Ever since we implemented the hijack features of the suite we have caught these kinds of infections. Any one of our clients sending more than x amount of e-mails has them trapped for our review. This has saved us 5 times in the last year.

Thank you

Harry Vanderzand
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: April-28-09 3:18 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

Serge,

We had a similar situation happen about a week ago. For us, it turned out that one of our clients was infected with a virus/spyware/malware and was sending hundreds of thousands of spam messages. We had WHITELIST AUTH in the global.cfg. Once he authenticated, he was whitelisted. The system just could not keep up with the load.

Once we figured out what was happening it took us a while to identify which account it was. I found that with LOGLEVEL MID, there is a line in the DECmmdd.LOG file that has the text "[Authenticated:<email address>]". Searching the file and finding an unusually large volume of them from one user showed me which account to disable.

Hope this helps,
Don

----- Original Message -----
From: nick <mailto:n...@madriveraccess.com>
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 12:31 PM
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

Serge,

Are you getting a lot of invalids? In other words, maybe too much traffic for some reason. Also, are you scanning for viruses after junkmail runs?

-Nick

_____

From: "Serge" <se...@cefib.com>
Sent: Tuesday, April 28, 2009 1:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

First thing I did: tested the DNS and looked at the Declude logs, no problem there. My CPUs were not able to handle the traffic, as simple as that.

----- Original Message -----
From: David Barker <mailto:dbar...@declude.com>
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 4:00 PM
Subject: RE: [Declude.JunkMail] Global.cfg cleanup

Serge, have you checked to make sure you are not having DNS issues? DNS causes 80% of the issues with delays.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Tuesday, April 28, 2009 11:51 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Global.cfg cleanup
Importance: High

For about a week my server (2xP3xeon 2.8GHz) was being saturated by an increase of traffic: 100% CPU for hours and tens of thousands of messages in \proc.
The server was working fine for several years.
Something had to be done; decided to clean global.cfg, and need help optimizing.

AVafterJM was on.
Cleaned global.cfg, left only Sniffer, Zerohour, some builtin tests, and a couple of filters.
The server is now stable, but I need some answers to decide what to do next:

1- loglevel and logOK have any effects on CPU?
2- Any DNS tests that are really important? (for now, I removed all)
3- Any of the following external tests / filters are important, or are they outdated?

TIA

#HELOISIP external nonzero "E:\imail\filters\heloisip\heloisip.exe" 3 0
#HELOISIPX external nonzero "E:\imail\filters\heloisip\heloisipx.exe" 3 0
#SIZE-S external 11 "CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000" 0 0
#SIZE-M external 12 "CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000" -10 0
#SIZE-L external 13 "CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000" -20 0
#SIZE-XL external 14 "CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000" -30 0
#SPAMCHK external weight "E:\spamchk\spamchk.exe"
#INV-URIBL external weight "E:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP%" 0 0
##############################################################################################################
#GIBBERISH filter E:\IMail\Filters\Gibberish.txt x 0 0
#GIBBERISHSUB filter E:\IMail\Filters\GibberishSub.txt x 0 0
#DYNAMIC filter E:\IMail\Filters\Dynamic.txt x -1 0
#SURBL filter E:\IMail\Filters\Surbl\surbl.txt x 1 0
#OFFENSIVE filter E:\IMail\Filters\offensive.txt x 0 0
##############################################################################################
# Good attribute Checks, KM00
#FALSE-AOL filter E:\Imail\KM00\False_AOL.txt x 0 0
#FALSE-YAHOO filter E:\Imail\KM00\False_Yahoo.txt x 0 0
#FALSE-HOTMAIL filter E:\Imail\KM00\False_Hotmail.txt x 0 0
#FALSE-TELEFONICA filter E:\Imail\KM00\False_telefonica.txt x 0 0
#GOOD-TELEFONICA filter E:\Imail\KM00\good_telefonica.txt x 0 0
#GOOD_HOTMAIL filter E:\Imail\KM00\Good_Hotmail.txt x 0 0
#GOOD_AOL filter E:\Imail\KM00\Good_Aol.txt x 0 0
#GOOD_Yahoo filter E:\Imail\KM00\Good_Yahoo.txt x 0 0
##############################################################################################
#FILTER-BODYURL filter E:\Imail\KM00\IMail_Filter_URLinBody.txt x 0 0
#FILTER-SPAMMER-COMPANY filter E:\Imail\KM00\IMail_Filter_SpammerCompany.txt x 0 0
#FILTER-PORN filter E:\Imail\KM00\IMail_Filter_PornoSite.txt x -2 0
#FILTER-PORNw filter E:\Imail\KM00\IMail_Filter_PornoSite.txt x -5 0

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
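
The log search Don describes in this thread (counting "[Authenticated:<email address>]" entries per account in a DECmmdd.LOG written with LOGLEVEL MID), sketched as an added example that is not part of the original messages or of Declude. Only the marker text comes from the thread; the sample lines, the function names and both thresholds are assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import median

# Only the "[Authenticated:<email address>]" marker comes from the thread;
# everything else on a log line is ignored.
AUTH_RE = re.compile(r"\[Authenticated:\s*<?([^\]\s<>]+)>?\]", re.IGNORECASE)


def count_authenticated(lines):
    """Count marker occurrences per account (case-insensitive)."""
    counts = Counter()
    for line in lines:
        for addr in AUTH_RE.findall(line):
            counts[addr.lower()] += 1
    return counts


def flag_outliers(counts, min_messages=100, ratio=10):
    """Accounts with >= min_messages that also exceed ratio x the median of
    all other accounts. Both thresholds are assumed values; tune per site."""
    flagged = []
    for account, n in counts.most_common():
        others = [c for a, c in counts.items() if a != account]
        baseline = max(median(others), 1) if others else 1
        if n >= min_messages and n >= ratio * baseline:
            flagged.append((account, n))
    return flagged


def scan_log(path):
    """Scan one DECmmdd.LOG file; latin-1 decoding never fails on odd bytes."""
    with open(path, encoding="latin-1", errors="replace") as fh:
        return flag_outliers(count_authenticated(fh))


def constructed_sample():
    """Constructed lines (not real Declude output): two normal users, one flood."""
    lines = ["04/28/2009 12:00:00 Q00000 constructed line without the marker"]
    for account, n in (("alice@example.com", 3), ("bob@example.com", 5),
                       ("Carol@example.com", 400)):
        lines += [f"04/28/2009 12:{i % 60:02d}:00 Q{i:05d} "
                  f"[Authenticated:{account}] constructed" for i in range(n)]
    return lines


if __name__ == "__main__":
    for account, n in flag_outliers(count_authenticated(constructed_sample())):
        print(f"{n:7d}  {account}")
```

Comparing each account against the median of the others keeps one flooding account from raising its own baseline, and the absolute floor avoids flagging a merely busy user on a quiet day.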