Re: [Declude.JunkMail] 2005 SpamHeaders - Fix -

[Matt]

That would rule out an increase in volume, and also the potential of a bug with an external test.  So if in fact no other changes were made  as far as filters go, I would look at your system next (make absolutely sure that this is correct).  Check the fragmentation on all partitions and defrag everything (multiple times until almost perfect).  The way that IMail and Declude logs creates massively fragmented files, and even if you have a lot of disk space left over, the entire partition might be filled with fragments causing excessive slowdowns.  If you are running RAID 5 or some sort of mirror, make sure that you aren't down a drive because that can cause similar slowdowns.  Please also post the standard size of your IMail log just to give an impression of the volume that you are doing. Matt Joshua M. Hughes wrote: The mailboxes are local to the server. We're really not using many external tests unless you consider the several Filters an IPfile and a couple of fromfiles and spamdomains external. Other than that, all dns tests and predefined tests. I have not noticed a large increase in log file size. I looked at the log file size for both declude and smtp and they look pretty close to usual. Looks like I'm going to start the "binary way"... Thank you, Joshua Sunline Team (941) 206-7870 http://www.sunline.net/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Colbeck, Andrew Sent: Wednesday, January 05, 2005 1:29 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] 2005 SpamHeaders - Fix - Joshua, if I remember correctly, the IMail daily report shows you the number of messages inbound to your mailserver, but it does not show the number of recipients. You may be getting hit with a "dictionary attack". Others on this list have seen this before in various guises. On my own mailserver, I've seen a large increase in the number of targeted addresses for each spam message. Declude will run through most (all?) of your configuration for each addressee on a message. Is your mailserver a gateway, or are the mailboxes local to that server? In other words, do you have envelope rejection? If the mailboxes are local, then you do have envelope rejection and you don't have to worry about extra processing time due to bogus addresses generated by the spammer. Then you're back to trying Scott's suggestion for doing a "binary search" for slow external tests or slow DNS tests. Oh, two other suggestions: Do a disk defrag, and check for swollen log sizes. On a busy server, adding a few lines of logging text to the end of a 30 MB file takes longer than you would want, and is exacerbated by a fragmented log file. Also, if you're using the SPF tests, check the size of your: c:\declude.log c:\spf.log c:\spf.none files, which will continuously grow. Because they do not have dated-based names, if you don't delete them, they will just get bigger. I'm now running v1.82 and those files are no longer being created. Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joshua M. Hughes Sent: Wednesday, January 05, 2005 9:44 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] 2005 SpamHeaders - Fix - Sorted by CPU the system process is first and second is a toss up between declude, smtpd32, and queuemgr followed by as many as 16 simultaneous instances of declude with cpu between 1 and 4. The system is running at 45 to 60 and at times Declude shows up first between 45 and 60. When I change the delivery application to smtp32.exe the system process drops between 8 to 11 and finally the top of the list is the system idle process. No knew filters have been added. In the global.cfg file there was a whitelisted address and a whitelisted domain. For the whitelisted domain I created a folder in the imail\delcude Folder for that domain with a blank $default$.junkmail. For the one whitelisted address a I created a folder for that domain in the imail\declude folder with the $default$.junkmail "copy not blank" and created a blank user.junkmail file for that user. These changes have been reversed and still have not solved the issue. Does creating a domain folder with a blank $default$.junkamil file, as compared to whitelisting a domain in the global.cfg, use more processing power? Thank you, Joshua Sunline Team (941) 206-7870 http://www.sunline.net/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry Sent: Wednesday, January 05, 2005 12:02 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] 2005 SpamHeaders - Fix I have not upgraded to fix the 2005 spamheaders test as of yet. Our CPU has been maxed out and the server bogged down since my return after the New Year. I have commented out the spamheaders test and the CPU is still maxed. I went into IMAIL and changed the delivery application >from declude.exe to smtp32.exe and restarted the SMTP service and the processing dropped from 100% to approximately 13% - 20%. I placed the declude.exe back in as the delivery application and the processor utilization shot right back up. This narrows it down to declude however, I have not yet pin pointed exactly what is causing the increase in processor usage. When you go to the Process tab in the Task Manager, and click on the CPU button, which process(es) are nearest to the top? Note that this should not be related to the SPAMHEADERS issue. Did you make any changes to the Declude configuration recently (such as adding filters, which can eat up CPU time, depending on what they do and how they are designed)? I don't want to go through and comment out each test one at a time to find which the offender is. If it does come to that, you can do it the "binary way." First, comment out 1/2 the tests. If the problem continues, uncomment the ones you just commented out, and comment out 1/2 of the ones that you did not comment out (if the problem does not continue, do the opposite -- uncomment 1/2 of the ones that you commented out originally). If you have 30 tests, you'll only have to do this 5 times. The drawback is that during the few minutes you are doing this, spam is more likely to come through. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000. Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection. Find out what you've been missing: Ask for a free 30-day evaluation. ---- This outgoing message is guaranteed to be authentic by Message Level users. Guarantee the authenticity of your email @ http://www.messagelevel.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- ===================================================== MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =====================================================