Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - High Utilization due to unusual Quanity o
  FAQ FAQ  Forum Search   Register Register  Login Login

High Utilization due to unusual Quanity o

 Post Reply Post Reply
Author
rmerry View Drop Down
Newbie
Newbie


Joined: 09 January 2006
Location: Canada
Status: Offline
Points: 3
Post Options Post Options   Thanks (0) Thanks(0)   Quote rmerry Quote  Post ReplyReply Direct Link To This Post Topic: High Utilization due to unusual Quanity o
    Posted: 09 January 2006 at 9:51am

I have had an issue appear over the last week or so with High utilization.  In particular one email was coming from a large organization to 3 users within our system.   The message kept resending every few hours, and constantly brought the box to its knees.  I tried black listing and white listing the user to kill the message, to no avail.  Finally, with some help from another co-worker, we added the users email address to the Blacklist FROM list, and added the ::null command to keep the system from processing the message.

 

After coming in this morning, another user from the same company was bulk mailing the same 3 users in our company, and it was locking up the Spamfilter.  For some reason the message had made it through the system a couple of times, and since one of the users on the "to" field didn't exist, the message went to the administrator.  What we finally realized was that the size of the message (1 meg), was not due to an attachment, it was due to an unusual large quantity of email addresses in the "TO" field. The actual message was a very small.

 

Besides the fact the user sending a message to 1 meg of users in the "TO" field is due to the sender being an IDIOT.  This is a bit of a bug with spamfilter, and I suspect this has been a source of issues I have had with messages that seemed to constantly resending into the system (I had one message from a supplier come to me 24+ times, it just seemed to get stuck and resend  constantly. It finally failed and gave up delivering the message from the source system).  

 

Has anybody else run into this?

 

Is there anyway to turf a message that has an unusual quantity of emails in the "TO" field. I realize I can limit the number messages coming into internal users,  however it might be good to block messages that contain an unusual number of non-company addresses.  Most professional mailing lists do NOT put all of their customers addresses in the "TO" field, they use a list server or blind copy the message.

 

Is there a work around to keep it from killing my Mail gateway?

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4074
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 09 January 2006 at 10:33am
SpamFilter already has a "MAX RCPTTO" setting where you can limit the maximum number of RCPT TO recipients an email can have. Please note that this is different from the number of "To:" *headers* inside an email. That header is simply just that, a header, and does not necessarily indicate at all for real who the recipients are. SpamFilter will ignore all headers.

Also please note that if a sender attempts to send an email that has an email address in the RCPT TO that does not belong to your local domains, the sender is *immediately* disconnected. Again please note that this is only for RCPT TO commands, which indicate the *real* recipients of the email. The "To:" headers can be completely different and contain non-internal addresses - they are irrelevant as emails to them is *not* being delivered.

Having said all this, such a message should not cause problems, as long as dozens of them are sent concurrently. Can you please let us know what version of SpamFilter you are using, and if possible, forward us a copy of the original email so we can take a look?
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
rmerry View Drop Down
Newbie
Newbie


Joined: 09 January 2006
Location: Canada
Status: Offline
Points: 3
Post Options Post Options   Thanks (0) Thanks(0)   Quote rmerry Quote  Post ReplyReply Direct Link To This Post Posted: 09 January 2006 at 12:59pm

We are running the latest version   2.7.1.515   I upgraded last week when this particular problem seemed to appeared.

Unfortunately, The sample message got deleted.   Thanks to a helpful assistant.

As I mentioned, the problem seems to be related to the fact the customer had about 1 meg worth of addresses in the TO field.  Only 3 addresses were ours.  Last week, the message that was freezing up the system was from a different user at the same site.  I never got a sample of the message; however the total message size was about 500k.  I had assumed the message had a large attachment, however from what I have seen this morning, it likely had a huge quantity of Email addresses in the TO field, which caused the same Issue as I had this morning.

As I was replying to this, the same email was hitting the gateway.  It drove the utilization to the max showing the message in the PROCESSING state, and brought the box to a grind again.  I had to restart the spamfilter service to get things going.  When I check the log after restarting, the messages were REJECTED.  I can only hope that like last week, once the message was REJECTED, the sending system stopped trying to deliver it.

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4074
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 09 January 2006 at 4:07pm
Should it happen again, and you are unable to retrieve the message and are forced to stop SpamFilter, before restarting SpamFilter, could you please zip the contents of the SpamFilter\temp and SpamFilter\queue directory? They may contain spool files with the message as it's being processed, and thus may provide email content that can be used to replicate this.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
rmerry View Drop Down
Newbie
Newbie


Joined: 09 January 2006
Location: Canada
Status: Offline
Points: 3
Post Options Post Options   Thanks (0) Thanks(0)   Quote rmerry Quote  Post ReplyReply Direct Link To This Post Posted: 10 January 2006 at 9:59am

Ahh, I went into the temp directory and found the message, along with the one from last week.  Due to security concerns, can you contact me directly at my email address.   I will then forward the samples to you.  (The user has emailed their Company Directory in the "TO" field, our 3 users appear about halfway down the list).

 

 

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4074
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 10 January 2006 at 10:03am
Great. Please zip the file and email to us at support@logsat.com, along with SpamFilter's activity logfile for the say the message was received.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4074
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 11 January 2006 at 12:09am
rmerry was absolutely correct, SpamFilter had high CPU usage when receiving emails with huge number of recipients. We'd rather not give too many details publicly to avoid helping potential evil hackers, but a pre-release build with the fix is now available in the registered user area (build 517). 
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.289 seconds.