Hi Matt,

Yep. I'm afraid we're already running AVAFTERJM. However, since there are some domains we only scan for virus content and not spam, at the customer's request, then we probably have a CPU hit there due to virus scanning that isn't buffered by spam filtering. We definitely see a lot to these domains showing up in the Virus Hold queue.

We needed to migrate anyway, this just pushed up the schedule. The hardware was purchased earlier this year for an IMail 2006 upgrade that we're still holding off of. Unfortunately this storm hit in a week with a couple of larger development projects due, and surgery planned for an immediate family member (it was this afternoon and went well).

In any case, the load is being handled well by the new hardware.... for now. Time to get to planning for future increases.

Darin.

----- Original Message -----
From: Matt
To: declude.junkmail@declude.com
Sent: Saturday, August 04, 2007 12:09 AM
Subject: Re: [Declude.JunkMail] Spam Increase?

Darin,

The CPU increase was due to the high volume of ZIP and XLS viruses, something that has been pretty rare until recently. The Storm botnet started sending these out on Saturday in numbers that average about one attached virus per day per user on our system (which was a change from sending out the fake greeting cards which did not attach the viruses). That's a lot of virus scanning going on, and it is also more bandwidth than before. There's nothing worse for CPU on the average Declude system than to do virus scanning, especially with multiple scanners.

The good news is that the virus traffic should drop back down soon, but the bad news is that the Storm botnet is generating now about 4 times the number of messages (spam and viruses) as it did just one month ago on my system, and it accounts for about 40% of all spam and virus traffic that survives greylisting, and the overall percentage increase in traffic that you are seeing is exclusively coming from the Storm botnet.

If you aren't doing this already, you might try running Declude Virus after Declude JunkMail, that way if you run DELETE or HOLD on a message, it will avoid having Declude Virus run on it, and that can save significantly on CPU during times like this. Any other action will still result in virus scanning, so don't worry about things being skipped if you do COPYTO, ROUTETO, SUBJECT or WARN. This might well be old news to you, but it's worth mentioning.

Despite the change in volume and in using attachments, I have not seen a large uptick in CPU on my system because I use the above method, and on a weekly basis, 99.4% of the Storm botnet messages are reaching our DELETE weight and not needing to be virus scanned. I attribute the relative 10% increase over last week to the change in volume. The following chart shows the effect on an 8 core server:

Matt

Darin Cox wrote:

We saw about a 15% increase a few days ago, and it has stayed there. Bandwidth increase was significantly more than that, though. Took our primary mail server from 20-40% CPU to 50-80%. We just upgraded last night to deal with it.

Darin.

----- Original Message -----
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "John T (lists)" <declude.junkmail@declude.com>
Sent: Friday, August 03, 2007 8:54 PM
Subject: Re[2]: [Declude.JunkMail] Spam Increase?

Spam has significantly increased in the past 7 days due to new bot nets (from old friends) and a number of new tactics for generating pdf and related spam and their mutations.

I've attached a new-spam/leakage analysis from our primary spamtraps- you can see that new traffic quite literally more than doubled (like a vertical wall) 7 days ago.

Hope this helps,
_M

On Friday, August 3, 2007, 6:19:30 PM, John wrote:

JTl> I actually saw it ramping up since last weekend and every day there has
JTl> been a change or 2 in the spam to keep it from being caught.
JTl> John T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards
Sent: Friday, August 03, 2007 2:35 PM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Spam Increase?

Anyone else noticing an increase in spam today? It seems like stuff that was normally being caught before is showing up in my Inbox.

Todd

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
<<chart.gif>>
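The scan ordering discussed in this thread, as an added example that is not part of any message above and is not Declude's code: it counts virus scans with the scanner run before and after spam filtering, including the virus-only domains Darin mentions. The thresholds, weights and domain names are constructed assumptions.

```python
from dataclasses import dataclass

# Per the thread: only these JunkMail actions stop the later virus scan;
# COPYTO, ROUTETO, SUBJECT and WARN still lead to a scan.
SKIP_SCAN_ACTIONS = {"DELETE", "HOLD"}

@dataclass
class Message:
    domain: str
    weight: int  # constructed spam weight

# Hypothetical (weight, action) thresholds, not taken from a real config.
THRESHOLDS = [(10, "SUBJECT"), (20, "HOLD"), (30, "DELETE")]
VIRUS_ONLY = {"virusonly.example"}  # domains scanned for viruses, not spam
MESSAGES = [  # constructed sample traffic
    Message("filtered.example", 35), Message("filtered.example", 25),
    Message("filtered.example", 12), Message("filtered.example", 2),
    Message("virusonly.example", 35), Message("virusonly.example", 40),
]

def junkmail_action(weight, thresholds):
    """Action of the highest threshold the weight reaches, or None."""
    hit = None
    for limit, action in sorted(thresholds):
        if weight >= limit:
            hit = action
    return hit

def count_scans(messages, thresholds, virus_only_domains, av_after_jm):
    """Number of messages handed to the virus scanner."""
    scans = 0
    for m in messages:
        # Scanner runs first, or the domain has no spam filtering in front of it.
        if not av_after_jm or m.domain in virus_only_domains:
            scans += 1
        elif junkmail_action(m.weight, thresholds) not in SKIP_SCAN_ACTIONS:
            scans += 1  # delivered or merely tagged: still scanned
    return scans

if __name__ == "__main__":
    for after in (False, True):
        n = count_scans(MESSAGES, THRESHOLDS, VIRUS_ONLY, after)
        print(f"virus scanner after JunkMail={after}: {n} scans")
```

The virus-only domains are scanned in both orderings, which is the unbuffered CPU load Darin describes.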