Hi, > I do not know about now but I had to unload the modules in question. > Just clearing the rules was not enough to ensure that the netfilter > connection tracking modules were not using any cpu at all. Thanks for pointing this out. Being a noob admin as my pseudonym states, I'd assumed stopping apf and restarting iptables was sufficient. I'll have to look up unloading module later. > /me shrugs. When I was the mta admin at Outblaze Ltd. (messaging > business now owned by IBM and called Lotus Live) spammers always ensured > I got called. All they do is just press the big red button (aka start > the script/system) and then go and play while I would have to deal with > whatever was started. Based on the almost precise timing of around 9:30 to 5:30 India time, I'm inclined to think in my case it wasn't so much a spammer pressing a red button but a compromised machine in an office starting up when the user gets into office and knocks off on time at 5:30 :D > I remember only one occasion when the spams were > launched but neutralized very soon because they were pushing a website > and I found a sample real early and so the anti spam system could just > dump the spams and knock out accounts being used to send the crap. Could I ask how do I knock out the accounts sending the crap if they are not within my systems? > First, try rmmod'ing the netfilter modules after you have cleared away > the state related rules to make sure that you are only using static > rules in netfilter...unless you have done that already.. I think I'm only using static rules because after I restart iptables, I would then do a service iptables status to check my rules were in, and that list was very short compared to when APF was active. The good news is, I think I've fixed the big problem after doing my shutdown tests and returned to the original problem.