Re: [Declude.JunkMail] Timing out with latest Microsoft patch

[Matthew Bramble]

Keith, I still haven't applied the patch, but will report back when I do. Regarding that one problem customer posting their entire directory on the Web; you might want to suggest that they either URL encode or HTTP encode their entire address in the MAILTO tags and displayable text on their site.  I'm not aware of address harvesters bothering to decode such things, so it should keep their addresses from getting on more lists, and the traffic should fall.  This works fine with everything I have tested it with.  They could even be extra tricky and mix the two.  It's a good suggestion for everyone to follow, and something that I didn't think of before writing a recent filter.  http://www.redkernel-softwares.com/?url_encode,tool Since your question about outgoing E-mail hasn't been answered yet, I'll try.  Anything in your Global.cfg that says WARN, IGNORE, HOLD, or other actions seen in your $default$.junkmail files is an outgoing test and can be commented out.  It's probably a small list and often cached on your server because of similar IP's.  I think the concept of Declude Hijack is better for the outgoing stuff personally, but I haven't had a need yet to try it being as small as I am.  That would definitely take care of your WAP issue, and the page on it says that SMTP AUTH or IP tracking isn't required for it to work. Regarding DNS caching, I know that IMail 8 will now allow a cache of up to 5,000 lookups.  I don't know though if Declude hands off to IMail for this functionality.  That might be something to look in to.  Also, when you say that you have a caching server in front of Declude, is that on the same box?  I can't imagine that running a caching DNS server on the same box for it's exclusive use would do anything but speed things up.  Just guessing though, and not quite sure of what your answer was.  No data leaves your machine for a local lookup.  That could be potentially huge for you, and easy to test out some night.  Consider my suggestion in the last note also for automated ping testing the various RBL's and updates to your config file.  That could make a huge difference for your server when one or several of these servers becomes unreachable or overly slow. Someone else mentioned to me the problem of WAP recently.  Hopefully there will evolve a blocklist for these things, and considering that they problem should be for the time being, isolated to certain areas, i.e.not in Nebraska because you would have to move quite a distance after they figure you out the first time.  I also just found another customer being blocked by their DSL provider from outbound port 25, so this seems to be becoming more common from the ISP's that don't want to lose bandwidth or bet blocked themselves.  Thankfully these guys, heaven.net (marketed under a different name) are allowing it on request and they monitored for exclusions before shutting it off for most of their customers.  It may be necessary for community WAPs to have some sort of port 25 constriction, in order to stop this behavior.  Then again, who would have thunk that 3 years ago, there would be open relays in every office? Keep us posted. Matt Keith Anderson wrote: Have you customized any registry settings for TCP/IP? No. Haven't needed to. with your DNS lookups. First, you should be downloading TXT records from the RBL's instead of doing remote lookups. That should save you a ton of resources. We have a caching DNS server in front of Declude that's getting about a 98% cache hit on the lookups right now, which says a lot about spammer demographics. We experimented with TXT records when we were still evaluating Declude (and many others) and it didn't change performance enough to be worth more than the benefit of real-time lookups. We get so much email here, five minutes sometimes makes a difference in how much spam is caught. (Hey Scott "god of spam blocking" Perry, if you're reading this, a caching feature internal to Declude would be a nice feature... just keep the last 1500 or so lookups in memory with a configurable TTL... now that would be really cool.) I do know that switching to "Bounce" on any of the tests causes the server to immediately bog down. :) If you insist on testing the outgoing stuff, why not try Declude Hijack instead of JunkMail? It's got to be a whole bunch easier on your Is there a way to disable outbound testing in the "pro" version? I couldn't see that in the documentation (but I haven't really looked that hard, either). With the mess that Microsoft has created over the last couple of months, I haven't had time to look at the other Declude options, but will do. My biggest client published all of their employees' email addresses on their web page (a bright move, eh?), becoming one of the reasons why blocking the incoming hurricane of spam has been such a priority. Declude has been enormously successful! could turn off some tests like DUL lists to save on resources? We don't run an open relay, so this doesn't matter. The biggest risk we have is from people finding our customers' wireless access points and using them to spam. We had someone in July park his car in front of a client's building and send over a million emails. Fortunately a sharp-eyed IT guy caught him and he is now Bubba's boyfriend. Our customers have been extremely resistant to SMTP authentication, and in some cases we've blocked SMTP from the WAPs. Paying Microsoft for a trouble ticket also isn't anywhere near as expensive as a new server either. It's pretty clear they broke your setup, and from reading the bulletin, it shouldn't be limiting your My experience is this is just about as good at yelling at the sky for rain. I read, there is no danger if you are isolated behind a firewall that is blocking ports that you should be blocking by default. Right-- the biggest risks are from the inside, not from the outside. You can't cure stupid, and someone in the organization will eventually cause a problem if we don't protect ourselves. So the server is now talking through firewalls on both ends until we get this figured out. By the way, thanks for your help.