Bug 126792 - Excessive resource consumption is potential denial of service
Product: Fedora
Classification: Fedora
Component: spamassassin
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Chip Turner
Keywords: Security
Reported: 2004-06-26 17:42 EDT by Ralph Loader
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-06-28 02:37:01 EDT

Attachments
Email message that caused the problem (6.00 KB, text/plain)
2004-06-26 19:59 EDT, Ralph Loader

Description Ralph Loader 2004-06-26 17:42:24 EDT
spamassassin occasionally takes several minutes of CPU time to
process a message:

Jun 27 09:06:40 localhost spamd[29375]: checking message
<2D11BC10-C74A-11D8-BE07-000A95C4B3A0@inf.ed.ac.uk> for ralph:500.
Jun 27 09:09:23 localhost spamd[29375]: clean message (-4.9/5.0) for
ralph:500 in 163.4 seconds, 6070 bytes.
Jun 27 09:09:23 localhost spamd[29375]: result: . -4 -

I verified using top etc that spamassassin was taking 100% CPU.  The
message is a perfectly innocuous plain text conference announcement
from a mailing list.

I have seen this on a number of occasions.

933 MHz P3 - not the latest and greatest, but not entirely obsolete. 
Downloading email via pop3 and evolution.

As far as I can see, this is potentially exploitable by an attacker
who wishes to make spamassassin useless.  10 messages a day at a few
minutes each would be a major pain in the butt.  A few hundred
messages a day  at a few minutes CPU each would make it physically
impossible to use spamassassin.

I have the message and a copy of my .spamassassin directory if required.

PS.  Even "normal" spamassassin performance - a few seconds per
message - and a shitload of memory - is worth a grumble.
Comment 1 Warren Togami 2004-06-26 19:43:47 EDT
Please attach the message to this report.
Comment 2 Ralph Loader 2004-06-26 19:59:32 EDT
Created attachment 101448
Email message that caused the problem
Comment 3 Justin Mason 2004-06-27 05:45:09 EDT
I'd like to see the output from "spamassassin -D -t < temp.txt"; it
completes in 5 seconds (with network tests from a "cold" dns cache)
for me....
Comment 4 Ralph Loader 2004-06-28 00:46:25 EDT
Just tried "time spamassassin -t < temp.txt":

real    0m19.323s
user    0m3.347s
sys     0m0.255s

DNS look-ups took a while but CPU consumption is OK.

So it looks like something other than the message contents triggered
the CPU usage.

Is there any spamassassin logging I can turn on permanently to try and
track this down?
Comment 5 Justin Mason 2004-06-28 02:13:15 EDT
yes, the "-D" switch turns on debugs.  they're voluminous but will
track down the problem, most likely.  that would definitely be worthwhile.

BTW, I think it may have been a Bayes expiration run; periodically,
it'll expire unused tokens from the Bayes dbs to keep down db size. 
this should happen pretty infrequently, but somewhere between once a
day and once a week I'd guess.  that can take a minute or two to complete.
Comment 6 Ralph Loader 2004-06-28 02:37:01 EDT
Ok, the expiration run explains the behaviour I'm seeing.
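
Added example, not part of the original thread or of SpamAssassin itself: a small log check that finds spamd scans like the 163.4-second one in the description and counts them per day, so an occasional slow scan (the expiration run suggested in comment 5) can be told apart from the sustained load the reporter was worried about. It assumes the spamd result-line format quoted in the description; the function names, thresholds and all sample lines except the 163.4-second one are constructed for illustration.

```python
import re
from collections import Counter
from statistics import median

# Result-line format as quoted in the report (syslog prefix, then spamd's summary).
RESULT_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ spamd\[(?P<pid>\d+)\]: "
    r"(?P<verdict>clean message|identified spam) \((?P<score>-?[\d.]+)/[\d.]+\) "
    r"for (?P<user>\S+) in (?P<secs>[\d.]+) seconds, (?P<size>\d+) bytes"
)

def parse_results(lines):
    """Yield one dict per spamd result line; all other lines are ignored."""
    for line in lines:
        m = RESULT_RE.match(line)
        if m:
            yield {"day": m["day"], "pid": int(m["pid"]), "user": m["user"],
                   "secs": float(m["secs"]), "size": int(m["size"])}

def slow_scans(lines, factor=10.0, floor_secs=30.0):
    """Scans that took at least floor_secs AND more than factor x the median time."""
    results = list(parse_results(lines))
    if not results:
        return []
    typical = median(r["secs"] for r in results)
    return [r for r in results
            if r["secs"] >= floor_secs and r["secs"] > factor * typical]

def slow_per_day(lines, **thresholds):
    """Slow scans per syslog date. Comment 5 estimates expiration runs at
    between once a day and once a week, so a much higher count needs a look."""
    return dict(Counter(r["day"] for r in slow_scans(lines, **thresholds)))

# Constructed sample: only the 163.4-second result line comes from the report.
SAMPLE_LOG = """\
Jun 27 08:51:02 localhost spamd[29301]: clean message (-2.1/5.0) for ralph:500 in 4.2 seconds, 3310 bytes.
Jun 27 08:58:47 localhost spamd[29340]: identified spam (17.3/5.0) for ralph:500 in 6.8 seconds, 11872 bytes.
Jun 27 09:06:40 localhost spamd[29375]: checking message <2D11BC10-C74A-11D8-BE07-000A95C4B3A0@inf.ed.ac.uk> for ralph:500.
Jun 27 09:09:23 localhost spamd[29375]: clean message (-4.9/5.0) for ralph:500 in 163.4 seconds, 6070 bytes.
Jun 27 09:15:10 localhost spamd[29402]: clean message (-1.0/5.0) for ralph:500 in 3.9 seconds, 2048 bytes.
""".splitlines()

if __name__ == "__main__":
    for r in slow_scans(SAMPLE_LOG):
        print(f"slow scan: pid {r['pid']} user {r['user']} "
              f"{r['secs']}s for {r['size']} bytes")
    print(slow_per_day(SAMPLE_LOG))
```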