory.  How many spamd processes
are you running?  15 may be too many for the amount of RAM you have,
especially if you are filtering messages that are larger than 250k (the
default maximum size).

> There were about 15 spamd processes, one of which was taking 22
> minutes of CPU time...

There are a lot of potential reasons this can happen, not just some DoS
issue (just because we issued a security update, it does not now mean
that all problems are a DoS).  However, if you have a message that you
believe causes a DoS issue, please open a bug and put it into the
Security component with the "Security Team" flag and after the bug is
opened, attach (not cut and paste) the full example message.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
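
Added example, not part of any post in this thread: a small triage script that runs over the spamd log lines from the first post and separates the two symptoms discussed above, memory-exhaustion errors ("cannot fork", plugin checks failing with "Cannot allocate memory") and a child that goes silent for a long time while scanning one message. The function names, the 120-second stall threshold and the year passed to the parser are assumptions made for this example.

```python
import re
from datetime import datetime

# Log lines from the first post in this thread, with the mail wrapping undone.
SAMPLE_LOG = """\
Aug 18 00:27:11 denizi spamd[16780]: connection from denizi.red-abstract.com [127.0.0.1] at port 38914
Aug 18 00:27:22 denizi spamd[4236]: info: setuid to cyoung254 succeeded
Aug 18 00:28:53 denizi spamd[4236]: processing message <10...@storefull-3155.bay.webtv.net> for cyoung254:1012.
Aug 18 00:34:57 denizi spamd[16780]: connection from denizi.red-abstract.com [127.0.0.1] at port 39268
Aug 18 00:34:58 denizi spamd[4236]: Pyzor -> check failed: Cannot allocate memory
Aug 18 00:34:58 denizi spamd[16780]: cannot fork: Cannot allocate memory
Aug 18 00:35:00 denizi spamd[4236]: DCC -> check failed: Cannot allocate memory
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ spamd\[(\d+)\]: (.*)$")

def parse(text, year=2004):
    """Yield (timestamp, pid, message) for each spamd syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog omits the year, so it is supplied by the caller (assumption).
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def triage(text, stall_seconds=120):
    """Summarise memory-exhaustion errors and slow scans in a spamd log."""
    report = {"fork_failures": 0, "enomem_checks": [], "stalled": []}
    started = {}  # pid -> time that child logged "processing message"
    for ts, pid, msg in parse(text):
        if pid in started:
            # The next line from the same child ends its silent period.
            gap = (ts - started.pop(pid)).total_seconds()
            if gap >= stall_seconds:
                report["stalled"].append((pid, int(gap)))
        if msg.startswith("processing message"):
            started[pid] = ts
        elif msg.startswith("cannot fork:"):
            report["fork_failures"] += 1
        elif "check failed: Cannot allocate memory" in msg:
            report["enomem_checks"].append((pid, msg.split(" -> ")[0]))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```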

Re: another DoS on 2.64?

Posted by Vermyndax <ve...@red-abstract.com>.
I did see that happen yesterday as well.  I had one message slip through 
completely unscanned... I didn't think twice and deleted it though.  :(

--JM

Cirelle Enterprises wrote:

> ----- Original Message ----- 
> From: "Vermyndax" <ve...@red-abstract.com>
> 
> 
> | Is there perhaps another DoS on SA 2.64?  I just happened to come in and
> | write myself a reminder and discovered my mail server acting *very*
> | slow.  There were about 15 spamd processes, one of which was taking 22
> | minutes of CPU time...
> 
> We have noticed (since the upgrade from 2.63 -> 2.64) that we are now getting
> mail that has been bypassed altogether and not checked.  Something that
> has not happened with 2.63.
> 
> Beyond that, we haven't seen your issue.
> 
> Greg
> 



Re: another DoS on 2.64?

Posted by Cirelle Enterprises <gc...@cirelle.com>.
----- Original Message ----- 
From: "Vermyndax" <ve...@red-abstract.com>


| Is there perhaps another DoS on SA 2.64?  I just happened to come in and
| write myself a reminder and discovered my mail server acting *very*
| slow.  There were about 15 spamd processes, one of which was taking 22
| minutes of CPU time...

We have noticed (since the upgrade from 2.63 -> 2.64) that we are now getting
mail that has been bypassed altogether and not checked.  Something that
has not happened with 2.63.

Beyond that, we haven't seen your issue.

Greg