Daily cron not performing sa-learn any longer


Recently I have noticed that the spamlearn capabilities within the server are no longer functioning as expected. They seem to have stopped within the past week or so, and it is about the time I put a new site on the server (which has now been removed).

I personally have a couple of accounts on this particular server, and the Learn Ham/Spam directories still have all the mail left in them that has been dropped in there since 9/2/2012.

I ran as root …

cd /home/interworx/
./iworx.pex --daily

and it only seemed to run awstats.pl.

In retrospect, that might have been a bad idea to run as root due to possible permission changes, and it seems that iworx doesn't have permission to view its own home, but perhaps that is by design.

Any assistance would be greatly appreciated.

Very odd. I had a domain that had expired many years ago that needed to be re-enabled for a short time to regain control of a non-expired domain. That domain was put into the system on 9/2/12. Skimming through everything, that's when the sa-update process ceased to function.

Further investigation reveals a VERY large amount of

kernel: possible SYN flooding on port 25. Sending cookies.

About one every 1.5 to 5 minutes. I hadn't noticed anything going on with mail flow, no alarms or anything out of the ordinary; however, I have had a couple of customers say their emails were coming in slower than usual.

I regained control of the domain in question, shut down the DNS, and removed the hosting from the server. Now everything on this server is running as expected. The SYN flooding is no longer visible in the messages log, and sa-learn is functioning.

If anyone from InterWorx is interested in digging a bit further into this, I would be happy to work with you on why things fell over the way they did and see what can be done to prevent, or at least advise of, this through built-in alarms in the future. I just couldn't do it on a production system, of course, but I have access to a domain that will be able to reproduce it without a problem… seems to be from a botnet.
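As an added example (not part of the original thread, and not InterWorx code), here is a small script that does the check the poster did by eye: scan syslog-style lines for the "possible SYN flooding on port N. Sending cookies." kernel message, count hits per port, and measure the spacing between consecutive hits so the "about one every few minutes" observation can be quantified and turned into a simple alert. The sample log lines are constructed for illustration; the hostname "mail1", the timestamps, the year supplied to the parser, and the alert threshold are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the classic /var/log/messages syslog format.
# The hostname "mail1" and the timestamps are made up; only the kernel
# message text matches what the post quotes. One unrelated line is included
# to show that it is ignored.
SAMPLE_LOG = """\
Sep  3 10:01:12 mail1 kernel: possible SYN flooding on port 25. Sending cookies.
Sep  3 10:02:40 mail1 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 50000 ssh2
Sep  3 10:04:02 mail1 kernel: possible SYN flooding on port 25. Sending cookies.
Sep  3 10:08:55 mail1 kernel: possible SYN flooding on port 25. Sending cookies.
Sep  3 10:09:10 mail1 kernel: possible SYN flooding on port 80. Sending cookies.
Sep  3 10:12:30 mail1 kernel: possible SYN flooding on port 25. Sending cookies.
"""

# Matches the exact kernel message from the thread; the timestamp and port
# are captured, everything else must match literally.
SYN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"possible SYN flooding on port (?P<port>\d+)\. Sending cookies\.$"
)


def parse_syn_flood_events(text, year=2012):
    """Return a list of (datetime, port) for every SYN-flood line in text.

    Classic syslog timestamps carry no year, so one is supplied; 2012 is an
    assumption taken from the dates mentioned in the thread.
    """
    events = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        # Collapse the padded day ("Sep  3") before parsing.
        ts_text = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("port"))))
    return events


def count_by_port(events):
    """Map port -> number of SYN-flood messages seen for that port."""
    counts = {}
    for _, port in events:
        counts[port] = counts.get(port, 0) + 1
    return counts


def summarize(events, port=25):
    """Count events on one port and the gaps between consecutive ones.

    Returns (count, min_gap_s, max_gap_s, mean_gap_s); the gap values are
    None when fewer than two events exist for the port.
    """
    times = sorted(t for t, p in events if p == port)
    if len(times) < 2:
        return len(times), None, None, None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return len(times), min(gaps), max(gaps), sum(gaps) / len(gaps)


def flag_ports(events, min_events=3):
    """Ports with at least min_events messages in the scanned text.

    The threshold is an assumed, illustrative alert condition; tune it to the
    log window you scan (e.g. the last hour via logrotate or journalctl).
    """
    counts = count_by_port(events)
    return sorted(p for p, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    import sys

    # Pass a real file such as /var/log/messages to scan it instead of the
    # constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    events = parse_syn_flood_events(text)
    for port, n in sorted(count_by_port(events).items()):
        count, lo, hi, mean = summarize(events, port)
        print(f"port {port}: {n} messages, gaps min/max/mean = {lo}/{hi}/{mean} s")
    flagged = flag_ports(events)
    if flagged:
        print(f"ALERT: repeated SYN-flood messages on ports {flagged}")
```

On the sample input, port 25 produces four messages roughly three to five minutes apart, which is the pattern the poster describes, while the single port 80 hit stays below the threshold. Two caveats when reading the real log: the kernel emits this message when a listening socket's SYN backlog overflows and SYN cookies kick in, so a burst of legitimate connections or a small backlog can trigger it as well as an attack, and the message is rate-limited by the kernel, so the spacing of log lines is a lower bound on how often the condition actually occurred.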