Spamassassin runs for a long time (10 minutes or so) and takes all CPU time until the server hangs. I use Debian Sarge and Postfix as the MTA. Could this mean that my server is used as a spam relay? How can I be sure? I would rather disable Spamassassin than have the server crash every day. Please, please give me some tips on where to look for the problem. Thanks
Here's what it looks like in top:

top - 00:10:19 up 9:06, 2 users, load average: 2.22, 1.42, 0.69
Tasks: 106 total, 4 running, 100 sleeping, 0 stopped, 2 zombie
Cpu(s): 26.8% user, 73.2% system, 0.0% nice, 0.0% idle
Mem: 905400k total, 848220k used, 57180k free, 57260k buffers
Swap: 5863640k total, 128k used, 5863512k free, 471808k cached

  PID USER     PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
32563 anda     20   0 25240  24m 2544 R 49.7  2.8  2:02.88 spamassassin
32574 liga     14   0 25240  24m 2544 R 49.7  2.8  2:02.52 spamassassin
25629 root     11   0  1092 1092  848 R  0.7  0.1  0:17.42 top
    1 root      8   0   500  500  448 S  0.0  0.1  0:02.09 init
    2 root      8   0     0    0    0 S  0.0  0.0  0:00.00 keventd
    3 root     19  19     0    0    0 S  0.0  0.0  0:00.00 ksoftirqd_CPU0
    4 root      9   0     0    0    0 S  0.0  0.0  0:00.01 kswapd
    5 root      9   0     0    0    0 S  0.0  0.0  0:00.00 bdflush
    6 root      9   0     0    0    0 S  0.0  0.0  0:00.00 kupdated
   18 root     -1 -20     0    0    0 S  0.0  0.0  0:00.00 mdrecoveryd
   75 root     -1 -20     0    0    0 S  0.0  0.0  0:00.00 raid1d
  103 root      9   0     0    0    0 S  0.0  0.0  0:03.37 kjournald
  235 root      9   0     0    0    0 S  0.0  0.0  0:00.00 kcopyd
  564 root      9   0     0    0    0 S  0.0  0.0  0:00.00 khubd
 1347 daemon    9   0   452  452  384 S  0.0  0.0  0:00.12 portmap
Do you see lots of action in your mail log? Are there lots of mails in the mail queue (run postqueue -p)?
Not that much. Right now it's: -- 155 Kbytes in 12 Requests. Some of my users use Squirrelmail, so they keep a lot of mails in their Maildirs. Can it be that spamassassin rescans all of Maildir regularly? Thanks for your response, Mikelis
It happened again this evening. Server responds to pings, but nothing else. It even displays SSH login and takes username and password. Have I been hacked? Mik
You should check your system with chkrootkit and rkhunter: http://www.howtoforge.com/faq/1_38_en.html
The server probably was hacked, although I didn't find any clear evidence. But the whole situation was strange. So I reinstalled it and it seems fine now. I still have the old HDD, I would really like to find out which part of the system was compromised. Thanks for your help though.
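The mail-log check suggested earlier in the thread can be automated. The following is an added example, not code posted by anyone in the thread: it correlates Postfix queue IDs to count messages that were accepted from clients outside the trusted networks and then delivered to remote domains, which is the pattern an open relay produces. The trusted networks, local domains and log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: trusted client networks and locally hosted domains.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([0-9a-fA-F.:]+)\]")
SENT_RE = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<[^>]*@([^>]+)>,.*status=sent")

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Mar  1 00:01:02 mail postfix/smtpd[3101]: 1A2B3C4D5E: client=unknown[203.0.113.7]
Mar  1 00:01:03 mail postfix/smtp[3110]: 1A2B3C4D5E: to=<a@remote.test>, relay=mx.remote.test[198.51.100.9]:25, delay=1, status=sent (250 ok)
Mar  1 00:01:04 mail postfix/smtp[3111]: 1A2B3C4D5E: to=<b@other.test>, relay=mx.other.test[198.51.100.10]:25, delay=2, status=sent (250 ok)
Mar  1 00:02:00 mail postfix/smtpd[3102]: 2B3C4D5E6F: client=pc1.example.org[192.0.2.15]
Mar  1 00:02:01 mail postfix/smtp[3112]: 2B3C4D5E6F: to=<c@remote.test>, relay=mx.remote.test[198.51.100.9]:25, delay=1, status=sent (250 ok)
Mar  1 00:03:00 mail postfix/smtpd[3103]: 3C4D5E6F70: client=mx.remote.test[198.51.100.9]
Mar  1 00:03:01 mail postfix/local[3113]: 3C4D5E6F70: to=<anda@example.org>, relay=local, delay=0, status=sent (delivered to maildir)
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def relayed_by_untrusted(lines):
    """Return {client_ip: count} of remote deliveries for mail accepted from untrusted clients."""
    client_of = {}               # queue ID -> IP of the client that submitted it
    relayed = defaultdict(int)
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = SENT_RE.search(line)  # only the outbound smtp client, not local delivery
        if m:
            qid, domain = m.group(1), m.group(2).lower()
            ip = client_of.get(qid)
            if ip and not is_trusted(ip) and domain not in LOCAL_DOMAINS:
                relayed[ip] += 1
    return dict(relayed)

if __name__ == "__main__":
    for ip, n in relayed_by_untrusted(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} messages relayed to remote domains")
```

The check goes by client IP only, so senders who authenticate with SASL from outside the trusted networks will also be counted and need to be filtered separately.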