
Re: Handling Spam Surges

From: David B Funk <dbfunk(at)engineering.uiowa.edu>
Date: Mon Sep 10 2007 - 15:35:13 EDT


On Mon, 10 Sep 2007, Paul Griffith wrote:

> Greetings,
>
> How do you handle Spam surges/DoS attacks? We just had a Spam surge/DoS
> and are looking at ways to better withstand (as best as we can) another
> surge
>
>
> Here is how we start SA:
>
> -c -d -r $PIDFILE -s /var/log/spamd --socketpath=$SOCKET
> --max-children=150 --min-children=10
>
> Our (1) mail server is configured like this:
>
> CentOS 4.5
> Exim 4.67
> SpamAssassin version 3.2.3 running on Perl version 5.8.8
> ClamAV 0.91.2 (saneSecurity updates)
> - handles incoming/outgoing mail
> - handles imap/pop/webmail request
>
> Intel D Cpu 3.00Ghz with 2GB of Mem
> 80GB SATA root disk
> 200GB SATA mail disk (softraid mirror)
> 2xIntel e1000

With only 2GB of memory you could die in swapping hell with max-children=150. Each SA process will take 30~60Mbytes of RSS (depending upon addition of optional rules & plugins). This means that 150 children could take 5GB of RAM, thus hitting your swap hard. Either add more RAM or reduce that max-children.

To prevent melt-down from surges/DoS attacks some kind of incoming SMTP rate limiting is the way to go (with that small a setup). This would be done by your Exim config; ask the Exim list for suggestions on this.

-- 
Dave Funk                                  University of Iowa
        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
Received on Mon Sep 10 15:36:03 2007
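
The sizing argument in the reply above can be turned into a check against measured memory use. The following is an added example, not part of the original message or of SpamAssassin: the function name `max_children`, the 768 MB reserved for Exim, ClamAV and IMAP/POP/webmail, and the sample RSS values are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive a ceiling for spamd --max-children from measured
# child RSS instead of guessing. On a live host, feed it real figures:
#   ps -C spamd -o rss= | max_children 2048 768
# (assumes the children appear under the command name "spamd").

# max_children TOTAL_MB RESERVED_MB
# stdin: one RSS value in KB per line, the format `ps -o rss=` emits.
# Sizes against the largest child seen, because a surge pushes every
# child toward its worst case at the same time. RSS also counts pages
# shared between forked children, so the result errs on the safe side.
max_children() {
    total_mb=$1
    reserved_mb=$2
    awk -v total="$total_mb" -v reserved="$reserved_mb" '
        # Accept only positive integer samples; skip headers and blanks.
        $1 ~ /^[0-9]+$/ && $1 + 0 > 0 {
            n++
            if ($1 + 0 > peak) peak = $1 + 0
        }
        END {
            if (n == 0) {
                print "max_children: no RSS samples on stdin" > "/dev/stderr"
                exit 2
            }
            budget_kb = (total - reserved) * 1024
            # Nothing left after the other services: no children fit.
            if (budget_kb <= 0) { print 0; exit 0 }
            print int(budget_kb / peak)
        }'
}

# Constructed sample: three children between roughly 30 and 60 MB on a
# 2048 MB host with 768 MB held back for the other services (assumed).
printf '31200\n45800\n61440\n' | max_children 2048 768
```

Sample RSS while the server is under real load, since children grow as rules and plugins are exercised.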

This archive was generated by hypermail 2.1.8 : Sat Oct 27 2007 - 01:25:33 EDT

