[Declude.JunkMail] New all_list.dat 03 Aug 07
Available from downloads section under Declude My Account home page. David Barker VP Operations | Declude Your Email Security is our business O: 978.499.2933 x7007 F: 978.988.1311 E: [EMAIL PROTECTED] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Not to write headers with tests
Hi list I'm running Declude 4.3.46, with some domains being scanned by spam and viruses, and some others not. The $default$.junkmail file, on top of the Declude Folder, is with LOG in all actions. Only the scanned users, into the domains have user.junkmail with SUBJECT Action. Or for the entire domain, the $default$.junkmail with the SUBJECT Action. But the mails to the domains not to be scanned have in the header the Declude tests. There's no folder for such domains, so nothing to apply. Just the $Default$. Is there a way to avoid it? Because such users, by applying Header Rules, can 'abuse' of the Declude AntiSpam without any payment for the service, and beyond that, we are scanning ALL mails, instead of those that pay for the servi --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Not to write headers with tests
My polities to be rudefat fingers hitted SEND before the pay for the service. Thanks in advance Andres -Mensaje original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de Ing. Andrés E. Gallo Enviado el: Viernes, 03 de Agosto de 2007 16:27 Para: declude.junkmail@declude.com Asunto: [Declude.JunkMail] Not to write headers with tests Hi list I'm running Declude 4.3.46, with some domains being scanned by spam and viruses, and some others not. The $default$.junkmail file, on top of the Declude Folder, is with LOG in all actions. Only the scanned users, into the domains have user.junkmail with SUBJECT Action. Or for the entire domain, the $default$.junkmail with the SUBJECT Action. But the mails to the domains not to be scanned have in the header the Declude tests. There's no folder for such domains, so nothing to apply. Just the $Default$. Is there a way to avoid it? Because such users, by applying Header Rules, can 'abuse' of the Declude AntiSpam without any payment for the service, and beyond that, we are scanning ALL mails, instead of those that pay for the servi --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] automated response
I am on vacation and will be returning on Auguest 13th --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Spam Increase?
Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Spam Increase?
I actually saw it ramping up since last weekend and every day there have been a change or 2 in the spam to keep it from being caught. John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Imail QueueMgr.exe consumes all Paged Pool
Sorry for cross-posting. I'm not sure whether Declude and/or Sniffer still rely on the Paged Pool - and whether their usage would be reported under the Imail QueueMgr.exe or under some other .exes? So I have 3 possible culprits. The symptom started as a Webmail problem because customers noticed they couldn't send emails any longer due to Bad Socket State. However, when I log into the physical machine, the REAL problem is that I cannot open ANY TCP/IP connections to any IP address (on that same machine or on neighboring machines). I can still PING (is ICMP works), but TELNET, FTP, HTTP - all are unable to create a socket. FTP.exe reported that it doesn't have enough buffer space. That caused me to turn on Task Manager and add the columns for VM Size and Paged Pool. Normally, the various processes only use less than 100K of Paged Pool - even the IIS Web Process uses only 300K. However, QueueManager was up to 4500K. Restarting QueueMgr.exe service reset it to 200K or so. But, I there are time spans where it consumes an extra K every second - now already up to 800 K again - before it levels off for a while and then keeps doing it again. Oddly enough, this problem only started yesterday - even though 2006.21 has been running since 7/16/2007 - and now seems to accelerate (happened twice today!) My obvious suspicion is that there is a 'certain' email or type of spam that's causing this QueueMgr behavior - what else would account for this to start happening NOW. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] Spam Increase?
Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations. I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago. Hope this helps, _M On Friday, August 3, 2007, 6:19:30 PM, John wrote: JTl I actually saw it ramping up since last weekend and every day there have JTl been a change or 2 in the spam to keep it from being caught. JTl John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. JTl --- JTl This E-mail came from the Declude.JunkMail mailing list. To JTl unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JTl type unsubscribe Declude.JunkMail. The archives can be found JTl at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.attachment: 2007080330daySnapshotVerticalWall.png
Re: [Declude.JunkMail] Spam Increase?
I think we started seeing it last Saturday... pretty constant since then. Fortunately it's almost entirely being caught so our customers are not seeing it. Darin. - Original Message - From: John T (lists) [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Friday, August 03, 2007 6:19 PM Subject: RE: [Declude.JunkMail] Spam Increase? I actually saw it ramping up since last weekend and every day there have been a change or 2 in the spam to keep it from being caught. John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: Re[2]: [Declude.JunkMail] Spam Increase?
We've saw about a 15% increase a few days ago, and it has stayed there. Bandwidth increase was significantly more than that, though. Took our primary mail server from 20-40% cpu to 50-80%. We just upgraded last night to deal with it. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: John T (lists) declude.junkmail@declude.com Sent: Friday, August 03, 2007 8:54 PM Subject: Re[2]: [Declude.JunkMail] Spam Increase? Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations. I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago. Hope this helps, _M On Friday, August 3, 2007, 6:19:30 PM, John wrote: JTl I actually saw it ramping up since last weekend and every day there have JTl been a change or 2 in the spam to keep it from being caught. JTl John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. JTl --- JTl This E-mail came from the Declude.JunkMail mailing list. To JTl unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JTl type unsubscribe Declude.JunkMail. The archives can be found JTl at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam Increase?
