Spamassassin stopped working - I am drowning in SPAM!

For unknown reasons Spamassassin stopped scanning incoming emails and one of my old POP boxes getting flooded with SPAM.

I am on a VPS
CentOS 5.2
Webmin version 1.660
Virtualmin version 4.08.gpl GPL
SpamAssassin version 3.3.1

When I do ‘top’ in putty I see spamd running.

Some outputs:

rpm -qa | grep spamassassin

spamassassin-3.3.1-4.el5

ps aux | grep spamd
root 24171 0.0 0.1 1832 496 pts/0 S+ 19:56 0:00 grep spamd
root 29953 0.0 13.6 45040 39888 ? Ss 08:43 0:02 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root 29999 0.0 12.8 45040 37752 ? S 08:43 0:00 spamd child
root 30001 0.0 12.8 45040 37672 ? S 08:43 0:00 spamd child

spamd

Jul 1 19:52:20.222 [12277] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.¹:783: Address already in use
[some line deleted]
Jul 1 19:52:29.242 [12277] error: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
spamd: could not create INET socket on 127.0.0.1:783: Address already in use

Update:
This problem effects one pop mailbox only, others work fine and do get scanned. Spam handling is/was enabled in Virtualmin

What can I try next?

Howdy,

You may want to review the email logs in /var/log/maillog to see what’s going on when email from this particular user comes into the system.

It’s also possible that the procmail logs in /var/log/procmail.log will have some useful information.

When looking at the headers of email coming into this account, do you see any with the name X-Spam-Status?

Lastly, just to verify – if you go into Edit Virtual Server for this particular domain, is the “Spam Filtering” feature enabled?

-Eric

Hi, the “Spam Filtering” feature is enabled for that domain. Other mailboxes in the same domain get checked and have the “X-Spam” line. The non working box gets only a “X-Original-To:” and no other X headers.

maillog from just now: (troubled box is ‘CCL’)

Jul 1 23:25:39 vps-323 dovecot: POP3(peggy.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/41, size=5884632 Jul 1 23:25:39 vps-323 dovecot: POP3(contact.minidisc): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0 Jul 1 23:25:39 vps-323 dovecot: POP3(jbeh.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/30, size=13235016 Jul 1 23:25:39 vps-323 dovecot: POP3(project.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/3, size=46638 Jul 1 23:25:39 vps-323 dovecot: POP3(peggy2.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/1, size=18511 Jul 1 23:25:39 vps-323 dovecot: POP3(jbeh.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/137, size=20637148 Jul 1 23:25:40 vps-323 dovecot: POP3(contact.domain_02): Disconnected: Logged out top=1/1637, retr=0/0, del=0/111, size=1630446 Jul 1 23:25:40 vps-323 dovecot: POP3(adwords.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/12, size=169259 Jul 1 23:25:40 vps-323 dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188 Jul 1 23:25:40 vps-323 dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188 Jul 1 23:25:40 vps-323 dovecot: POP3(admin.domain_03): Disconnected: Logged out top=0/0, retr=0/0, del=0/68, size=197542 Jul 1 23:25:40 vps-323 dovecot: POP3(ccl.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/64, size=11353218 Jul 1 23:25:42 vps-323 dovecot: pop3-login: Login: user=, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188 Jul 1 23:25:42 vps-323 dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:61.93.242.147, lip=::ffff:216.201.166.188 Jul 1 23:25:42 vps-323 dovecot: POP3(admin.domain_01): Disconnected: Logged out top=0/0, retr=0/0, del=0/73, size=10459252 Jul 1 23:25:51 vps-323 postfix/anvil[12035]: statistics: max connection rate 1/60s for (smtp:125.89.208.115) at Jul 1 23:23:49 Jul 1 23:25:51 vps-323 postfix/anvil[12035]: statistics: max connection count 1 for (smtp:125.89.208.115) at Jul 1 23:23:49 Jul 1 23:25:51 vps-323 postfix/anvil[12035]: statistics: max cache size 1 at Jul 1 23:23:49 Jul 1 23:25:52 vps-323 postfix/smtpd[18347]: connect from localhost.localdomain[127.0.0.1] Jul 1 23:25:52 vps-323 postfix/smtpd[18347]: disconnect from localhost.localdomain[127.0.0.1]

// progmail
From DealershipLotClearance@newjulyautospecials.us Tue Jul 1 22:49:12 2014
Subject: AUTO DEALS: Cars Priced-Below Kelly-Blue Book-Value
Folder: /home/domain/homes/ccl/Maildir/new/1404272953.18136_1.vps-1 1527
Time:1404272960 From:DealershipLotClearance@newjulyautospecials.us To:ccl@domain.com User:ccl.domain Size:1605 Dest:/home/domain/homes/ccl/Maildir/new/1404272953.18136_1.vps-323.cp.com Mode:None
procmail: Program failure (-25) of “/usr/bin/spamassassin”
procmail: Rescue of unfiltered data succeeded

// progmail, same domain, but scan works:

From peggy@xxxc.com Tue Jul 1 23:01:36 2014
Subject: Re: Reply: Re: Reply: Re: about the PE coated material
Folder: /home/domain/homes/cindy/Maildir/new/1404273701.12235_1.v 18826
Time:1404273712 From:peggy@yyy.com To:sales1@joyfulfff.net User:cindy.domain Size:18887 Dest:/home/domain/homes/cindy/Maildir/new/1404273701.12235_1.vps-323.cp.com Mode:None
procmail: Program failure (-25) of “/usr/bin/spamassassin”
procmail: Rescue of unfiltered data succeeded

Howdy,

I think this error is the key:

procmail: Program failure (-25) of "/usr/bin/spamassassin"

Though I’m not entirely certain what that is, it may be resource related.

Does this user have any sort of restriction on their resources, or number of processes they can run?

Also, does their account have disk quota space still available?

-Eric

The quota in Virtualmin>Users is set to Automatic.

In Webmin > Disk Quotas it is set to unlimited.

I noticed large files in:

/home/domain/homes/ccl/.spamassassin

bayes_seen - 41.7Mb

/home/domain/homes/ccl/.razor

razor-agent.log - 51.2Mb

I am not sure about restriction on their resources. Need to add that my VPS has only 286Mb RAM and I sometimes run into problems i.e. updating Webmin.

Update: I deleted the razor-agent.log (after a backup) and spamassasin works again.

Do I need the “bayes_seen” ?

Update:
Well, I deleted “bayes_seen” and it gets recreated starting from zero. So I guess I don’t need it.