I have been successfully running Spamfilter for more than a year. I found the latest product working great till this week.
I am running the two installations of beta Spamfilter "397". Just two days ago I became aware that my server was maxed out at 100% CPU and not responding. Alarms started sounding from my IPsentry monitor program. The task manager said it was the Spamfilter service. I checked the TCP and UDP connections and confirmed that most connections were from this service. The incoming connections were about 120 and I had to reboot the server to regain control. This is a dual Pentium 500 IBM, whose only task in life is to filter mail. More points to ponder:
1. I reverted back to the “395” release with the same results.
2. Did a full virus scan. Checked for adware and rogue programs. None were found.
3. I did a fresh install of Windows 2000 server and reinstalled Spamfilter “397” – still having the problem.
4. While reinstalling the machine from scratch, the secondary installation of Spamfilter exhibited the same symptoms. So I thought it was an attack.
5. If it is an attack it is distributed. I do not see a pattern to the IP address connections or hostnames.
6. I tried to look for a pattern for the connections and problem with Sawmill sourcing the Spamfilter logs – I did not see one.
7. Here is how it plays out --- The system exhibits a growing number of connections and then the machine becomes increasingly non-responsive. If I try to stop the service, I get the message that spamfilter is closing the threads (can take up to 20 minutes to stop).
8. I tried lowering the number of concurrent incoming SMTP connections from 200 to 35. Same results: when the connections hit near 35, the server CPU maxes out and the Windows desktop becomes nonresponsive.
9. The Spamfilter GUI shows many times more blocked emails than connections.
I have had to use the Microsoft “kill” utility to stop the spamfilter service if it stops responding and locks up the server desktop, otherwise reboot, or wait up to 20 minutes for the service to stop from a remotely issued command. Currently the problem has reoccurred about seven times since last night. The rate of repetition seems to be random.
I am trying to get to the bottom of the problem. I would appreciate any ideas on what to look for and diagnose this issue. I need to solve it today before the weekend.
Thank you,
Dwight