You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by David Spector <da...@springtimesoftware.com> on 2013/09/18 00:06:01 UTC

Process 'spamd' gets wedged at random times

How I'm invoking Spamassassin: CPanel on my webserver

In Cpanel: no Spamassassin version information, Score (required_score)=5, 
Spam Box=On, no special config specified

My platform: CENTOS 6.4 i686 virtuozzo

My problem:

LFD sends me the following email from root at random times, sometimes twice 
a day, sometimes once every few days, complaining about wedged process 
'spamd':

Subject: lfd: Suspicious process running under user ****
Body:
----
Time:    Tue Sep 17 05:35:15 2013 -0400
PID:     5268 (Parent PID:20849)
Account: ****
Uptime:  250628 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):

spamd child
[additional detailed process info omitted]
...
----

I have searched the Web, and asked my server maintainers, CSF/LFD support, 
and CPanel support. Nobody knows anything about this error message. I have 
also looked at the FAQ at http://wiki.apache.org/spamassassin and did not 
find anything relevant there.

David Spector
Springtime Software

Re: Process 'spamd' gets wedged at random times

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.

Hi!

On Mit, 2013-09-18 at 12:55 +0100, RW wrote:
> On Wed, 18 Sep 2013 13:04:17 +0200
> Bernd Petrovitsch wrote:
[...]
> > On Mit, 2013-09-18 at 06:46 -0400, David Spector wrote:
> > [...]
> > > LFD is a monitor that detects processes that have been running too
> > > long. That's about all it does.
> > 
> > "spamd" is the daemon of SpamAssassin which actually does the job. And
> > it is the purpose of a Unix-daemon to run long - ideally from boot up
> > until machine shutdown (years later ....) without restart.
> 
> It's actually a child process, which isn't supposed to run forever.

First, the is usually (also) the job of the "main process" if the actual
work is done by worker processes (or threads).
Second, and then the OP has to specify that correctly.

spamd-3.3.1 hereover has a "--max-conn-per-child=num" option (default
value can be found in the manual page) but it depends on the number of
workers and the number of mails how long they usually run.

And all that is only known to the OP ...

	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at

Re: Process 'spamd' gets wedged at random times

Posted by David Spector <da...@springtimesoftware.com>.

Dear RW,

Thank you for your clear explanation and for instructions for fixing the 
incorrect notice.

I've followed up by submitting a ticket to get the instructions updated for 
the current WHM.

I will also follow up with the support teams for the other products.

Some of the other responses here seemed a bit nasty, but you haven't 
pretended to knowledge you didn't have. I'm appreciative, satisfied, and 
gone.

David

---- Original Message ----
From: "RW" <rw...@googlemail.com>
To: <us...@spamassassin.apache.org>
Sent: Wednesday, September 18, 2013 7:55 AM
Subject: Re: Process 'spamd' gets wedged at random times

> On Wed, 18 Sep 2013 13:04:17 +0200
> Bernd Petrovitsch wrote:
>
>> Hi!
>>
>> On Mit, 2013-09-18 at 06:46 -0400, David Spector wrote:
>> [...]
>>> LFD is a monitor that detects processes that have been
>>> running too long. That's about all it does.
>>
>> "spamd" is the daemon of SpamAssassin which actually
>> does the job. And it is the purpose of a Unix-daemon to
>> run long - ideally from boot up until machine shutdown
>> (years later ....) without restart.
>
> It's actually a child process, which isn't supposed to
> run forever. However, from Google:
>
> https://billing.handsonwebhosting.com/knowledgebase/250/Suspicious-spamd-child-Process-Emails-From-CSF-Firewall-Software.html

Re: Process 'spamd' gets wedged at random times

Posted by RW <rw...@googlemail.com>.

On Wed, 18 Sep 2013 13:04:17 +0200
Bernd Petrovitsch wrote:

> Hi!
> 
> On Mit, 2013-09-18 at 06:46 -0400, David Spector wrote:
> [...]
> > LFD is a monitor that detects processes that have been running too
> > long. That's about all it does.
> 
> "spamd" is the daemon of SpamAssassin which actually does the job. And
> it is the purpose of a Unix-daemon to run long - ideally from boot up
> until machine shutdown (years later ....) without restart.

It's actually a child process, which isn't supposed to run forever.
However, from Google:

https://billing.handsonwebhosting.com/knowledgebase/250/Suspicious-spamd-child-Process-Emails-From-CSF-Firewall-Software.html

Re: Process 'spamd' gets wedged at random times

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.

Hi!

On Mit, 2013-09-18 at 06:46 -0400, David Spector wrote:
[...]
> LFD is a monitor that detects processes that have been running too long. 
> That's about all it does.

How long is "too long" for "spamd"?

> spamd is apparently part of Spamassassin, at least when it is running on 
> Linux systems. I'm not sure; I'm not an SA expert (obviously).

"spamd" is the daemon of SpamAssassin which actually does the job. And
it is the purpose of a Unix-daemon to run long - ideally from boot up
until machine shutdown (years later ....) without restart.

> The LFD people say this is definitely a problem with SA, since their product 
> is sending correct email. Also, CPanel support says the problem is not with 
> CPanel.
>
> To others: I still need help on this.