Darin, The CPU increase was due to the high volume of ZIP and XLS viruses, something that has been pretty rare until recently. The Storm botnet started sending these out on Saturday in numbers that average about one attached virus per day per user on our system (which was a change from sending out the fake greeting cards which did not attach the viruses). That's a lot of virus scanning going on, and it is also more bandwidth than before. There's nothing worse for CPU on the average Declude system than to do virus scanning, especially with multiple scanners. The good news is that the virus traffic should drop back down soon, but the bad news is that the Storm botnet is generating now about 4 times the number of messages (spam and viruses) as it did just one month ago on my system, and it accounts for about 40% of all spam and virus traffic that survives greylisting, and the overall percentage increase in traffic that you are seeing is exclusively coming from the Storm botnet. If you aren't doing this already, you might try running Declude Virus after Declude JunkMail, that way if you run DELETE or HOLD on a message, it will avoid having Declude Virus run on it, and that can save significantly on CPU during times like this. Any other action will still result in virus scanning, so don't worry about things being skipped if you do COPYTO, ROUTETO, SUBJECT or WARN. This might well be old news to you, but it's worth mentioning. Despite the change in volume and in using attachments, I have not seen a large uptick in CPU on my system because I use the above method, and on a weekly basis, 99.4% of the Storm botnet messages are reaching our DELETE weight and not needing to be virus scanned. I attribute the relative 10% increase over last week to the change in volume. The following chart shows the effect on an 8 core server: Matt Darin Cox wrote: We've saw about a 15% increase a few days ago, and it has stayed there. Bandwidth increase was significantly more than that, though. Took our primary mail server from 20-40% cpu to 50-80%. We just upgraded last night to deal with it. Darin. - Original Message - From: "Pete McNeil" [EMAIL PROTECTED] To: "John T (lists)" declude.junkmail@declude.com Sent: Friday, August 03, 2007 8:54 PM Subject: Re[2]: [Declude.JunkMail] Spam Increase? Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations. I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago. Hope this helps, _M On Friday, August 3, 2007, 6:19:30 PM, John wrote: JTl I actually saw it ramping up since last weekend and every day there have JTl been a change or 2 in the spam to keep it from being caught. JTl John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. JTl --- JTl This E-mail came from the Declude.JunkMail mailing list. To JTl unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JTl type "unsubscribe Declude.JunkMail". The archives can be found JTl at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. ---This E-mail came from the Declude.JunkMail mailing list. Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail". The archives can be foundat http://www.mail-archive.com.
Re: [Declude.JunkMail] Spam Increase?
Hi Matt, Yep. I'm afraid we're already running AVAFTERJM. However, since there are some domains we only scan for virus content and not spam, at the customer's request, then we probably have a CPU hit there due to virus scanning that isn't buffered by spam filtering. We definitely see a lot to these domains showing up in the Virus Hold queue. We needed to migrate anyway, this just pushed up the schedule. The hardware was purchased earlier this year for an IMail 2006 upgrade that we're still holding off of. Unfortunately this storm hit in a week with a couple of larger development projects due, and surgery planned for an immediate family member (it was this afternoon and went well). In any case, the load is being handled well by the new hardware for now. Time to get to planning for future increases. Darin. - Original Message - From: Matt To: declude.junkmail@declude.com Sent: Saturday, August 04, 2007 12:09 AM Subject: Re: [Declude.JunkMail] Spam Increase? Darin, The CPU increase was due to the high volume of ZIP and XLS viruses, something that has been pretty rare until recently. The Storm botnet started sending these out on Saturday in numbers that average about one attached virus per day per user on our system (which was a change from sending out the fake greeting cards which did not attach the viruses). That's a lot of virus scanning going on, and it is also more bandwidth than before. There's nothing worse for CPU on the average Declude system than to do virus scanning, especially with multiple scanners. The good news is that the virus traffic should drop back down soon, but the bad news is that the Storm botnet is generating now about 4 times the number of messages (spam and viruses) as it did just one month ago on my system, and it accounts for about 40% of all spam and virus traffic that survives greylisting, and the overall percentage increase in traffic that you are seeing is exclusively coming from the Storm botnet. If you aren't doing this already, you might try running Declude Virus after Declude JunkMail, that way if you run DELETE or HOLD on a message, it will avoid having Declude Virus run on it, and that can save significantly on CPU during times like this. Any other action will still result in virus scanning, so don't worry about things being skipped if you do COPYTO, ROUTETO, SUBJECT or WARN. This might well be old news to you, but it's worth mentioning. Despite the change in volume and in using attachments, I have not seen a large uptick in CPU on my system because I use the above method, and on a weekly basis, 99.4% of the Storm botnet messages are reaching our DELETE weight and not needing to be virus scanned. I attribute the relative 10% increase over last week to the change in volume. The following chart shows the effect on an 8 core server: Matt Darin Cox wrote: We've saw about a 15% increase a few days ago, and it has stayed there. Bandwidth increase was significantly more than that, though. Took our primary mail server from 20-40% cpu to 50-80%. We just upgraded last night to deal with it. Darin. - Original Message - From: Pete McNeil [EMAIL PROTECTED] To: John T (lists) declude.junkmail@declude.com Sent: Friday, August 03, 2007 8:54 PM Subject: Re[2]: [Declude.JunkMail] Spam Increase? Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations. I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago. Hope this helps, _M On Friday, August 3, 2007, 6:19:30 PM, John wrote: JTl I actually saw it ramping up since last weekend and every day there have JTl been a change or 2 in the spam to keep it from being caught. JTl John T -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Friday, August 03, 2007 2:35 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Spam Increase? Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox. Todd --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. JTl --- JTl This E-mail came from the Declude.JunkMail mailing list. To JTl unsubscribe, just send an E-mail to [EMAIL PROTECTED], and JTl type unsubscribe Declude.JunkMail. The archives can be found JTl at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.