v brought us back to too many connections
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6435
Printed Date: 13 March 2025 at 5:24pm
Topic: v brought us back to too many connections
Posted By: marcel_debowy
Subject: v brought us back to too many connections
Date Posted: 12 March 2008 at 8:53am
We upgraded to several days ago.
Since then we have had repeated instances of sudden growth of connections stuck open in the "rcpt to" stage.
I remember this as an old problem that had been fixed.
Today we had three, then we reinstalled and the problem has not reoccurred.
Is this only a coincidence?
Marcel Debowy
Posted By: LogSat
Date Posted: 12 March 2008 at 4:10pm
That is the first report of a similar problems in several months, and definetly a first for v4.0. If you can please zip and email us your SpamFilter's activity logfile for the day this happened, we'll take a look. If the zip is over 5MB in size, please let us know so we can provide you with the FTP information to upload the file to us.
------------- Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
Posted By: marcel_debowy
Date Posted: 13 March 2008 at 12:33am
Yes, I need FTP, the log is 65MB
Posted By: marcel_debowy
Date Posted: 13 March 2008 at 10:10am
Having experience a re-occurance of the same problem, it would seem that upgrading to has nothing to do with the problem.
I uploaded a zip with yesterday's and today's log files.
Posted By: marcel_debowy
Date Posted: 13 March 2008 at 11:57am
I decided to watch it happen, and succeeded.
I uploaded a short zip here-it-is.zip of the event itself.
The log suggests that incoming messages have no data and the connection is being dropped. The connections window does not agree, and the connections continue to be posted, rapidly rising to the maximum connections limit.
The suggests many repeated attempt to connect from 2 IPs ( and which are "legitimate" mail servers from one of upstream ISPs, a large and very inapt organization well know for grey spammers
Posted By: LogSat
Date Posted: 13 March 2008 at 10:20pm
We can't be 100% sure, as the logs for the 13th you sent stop at around 4pm, while the "here it is" section is for a problem that occurred later that day (5:42PM) and ths wasn't logged.
However, from the data that we can see, the problem does not seem at first related to the large number of connection attempts from the IPs you mentioned (and a few others). The issue seems instead related to the filter that scans within PDF files for images. Unfortunately we are aware of a bug in the PDF library we use to scan PDF files for spam. We have been in contact with the vendor that provides the PDF library to work on a solution, but we are currently still waiting for the fix. Due to this problem, we have been actually shipping SpamFilter with the PDF-scanning filter in the disabled state by default, as we are aware of it. PDF scanning is disabled by setting the following option in the SpamFilter.ini file to 0: SpamPDFMaxPagesToScan=0
Can you please try disabling this filter by using the above setting? You can edit the SpamFilter.ini file while SpamFilter is running, and there is no need to restart SpamFilter after the change.
------------- Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
Posted By: marcel_debowy
Date Posted: 14 March 2008 at 12:44am
OK, I reinstalled and set SpamPDFMaxPagesToScan=0.
Posted By: halowasher
Date Posted: 01 April 2008 at 7:02pm
I'm having this exact same issue but the setting you mention for the SpamPDFMaxPagesToScan is already set to =0.
I had been running for some time without issue but recently upgraded the database to SQL Server 2005 Express from our Access database that we had been using and immediately started having this problem when we brought it back online.
Do you know of a problem running this way? Everytime we increase the Maximum incoming connections value it will slowly climb up to that max and start rejecting emails and is causing massive delays in email traffic.
Thank you.
Posted By: LogSat
Date Posted: 01 April 2008 at 10:32pm
Can you please zip and email us your SpamFilter's activity logfile for a day this happened? If the file is over 5MB we'll provide you via PM the login info for our ftp site.
------------- Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
Posted By: LogSat
Date Posted: 02 April 2008 at 4:25pm
We received the file and are examining it. The database processing time should not be an issue with SpamFilter v4.0. In the previous versions, the archival of the email to the quarantine database was performed while the email was being received. This could indeed cause delays and connection buildups in case of delays with the database (SpamFilter performed some checks to ensure the timeouts would not have too much impact, but this was not foolproof). In SpamFilter v4, the archival process has been completely separated from the email processing, so they do not affect each other at all. This has never been an issue (so far), so while I do not think that the quarantining process is directly responsible for the connection build-up, we're looking at all aspects in the log.
------------- Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
Posted By: halowasher
Date Posted: 02 April 2008 at 6:44pm
Thank you for taking a look at this for us Roberto, we appreciate it.
Just so you know what we did to get the issue to resolve at least for now was to check the "Do Not Quarantine" on two items. Those items were the Reject if no Reverse DNS filter and the Reject if Empty Mail From filter. The incoming connections started to slowly get back down to normal levels upon making those two changes. If I'm not mistaken there were a lot of empty MailFrom items in the log so that's why we chose it.
Is it possible that the spammers, once their emails were being rejected, stopped pounding the server so hard and while these emails were going to quarantine they knew they were hitting a valid email server or gateway?
Posted By: LogSat
Date Posted: 02 April 2008 at 11:26pm
Could you please check in the \SpamFilter\quarantine or \SpamFilter\temp or SpamFilter\queue (the quarantine is more likely the culprit) directories to see if any of them have large (10,000+) number of temp files in them? From your logs, we see that SpamFilter is not able to create temp files in the quarantine directory.The log reports entries like:
03/31/08 00:00:00:326 -- (5268) Exception occurred during RECEIVEMESSAGE: ( 1 2 2b 3 3a 4 5 6 7 8 9 11 12 13 15 16 17 18 18b 19 20b 20c 29 30 31 32 33 53 55 56 77 78 111) Error creating tmp file name - The file exists. -- --
It's possible that there was a huge buildup of files in the quarantine directories, so large that SpamFlter was not able to allocate a unique file name in there. SpamFilter will queue files in the quarantine directory if there are problems with the database server, so it's possible that there were way too may. If the DB isues are resolved, SpamFilter automatically uploades the contents of the spam emails being queued in the quarantine directory back to the database, so the directory may have emptied itself by now.
We'll be looking over the way these temp files are created (we use Windows API functions, so we did not believe we'd ever run into this theoretical problem...)
------------- Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
Posted By: halowasher
Date Posted: 03 April 2008 at 3:38pm
Yes both of these directories were quite full. 20,000-30,000 files in each. I've cleaned them out and things appear to be running fine with the "Do not Quarantine" items checked once again.
I do appreciate the help guys!
Thanks a bunch.