You should not check the run-time (or age) of a daemon or be prepared
that the deamon runs "too long".
More probably you should disable these tools for deamons and use e.g.
"monit" to automatically restart it if tit goes down (for what ever
reason).

IMHO it is pure PEBKAC: You are using the wrong tools to look after
"spamd" ....

	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at

Re: Process 'spamd' gets wedged at random times

Posted by Antony Stone <An...@spamassassin.open.source.it>.

On Wednesday 18 September 2013 at 12:46:52, David Spector wrote:

> Dear Matus,
> 
> LFD is a monitor that detects processes that have been running too long.
> That's about all it does.

Who defines what is "too long"?

The commands "ps ax" or "top" will show you (under the "time" column) how long 
a process has been running.

I see no reason to complain about a process simply because it's been running 
for a long time - so long as it is still running and doing its job, then I 
regard that as ver acceptable.

> The LFD people say this is definitely a problem with SA, since their
> product is sending correct email.

What is the "problem" with a long-running process?

Can you configure LFD to know that you don't care if spamd has been running for 
a long time - that's what it's supposed to do?

> ---- Original Message ----
> From: "Matus UHLAR - fantomas"
> To: <us...@spamassassin.apache.org>
> Sent: Wednesday, September 18, 2013 3:50 AM
> Subject: Re: Process 'spamd' gets wedged at random times
> 
> > On 17.09.13 18:06, David Spector wrote:
> >> In Cpanel: no Spamassassin version information, Score
> >> (required_score)=5, Spam Box=On, no special config
> >> specified My platform: CENTOS 6.4 i686 virtuozzo
> >> 
> >> My problem:
> >> 
> >> LFD sends me the following email from root at random
> >> times, sometimes twice a day, sometimes once every few
> >> days, complaining about wedged process 'spamd':
> >> 
> >> Subject: lfd: Suspicious process running under user ****
> > 
> > not a spamassassin issue.
> > 
> >> I have searched the Web, and asked my server
> >> maintainers, CSF/LFD support, and CPanel support. Nobody
> >> knows anything about this error message. I have also
> >> looked at the FAQ at http://wiki.apache.org/spamassassin
> >> and did not find anything relevant there.
> > 
> > there's no reason why SpamAssassin should care about
> > CFS/LFD (whatever that is) or CPanel issues.  Search
> > further in LFD forums, as that is clearly mail from LFD...

Regards,


Antony.

-- 
What do you get when you cross a joke with a rhetorical question?

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Process 'spamd' gets wedged at random times

Posted by David Spector <da...@springtimesoftware.com>.

Dear Matus,

LFD is a monitor that detects processes that have been running too long. 
That's about all it does.

spamd is apparently part of Spamassassin, at least when it is running on 
Linux systems. I'm not sure; I'm not an SA expert (obviously).

The LFD people say this is definitely a problem with SA, since their product 
is sending correct email. Also, CPanel support says the problem is not with 
CPanel.

To others: I still need help on this.

David

---- Original Message ----
From: "Matus UHLAR - fantomas"
To: <us...@spamassassin.apache.org>
Sent: Wednesday, September 18, 2013 3:50 AM
Subject: Re: Process 'spamd' gets wedged at random times

> On 17.09.13 18:06, David Spector wrote:
>> In Cpanel: no Spamassassin version information, Score
>> (required_score)=5, Spam Box=On, no special config
>> specified My platform: CENTOS 6.4 i686 virtuozzo
>>
>> My problem:
>>
>> LFD sends me the following email from root at random
>> times, sometimes twice a day, sometimes once every few
>> days, complaining about wedged process 'spamd':
>>
>> Subject: lfd: Suspicious process running under user ****
>
> not a spamassassin issue.
>
>> I have searched the Web, and asked my server
>> maintainers, CSF/LFD support, and CPanel support. Nobody
>> knows anything about this error message. I have also
>> looked at the FAQ at http://wiki.apache.org/spamassassin
>> and did not find anything relevant there.
>
> there's no reason why SpamAssassin should care about
> CFS/LFD (whatever that is) or CPanel issues.  Search
> further in LFD forums, as that is clearly mail from LFD...
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ;
> http://www.fantomas.sk/ Warning: I wish NOT to receive
> e-mail advertising to this address. Varovanie: na tuto
> adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Honk if you love peace 
> and quiet.

Re: Process 'spamd' gets wedged at random times

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.

On 17.09.13 18:06, David Spector wrote:
>In Cpanel: no Spamassassin version information, Score 
>(required_score)=5, Spam Box=On, no special config specified
>
>My platform: CENTOS 6.4 i686 virtuozzo
>
>My problem:
>
>LFD sends me the following email from root at random times, sometimes 
>twice a day, sometimes once every few days, complaining about wedged 
>process 'spamd':
>
>Subject: lfd: Suspicious process running under user ****

not a spamassassin issue.

>I have searched the Web, and asked my server maintainers, CSF/LFD 
>support, and CPanel support. Nobody knows anything about this error 
>message. I have also looked at the FAQ at 
>http://wiki.apache.org/spamassassin and did not find anything 
>relevant there.

there's no reason why SpamAssassin should care about CFS/LFD (whatever that
is) or CPanel issues.  Search further in LFD forums, as that is clearly mail
from LFD...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.