amavis clamscan using too much cpu

Discussion in 'Installation/Configuration' started by pawan, Jan 24, 2023.

  1. pawan

    pawan Member

    As I observed that the server is not responding swiftly, I ran the top command and found that amavis clamscan is using too much CPU.
    What could be the reason, and how can I get this fixed?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Did you try Internet Search Engines with
    Code:
    clamscan is using too much cpu
     
  3. pawan

    pawan Member

    Yes, I did.
    1. In one instance it is mentioned that I had 4 GB of RAM and it uses 1 GB, which can make the server slow. That is not applicable in my case, or maybe it is. I used to have 16 GB, but the present server has 8 GB.
    2. Another solution suggested was:
    We restricted the maximum resource that the clamscan process could use.
    For this, we installed the cpulimit package. This package allows limiting the CPU usage of any server process.
    We edited the clamscan command in the scan script as:
    cpulimit -e clamscan -l 30
    This limited the clamscan CPU usage to 30%.
    Not sure if it is correct to install such a package.
    What I think would be a more appropriate solution is preventing spam; as I mentioned, it is amavis clamscan, so certainly it is related to mail.
    If so much spam is coming in, clamscan has to do more work.
    This is what is shown when I run top:
    15302 amavis 20 0 1193568 0.996g 21516 D 91.8 12.8 0:10.68 clamscan
    15301 amavis 20 0 1193568 0.996g 21252 D 91.2 12.8 0:10.66 clamscan
    So from the above, it is using more CPU than memory.
    Hi Taleman, I am adding some mail log; please tell me if it is normal.

    Code:
    Jan 25 03:20:17 server2 postfix/lmtp[15388]: D610018E329A: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=44, delays=0.05/0.01/0/44, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 34FBC18E32B2)
    Jan 25 03:20:17 server2 postfix/qmgr[25394]: D610018E329A: removed
    Jan 25 03:20:17 server2 postfix/qmgr[25394]: DD49D18E3299: removed
    Jan 25 03:20:17 server2 postfix/smtp[15461]: 34FBC18E32B2: to=<[email protected]>, relay=none, delay=0.69, delays=0.05/0.33/0.31/0, dsn=5.4.6, status=bounced (mail for mittalgroup.asia loops back to myself)
    Jan 25 03:20:17 server2 postfix/cleanup[15385]: EBC5318E329A: message-id=<[email protected]>
    Jan 25 03:20:17 server2 postfix/bounce[15463]: 34FBC18E32B2: sender non-delivery notification: EBC5318E329A
    Jan 25 03:20:17 server2 postfix/qmgr[25394]: EBC5318E329A: from=<>, size=3934, nrcpt=1 (queue active)
    Jan 25 03:20:17 server2 postfix/qmgr[25394]: 34FBC18E32B2: removed
    Jan 25 03:20:17 server2 postfix/smtp[15461]: EBC5318E329A: to=<[email protected]>, relay=none, delay=0.62, delays=0.61/0/0/0, dsn=5.4.6, status=bounced (mail for mittalgroup.asia loops back to myself)
    Jan 25 03:20:17 server2 postfix/qmgr[25394]: EBC5318E329A: removed
    Jan 25 03:20:21 server2 postfix/smtp[15462]: 2D00B18E32B0: host aspmx.l.google.com[173.194.76.26] said: 421-4.7.0 [62.210.113.49      15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0  https://support.google.com/mail/answer/188131 for more information. b5-20020a05600c150500b003d8c3d3b94csi16777wmg.120 - gsmtp (in reply to end of DATA command)
    Jan 25 03:20:24 server2 postfix/smtpd[15070]: warning: hostname dtarax-brsi.oinkhow.net does not resolve to address 141.98.10.48
    Jan 25 03:20:24 server2 postfix/smtpd[15070]: connect from unknown[141.98.10.48]
    Jan 25 03:20:28 server2 postfix/smtpd[15070]: warning: unknown[141.98.10.48]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jan 25 03:20:28 server2 postfix/smtpd[15070]: disconnect from unknown[141.98.10.48] ehlo=1 auth=0/1 quit=1 commands=2/3
    Jan 25 03:20:29 server2 postfix/smtpd[13268]: connect from localhost[::1]
    Jan 25 03:20:29 server2 postfix/smtpd[13268]: lost connection after CONNECT from localhost[::1]
    Jan 25 03:20:29 server2 postfix/smtpd[13268]: disconnect from localhost[::1] commands=0/0
    Jan 25 03:20:30 server2 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<3EEggQnzJs0AAAAAAAAAAAAAAAAAAAAB>
    Jan 25 03:20:30 server2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<SW4ggQnzwL4AAAAAAAAAAAAAAAAAAAAB>
    Jan 25 03:20:51 server2 postfix/smtp[15462]: connect to aspmx.l.google.com[2a00:1450:400c:c0b::1a]:25: Connection timed out
    Jan 25 03:20:52 server2 postfix/smtp[15462]: 2D00B18E32B0: to=<[email protected]>, relay=alt2.aspmx.l.google.com[142.251.9.27]:25, delay=36, delays=0.29/0.34/35/0.25, dsn=4.7.0, status=deferred (host alt2.aspmx.l.google.com[142.251.9.27] said: 421-4.7.0 [62.210.113.49      15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0  https://support.google.com/mail/answer/188131 for more information. fq1-20020a1709069d8100b0084d33d87c45si4760637ejc.751 - gsmtp (in reply to end of DATA command))
    Jan 25 03:20:54 server2 postfix/smtpd[15070]: warning: hostname 110.getpocket.com does not resolve to address 91.224.92.110: Name or service not known
    Jan 25 03:20:54 server2 postfix/smtpd[15070]: connect from unknown[91.224.92.110]
    Jan 25 03:20:57 server2 postfix/smtpd[15070]: warning: unknown[91.224.92.110]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jan 25 03:20:57 server2 postfix/smtpd[15070]: disconnect from unknown[91.224.92.110] ehlo=1 auth=0/1 quit=1 commands=2/3
    Jan 25 03:21:13 server2 postfix/scache[15263]: statistics: start interval Jan 25 03:16:38
    Jan 25 03:21:13 server2 postfix/scache[15263]: statistics: domain lookup hits=0 miss=6 success=0%
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: 7904618E32B3: from=<[email protected]>, size=1882, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: 03A4318E3175: from=<[email protected]>, size=1942, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: 01D3118E31CE: from=<[email protected]>, size=1908, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: A489818E3119: from=<[email protected]>, size=2002, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: EDF3D18E3116: from=<[email protected]>, size=1945, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: EAA2818E32B1: from=<[email protected]>, size=1923, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: 5D3C018E2EA0: from=<[email protected]>, size=1949, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: 9F8C918E32AD: from=<[email protected]>, size=1886, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/qmgr[25394]: 959B418E2F14: from=<[email protected]>, size=1664, nrcpt=1 (queue active)
    Jan 25 03:21:36 server2 postfix/smtp[15704]: EDF3D18E3116: host mx01.mail.com[74.208.5.22] refused to talk to me: 554-mail.com (mxgmxus009) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit https://postmaster.mail.com/en/case?c=bip&i=ip&v=62.210.113.49
    Jan 25 03:21:36 server2 postfix/smtp[15704]: EDF3D18E3116: to=<[email protected]>, relay=mx00.mail.com[74.208.5.20]:25, delay=75849, delays=75848/0.02/0.43/0, dsn=4.0.0, status=deferred (host mx00.mail.com[74.208.5.20] refused to talk to me: 554-mail.com (mxgmxus005) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit https://postmaster.mail.com/en/case?c=bip&i=ip&v=62.210.113.49)
    Jan 25 03:21:36 server2 postfix/smtp[15462]: 03A4318E3175: to=<[email protected]>, relay=none, delay=63513, delays=63512/0/0.6/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=skim.com type=MX: Host not found, try again)
    Jan 25 03:21:37 server2 postfix/smtp[15706]: 5D3C018E2EA0: host mx-aol.mail.gm0.yahoodns.net[67.195.204.75] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
    Jan 25 03:21:37 server2 postfix/smtp[15706]: 5D3C018E2EA0: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.204.75] while sending RCPT TO
    Jan 25 03:21:37 server2 postfix/smtp[15461]: 7904618E32B3: host mta6.am0.yahoodns.net[67.195.204.73] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
    Jan 25 03:21:37 server2 postfix/smtp[15461]: 7904618E32B3: lost connection with mta6.am0.yahoodns.net[67.195.204.73] while sending RCPT TO
    Jan 25 03:21:37 server2 postfix/smtp[15707]: 9F8C918E32AD: host mx-aol.mail.gm0.yahoodns.net[98.136.96.93] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
    Jan 25 03:21:37 server2 postfix/smtp[15707]: 9F8C918E32AD: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.96.93] while sending RCPT TO
    Jan 25 03:21:37 server2 postfix/smtp[15705]: EAA2818E32B1: host mta7.am0.yahoodns.net[67.195.228.111] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
    Jan 25 03:21:37 server2 postfix/smtp[15705]: EAA2818E32B1: lost connection with mta7.am0.yahoodns.net[67.195.228.111] while sending RCPT TO
    Jan 25 03:21:37 server2 postfix/smtp[15703]: A489818E3119: host mx-aol.mail.gm0.yahoodns.net[67.195.228.84] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
    Jan 25 03:21:37 server2 postfix/smtp[15703]: A489818E3119: lost connection with mx-aol.mail.gm0.yahoodns.net[67.195.228.84] while sending RCPT TO
    Jan 25 03:21:38 server2 postfix/smtp[15707]: 9F8C918E32AD: to=<[email protected]>, relay=mx-aol.mail.gm0.yahoodns.net[98.136.96.92]:25, delay=441, delays=439/0.04/1.8/0.12, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.136.96.92] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
    Jan 25 03:21:38 server2 postfix/smtp[15706]: 5D3C018E2EA0: to=<[email protected]>, relay=mx-aol.mail.gm0.yahoodns.net[67.195.228.86]:25, delay=54956, delays=54954/0.03/1.9/0.15, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[67.195.228.86] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
    Jan 25 03:21:38 server2 postfix/smtp[15705]: EAA2818E32B1: to=<[email protected]>, relay=mta5.am0.yahoodns.net[67.195.204.73]:25, delay=8714, delays=8712/0.02/2/0.11, dsn=4.7.0, status=deferred (host mta5.am0.yahoodns.net[67.195.204.73] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
    Jan 25 03:21:38 server2 postfix/smtp[15461]: 7904618E32B3: to=<[email protected]>, relay=mta7.am0.yahoodns.net[67.195.228.111]:25, delay=4537, delays=4535/0.02/2/0.15, dsn=4.7.0, status=deferred (host mta7.am0.yahoodns.net[67.195.228.111] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
    Jan 25 03:21:38 server2 postfix/smtp[15703]: A489818E3119: to=<[email protected]>, relay=mx-aol.mail.gm0.yahoodns.net[98.136.96.92]:25, delay=559, delays=557/0.01/2.1/0.13, dsn=4.7.0, status=deferred (host mx-aol.mail.gm0.yahoodns.net[98.136.96.92] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command))
    Jan 25 03:21:39 server2 postfix/smtp[15708]: 959B418E2F14: host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb110) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit https://postmaster.web.de/de/case?c=bip&i=ip&v=62.210.113.49
    Jan 25 03:21:39 server2 postfix/smtp[15708]: 959B418E2F14: to=<[email protected]>, relay=mx-ha03.web.de[212.227.15.17]:25, delay=67570, delays=67567/0.04/3.3/0, dsn=4.0.0, status=deferred (host mx-ha03.web.de[212.227.15.17] refused to talk to me: 554-web.de (mxweb012) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit https://postmaster.web.de/de/case?c=bip&i=ip&v=62.210.113.49)
    Jan 25 03:21:41 server2 postfix/smtp[15702]: 01D3118E31CE: host mx-apac.mail.gm0.yahoodns.net[106.10.248.73] said: 421 4.7.0 [TSS04] Messages from 62.210.113.49 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.yahooinc.com/error-codes (in reply to MAIL FROM command)
    Jan 25 03:21:41 server2 postfix/smtp[15702]: 01D3118E31CE: lost connection with mx-apac.mail.gm0.yahoodns.net[106.10.248.73] while sending RCPT TO
    
     
    Last edited: Jan 24, 2023
    ahrasis likes this.
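
A way to condense a mail log excerpt like the one above into a few numbers, as an added example that is not part of the original post: it tallies failed SASL logins per client IP, remote delivery outcomes per DSN code, and the longest time a message spent in the content-filter hop. The sample lines are constructed in the post's format with placeholder hosts and addresses, and treating port 10024 (the `relay=` of the post's first log line) as the amavis listener is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the post's log format; hosts, queue IDs and
# addresses are placeholders (RFC 5737 ranges, example.* domains).
SAMPLE_LOG = """\
Jan 25 03:20:17 mx postfix/lmtp[300]: CCCC3333: to=<c@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=44, delays=0.05/0.01/0/44, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DDDD4444)
Jan 25 03:20:24 mx postfix/smtpd[100]: connect from unknown[192.0.2.10]
Jan 25 03:20:28 mx postfix/smtpd[100]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 03:20:57 mx postfix/smtpd[100]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 03:21:02 mx postfix/smtpd[101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 25 03:21:36 mx postfix/smtp[200]: AAAA1111: to=<a@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=75849, delays=75848/0.02/0.43/0, dsn=4.0.0, status=deferred (host mx.example.com[203.0.113.5] refused to talk to me: 554 IP address is block listed.)
Jan 25 03:21:38 mx postfix/smtp[201]: BBBB2222: to=<b@example.net>, relay=mx.example.net[203.0.113.9]:25, delay=441, delays=439/0.04/1.8/0.12, dsn=4.7.0, status=deferred (host mx.example.net[203.0.113.9] said: 421 4.7.0 temporarily deferred due to unexpected volume or user complaints)
"""

SASL_FAIL = re.compile(r"warning: \S+\[([^\]]+)\]: SASL \S+ authentication failed")
DELIVERY = re.compile(
    r"postfix/(?:smtp|lmtp)\[\d+\]: \w+: to=<[^>]*>, relay=(\S+?),.*?"
    r"delays=([\d./]+), dsn=(\d\.\d+\.\d+), status=(\w+)"
)

def summarize(log_text, filter_port="10024"):
    """Tally SASL failures, remote delivery outcomes and filter-hop time."""
    sasl_failures = Counter()   # client IP -> failed AUTH attempts
    outbound = Counter()        # (status, dsn) -> deliveries to remote relays
    filter_secs = []            # seconds per message in the content-filter hop
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            sasl_failures[m.group(1)] += 1
            continue
        m = DELIVERY.search(line)
        if not m:
            continue
        relay, delays, dsn, status = m.groups()
        if relay.endswith(":" + filter_port):
            # delays=a/b/c/d: d is the transmission time, which for the
            # filter hop includes the time the scanner needed.
            filter_secs.append(float(delays.split("/")[3]))
        elif relay != "none":
            outbound[(status, dsn)] += 1
    return {
        "sasl_failures": dict(sasl_failures),
        "outbound": dict(outbound),
        "max_filter_secs": max(filter_secs, default=0.0),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A large `max_filter_secs` is the log-side view of a slow scanner behind the filter port, and it can be compared before and after a scanner change.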
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Start clamd and check that it is running. Clamscan is only used as a fallback if clamd has been stopped.
     
    ahrasis likes this.
