Re: [Exim] High Load

Author: Christopher Curtis
Date:  
To: Philip Hazel
CC: Exim Users Mailing List
Subject: Re: [Exim] High Load
Sorry for the late reply ...

On Fri, 7 Dec 2001, Philip Hazel wrote:

> On Thu, 6 Dec 2001, Christopher Curtis wrote:
>
> > The message isn't that large. I have both sender and recipient verify, as
> > well as some system filters installed. Immediately after the process gets
> > unstuck, ltrace continues with:
> >
> > mail:~# ltrace -p 7733

[...]
> > strcmp("message_body", "message_body")            = 0

>
> This shows that it is expanding the variable $message_body. That loop is
> searching the list of variable names (by binary chop). So, this means
> that the tight loop is happening when processing some expansion string
> containing $message_body.
>
> Do you have any such strings in your Exim configuration? Or in your Exim
> filter? If so, what are they? What comes immediately before
> $message_body?
>
> Just a thought: are you using any regular expressions?


Expansion string containing $message_body: Little confused at this point,
but guessing that I don't. I do, however, filter, and I do use regular
expressions. message_body_visible = 5000; I have an ~6k filter script.
It's based on the generic system-filter I downloaded, but highly modified.

A summary of the script is:

If message_body contains and message_body contains (Sircam)
If message_body contains and message_body contains (Badtrans.B)
If message_body contains and h_subject contains (Pentagone)
If message_body contains (Snowhite)

If message_body matches ... regex is:
"name=\".*\\..*\\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\""
... idea is to pick up *.*.foo (double extension executables)

If message_body matches "a\\\\shref=(['\"])mailto:([^@]@[^@])\$1"
If message_body contains (html messages)
If message_body contains (javascript in mail)
If message_body contains (Dear Friend,)
If h_to contains or h_from contains "friend@"
If h_to contains or h_from contains "@public.com"
If message_body contains or message_body contains (not spam/junk mail)
If sender_address matches ...
"([a-z\\\\d]+)@(lycos|hotmail|aol|yahoo|msn)\\\\.co(\\\\..*|m)" and
$1 matches "\\d{3,}"
If h_subject contains \\\$\\\$

Each of the 9 rules above modifies n9 (adder) and n5 (bitmask).
If $n9 > 99, exim adds a "Potential SPAM" header and logs the message&mask
If $n9 > 0, exim logs it as a warning (to tune the rules).

> > memcpy(0x080d9268, "", 0)                         = 0x080d9268

>
> The code for that is
>       body[0] = 0;
> Is your Exim compiled in some kind of debugging mode? I would have
> expected a compiler to compile inline code for that statement.


I'm running Debian/Sid ... The diff.gz has this:
(http://ftp.debian.org/debian/pool/main/e/exim/exim_3.33-1.diff.gz)

--- exim-3.33.orig/OS/Makefile-Linux
+++ exim-3.33/OS/Makefile-Linux
@@ -3,12 +3,12 @@

BASENAME_COMMAND=look_for_it

-CFLAGS=-O
+CFLAGS = -O2 -g -Wall
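
Review bot: The `+CFLAGS = -O2 -g -Wall` line changes three things at once (optimization from -O to -O2, debug info with -g, warnings with -Wall), and nothing in the hunk records why the build departs from the upstream `CFLAGS=-O`. A short comment above the assignment stating the intent would help, for example that -g is there so symbols are available when debugging. Note that -g only adds debug information; the build stays optimized at -O2.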


So it looks like the answer would be "yes".

Thanks,
Chris
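
Following up on the question about regular expressions in the message above, this added example (not part of the original post, and not Exim code) compares the cost of the posted double-extension rule with a hypothetical bounded rewrite on constructed input. It assumes Python's `re` as a stand-in backtracking engine and the rule with one level of string escaping removed; `BOUNDED`, `flags`, `cost` and all sample strings are assumptions.

```python
import re
import time

# Extension alternation copied from the filter rule in the message.
EXT = (r"(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
       r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")

# The rule as posted, with one level of string escaping removed (assumed form).
ORIGINAL = re.compile(r'name=".*\..*\.' + EXT + '"')

# Hypothetical bounded rewrite: name segments may not contain '.', '"' or a
# newline, so each dot in the subject can be consumed in only one way.
BOUNDED = re.compile(r'name="[^".\n]*(?:\.[^".\n]*)+\.' + EXT + '"')

def flags(pattern, body):
    """True when the rule would fire on this body text."""
    return pattern.search(body) is not None

def cost(pattern, body, repeat=3):
    """Best-of-N wall time in seconds for one search over body."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        pattern.search(body)
        best = min(best, time.perf_counter() - start)
    return best

# Constructed inputs, not taken from the thread.
SAMPLES = {
    'name="invoice.doc.exe"': True,
    'name="photo.jpg.pif"': True,
    'name="report.pdf"': False,
    'name="setup.exe"': False,
}
# A non-matching line that still fits inside message_body_visible = 5000:
# name=" followed by dotted text and no executable suffix.
LONG_LINE = 'name="' + "a." * 1500 + 'txt"'

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        print(text, flags(ORIGINAL, text), flags(BOUNDED, text), expected)
    print("original %.4fs" % cost(ORIGINAL, LONG_LINE))
    print("bounded  %.4fs" % cost(BOUNDED, LONG_LINE))
```

The bounded form is stricter than the posted rule: it will not match when a quote character sits between `name="` and the extension.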