[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread DFN systems
Commtouch


Ryan Bair

 Original message 
Subject: [sniffer] Re: IP Change on rulebase delivery system 
From: Richard Stupek  
To: Message Sniffer Community  
CC:  

Can you point me at the documentation for the truncate blacklist and its usage?


On Thu, May 23, 2013 at 3:36 PM, Pete McNeil  
wrote:
On 2013-05-23 15:22, Richard Stupek wrote:
Looks like I have this issue again (pegging 4 core cpu) and resetting the 
process doesn't make a difference.  Not sure what is causing it but it does 
slow down spam detection to 40-50 seconds for many emails.  Any ideas what I 
can look at or do to resolve this?

Check the message sizes. As part of the newest spam storms we've noticed that a 
lot of the messages are huge (65536++). I suspect this might impact throughput 
as large buffers are allocated and moved around to handle these messages. This 
kind of thing has also been known to cause NTFS to crawl.

Please let us know what you find.

If you are not already doing it -- you should consider blocking connections 
using the truncate blacklist. No sense taking on some of these messages if they 
can be eliminated up front.


_M

-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller


#
This message is sent to you because you are subscribed to
 the mailing list .
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: 
To switch to the DIGEST mode, E-mail to 
To switch to the INDEX mode, E-mail to 
Send administrative queries to  




[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Pete McNeil

On 2013-05-23 17:37, Richard Stupek wrote:

Mine can speak XCI, it's custom.


Kewl -- then you can use GBUdb for local IP reputation data whenever you 
like. That could be very useful.


Anything you can do with SNFClient you can do with XCI -- SNFClient is 
just a command line translator.


Since you can do that, one thing you might consider doing is to use 
GBUdb for targeted gray-listing.


_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller





[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Richard Stupek
Thanks for the info.  Mine can speak XCI, it's custom.


On Thu, May 23, 2013 at 4:31 PM, Pete McNeil
wrote:

> On 2013-05-23 17:21, Richard Stupek wrote:
>
>> Would this: http://armresearch.com/support/articles/software/snfServer/xci/gbudb.jsp
>> yield the same results as using the ip4 blocklist?
>>
>
> No. Asking your local GBUdb about an IP will only give you a local
> perspective.
>
> The truncate blacklist contains the currently active worst-of-the-worst as
> seen by all SNF nodes working together.
>
> Also -- getting your MTA to pay attention to your local GBUdb is
> nontrivial since no MTA software (that I know of) can "speak" XCI yet.
>
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller


[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Pete McNeil

On 2013-05-23 17:21, Richard Stupek wrote:
Would this: 
http://armresearch.com/support/articles/software/snfServer/xci/gbudb.jsp yield 
the same results as using the ip4 blocklist?


No. Asking your local GBUdb about an IP will only give you a local 
perspective.


The truncate blacklist contains the currently active worst-of-the-worst 
as seen by all SNF nodes working together.


Also -- getting your MTA to pay attention to your local GBUdb is 
nontrivial since no MTA software (that I know of) can "speak" XCI yet.


_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller





[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Richard Stupek
Would this:
http://armresearch.com/support/articles/software/snfServer/xci/gbudb.jsp yield
the same results as using the ip4 blocklist?


On Thu, May 23, 2013 at 4:11 PM, Pete McNeil
wrote:

> On 2013-05-23 16:41, Richard Stupek wrote:
>
>> Can you point me at the documentation for the truncate blacklist and its
>> usage?
>>
> http://gbudb.com/truncate/index.jsp
>
> It's an ordinary ip4 dnsbl.
>
> Most email systems have some mechanism for blocking connections based on
> this kind of blacklist.
>
> Hope this helps,
>
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller


[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Pete McNeil

On 2013-05-23 16:41, Richard Stupek wrote:
Can you point me at the documentation for the truncate blacklist and 
its usage?

http://gbudb.com/truncate/index.jsp

It's an ordinary ip4 dnsbl.

Most email systems have some mechanism for blocking connections based on 
this kind of blacklist.


Hope this helps,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller



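The truncate list discussed above is, as Pete says, an ordinary IPv4 DNSBL, so a lookup is nothing more than a reversed-octet DNS query against the list's zone. The following is an added example written for this archive page, not code from the thread or from ARM Research. It assumes the zone name truncate.gbudb.net (confirm it against the linked documentation), takes an injectable resolver so it can be exercised offline against a constructed answer table, and adds the two checks a practitioner wants before wiring a DNSBL into connection blocking: only a 127.0.0.0/8 answer counts as a listing, and the zone must pass the RFC 5782 test entries (127.0.0.2 listed, 127.0.0.1 not).

```python
import ipaddress
import socket
from typing import Callable, Dict

# Assumed zone name; the thread only links http://gbudb.com/truncate/index.jsp,
# so verify the zone there before deploying.
TRUNCATE_ZONE = "truncate.gbudb.net"

Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str = TRUNCATE_ZONE) -> str:
    """Build the reversed-octet query name: 192.0.2.44 -> 44.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"{ip}: the truncate list is an IPv4 DNSBL")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str = TRUNCATE_ZONE,
              resolve: Resolver = socket.gethostbyname) -> bool:
    """True only when the zone answers with an address inside 127.0.0.0/8.

    NXDOMAIN and resolver errors both mean "not listed": a DNS outage should
    fail open rather than reject every inbound connection.  An answer outside
    127.0.0.0/8 is not a listing either; it is what a retired zone, a wildcard
    or a captive resolver returns, and blocking on it would stop all mail.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:  # resolver handed back something that is not an address
        return False


def dnsbl_self_check(zone: str = TRUNCATE_ZONE,
                     resolve: Resolver = socket.gethostbyname) -> bool:
    """RFC 5782 sanity test: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    Run this before trusting a zone and again periodically; a zone that fails
    it has been retired or is being answered by something other than the list.
    """
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for socket.gethostbyname backed by a dict (constructed)."""
    def resolve(name: str) -> str:
        if name not in table:
            raise socket.gaierror(f"NXDOMAIN (constructed): {name}")
        return table[name]
    return resolve


# Constructed answers using documentation address ranges; not real list data.
SAMPLE_ANSWERS = {
    "2.0.0.127.truncate.gbudb.net": "127.0.0.2",        # RFC 5782 test entry
    "44.2.0.192.truncate.gbudb.net": "127.0.0.2",       # a listed client
    "10.100.51.198.truncate.gbudb.net": "203.0.113.9",  # bogus non-loopback answer
}
FAKE_RESOLVER = make_fake_resolver(SAMPLE_ANSWERS)


if __name__ == "__main__":
    print("zone passes RFC 5782 check:", dnsbl_self_check(resolve=FAKE_RESOLVER))
    for client in ("192.0.2.44", "203.0.113.7", "198.51.100.10"):
        verdict = "listed" if is_listed(client, resolve=FAKE_RESOLVER) else "not listed"
        print(client, verdict)
```

Swap `FAKE_RESOLVER` for the default `socket.gethostbyname` to query the live zone; the decision to reject happens at connection time, before any message body is accepted, which is exactly the saving Pete describes for oversized spam.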


[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Richard Stupek
Can you point me at the documentation for the truncate blacklist and its
usage?


On Thu, May 23, 2013 at 3:36 PM, Pete McNeil
wrote:

> On 2013-05-23 15:22, Richard Stupek wrote:
>
>> Looks like I have this issue again (pegging 4 core cpu) and resetting the
>> process doesn't make a difference.  Not sure what is causing it but it does
>> slow down spam detection to 40-50 seconds for many emails.  Any ideas what
>> I can look at or do to resolve this?
>>
>
> Check the message sizes. As part of the newest spam storms we've noticed
> that a lot of the messages are huge (65536++). I suspect this might impact
> throughput as large buffers are allocated and moved around to handle these
> messages. This kind of thing has also been known to cause NTFS to crawl.
>
> Please let us know what you find.
>
> If you are not already doing it -- you should consider blocking
> connections using the truncate blacklist. No sense taking on some of these
> messages if they can be eliminated up front.
>
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller


[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Pete McNeil

On 2013-05-23 15:22, Richard Stupek wrote:
Looks like I have this issue again (pegging 4 core cpu) and resetting 
the process doesn't make a difference.  Not sure what is causing it 
but it does slow down spam detection to 40-50 seconds for many emails. 
 Any ideas what I can look at or do to resolve this?


Check the message sizes. As part of the newest spam storms we've noticed 
that a lot of the messages are huge (65536++). I suspect this might 
impact throughput as large buffers are allocated and moved around to 
handle these messages. This kind of thing has also been known to cause 
NTFS to crawl.


Please let us know what you find.

If you are not already doing it -- you should consider blocking 
connections using the truncate blacklist. No sense taking on some of 
these messages if they can be eliminated up front.


_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller




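Pete's first suggestion is to check the message sizes, since a storm of messages past 65536 bytes would explain both the pegged CPU and the slow scans. Here is an added example, not code from the thread or from ARM Research, that scans a spool or quarantine directory and reports the size distribution and the share of messages at or above that threshold. The directory layout is an assumption (one file per message); the demo builds a constructed spool in a temporary directory so the function can be run without real mail.

```python
import os
import statistics
import tempfile
from typing import Dict, List

LARGE_MESSAGE_BYTES = 65536  # the size the thread calls "huge"


def summarize_sizes(sizes: List[int],
                    threshold: int = LARGE_MESSAGE_BYTES) -> Dict[str, float]:
    """Size distribution of one batch of messages plus the share over threshold.

    During a storm the interesting number is over_share rising over time, not
    the absolute max: a handful of big newsletters is normal, thousands is not.
    """
    if not sizes:
        return {"count": 0, "max": 0, "median": 0, "over_threshold": 0, "over_share": 0.0}
    over = sum(1 for s in sizes if s >= threshold)
    return {
        "count": len(sizes),
        "max": max(sizes),
        "median": statistics.median(sizes),
        "over_threshold": over,
        "over_share": over / len(sizes),
    }


def scan_spool(directory: str,
               threshold: int = LARGE_MESSAGE_BYTES) -> Dict[str, float]:
    """Non-recursive scan of a spool/quarantine directory, one file per message."""
    sizes = [entry.stat().st_size for entry in os.scandir(directory) if entry.is_file()]
    return summarize_sizes(sizes, threshold)


def demo_scan() -> Dict[str, float]:
    """Create a constructed spool of five messages in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as spool:
        for i, size in enumerate((2048, 4096, 70000, 131072, 8192)):
            with open(os.path.join(spool, f"msg{i}.eml"), "wb") as f:
                f.write(b"x" * size)  # filler bytes, not real mail content
        return scan_spool(spool)


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(f"{key:>15}: {value}")
```

Point `scan_spool` at the MTA's incoming queue (or the directory SNF is being handed messages from) and sample it every few minutes; a jump in `over_share` is the signal that the large-message storm Pete describes has arrived.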

[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Greg Coffey
I've been blocking subnets to the mail server manually for the past 10 days or 
so.  Scan the logs and look at common IP sources for spam.  PITA but I've got 
it under control.  One of the earlier schemes I noticed was from .pw and .in 
top level domains.  What I'm seeing now are messages coming from assorted 
domains but from a common subnet and hosting company - some US based.  I've had 
mail queued up for 20-30 mins before delivery before adding some firewall 
rules.  My mail server is an i5 running Windows Server.  

-- Original Message --
From: Richard Stupek 
Reply-To: "Message Sniffer Community" 
Date:  Thu, 23 May 2013 14:22:59 -0500

>Looks like I have this issue again (pegging 4 core cpu) and resetting the
>process doesn't make a difference.  Not sure what is causing it but it does
>slow down spam detection to 40-50 seconds for many emails.  Any ideas what
>I can look at or do to resolve this?
>
>
>On Fri, Mar 29, 2013 at 12:27 PM, Pete McNeil
>wrote:
>
>> On 2013-03-29 12:59, Richard Stupek wrote:
>>
>>> well when all else fails restarting snf seems to have corrected the issue
>>> for now.
>>>
>>
>> In that case, it is likely that RAM fragmentation was involved. Dropping
>> the process allowed the fragmentation to be cleared. (theory).
>>
>>
>> Best,
>> _M
>>
>> --
>> Pete McNeil
>> Chief Scientist
>> ARM Research Labs, LLC
>> www.armresearch.com
>> 866-770-1044 x7010
>> twitter/codedweller

--
Thanks, Greg

AllureTech/CoffeyNet  www.atwy.net
1546 E Burlington Ave
Casper, WY  82601 307.473.2323
--



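Greg's approach, scanning the logs for common IP sources of spam and then blocking the subnet at the firewall, is easy to automate and just as easy to get wrong when a shared hosting range also carries legitimate mail. The following is an added example for this page, not Greg's script or anything from ARM Research. It aggregates spam verdicts by /24 and only proposes a block when a subnet has both enough spam hits and a high spam ratio. The log line format (timestamp, client IP, scan result) and the sample lines are constructed; adapt `LINE_RE` to the real MTA or SNF log.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed log lines using documentation address ranges; the layout is an
# assumption, not the format of any particular MTA or SNF log.
SAMPLE_LOG = """\
2013-05-23 14:20:01 connect from 198.51.100.7 result=SPAM
2013-05-23 14:20:04 connect from 198.51.100.19 result=SPAM
2013-05-23 14:20:09 connect from 198.51.100.23 result=SPAM
2013-05-23 14:20:15 connect from 198.51.100.80 result=SPAM
2013-05-23 14:20:20 connect from 198.51.100.9 result=CLEAN
2013-05-23 14:21:02 connect from 203.0.113.4 result=SPAM
2013-05-23 14:21:05 connect from 203.0.113.5 result=CLEAN
2013-05-23 14:21:07 connect from 203.0.113.6 result=CLEAN
2013-05-23 14:21:11 connect from 203.0.113.7 result=CLEAN
2013-05-23 14:21:14 connect from 203.0.113.8 result=SPAM
2013-05-23 14:21:18 connect from 203.0.113.9 result=CLEAN
2013-05-23 14:21:22 connect from 203.0.113.10 result=CLEAN
2013-05-23 14:21:30 connect from 203.0.113.11 result=CLEAN
2013-05-23 14:22:01 connect from 192.0.2.77 result=SPAM
2013-05-23 14:22:05 connect from 999.1.1.1 result=SPAM
"""

LINE_RE = re.compile(
    r"connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) result=(?P<verdict>\w+)")


def subnet_report(lines: Iterable[str], prefixlen: int = 24) -> Dict[str, Tuple[int, int]]:
    """Map each /prefixlen subnet to (spam_count, total_count)."""
    spam: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            net = ipaddress.ip_network(f"{m['ip']}/{prefixlen}", strict=False)
        except ValueError:
            continue  # malformed octet such as 999.1.1.1: skip, never block on it
        key = str(net)
        total[key] += 1
        if m["verdict"] == "SPAM":
            spam[key] += 1
    return {k: (spam[k], total[k]) for k in total}


def candidate_blocks(lines: Iterable[str], prefixlen: int = 24,
                     min_spam: int = 3, min_ratio: float = 0.75) -> List[Tuple[str, int, int]]:
    """Subnets worth a firewall rule: enough spam hits AND mostly spam.

    The ratio guard is the important part: a hosting range that sends two
    spams among eight connections would be blocked on volume alone, taking
    its legitimate senders down with it.
    """
    out = []
    for net, (s, t) in subnet_report(lines, prefixlen).items():
        if s >= min_spam and s / t >= min_ratio:
            out.append((net, s, t))
    out.sort(key=lambda row: (-row[1], row[0]))
    return out


if __name__ == "__main__":
    for net, s, t in candidate_blocks(SAMPLE_LOG.splitlines()):
        print(f"{net}: {s} spam of {t} connections")
```

On the constructed sample only 198.51.100.0/24 qualifies: 203.0.113.0/24 has spam but is mostly clean, and 192.0.2.0/24 has a single hit. Review the output before turning it into firewall rules; this is a shortlist, not an automatic block.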

[sniffer] Re: IP Change on rulebase delivery system

2013-05-23 Thread Richard Stupek
Looks like I have this issue again (pegging 4 core cpu) and resetting the
process doesn't make a difference.  Not sure what is causing it but it does
slow down spam detection to 40-50 seconds for many emails.  Any ideas what
I can look at or do to resolve this?


On Fri, Mar 29, 2013 at 12:27 PM, Pete McNeil
wrote:

> On 2013-03-29 12:59, Richard Stupek wrote:
>
>> well when all else fails restarting snf seems to have corrected the issue
>> for now.
>>
>
> In that case, it is likely that RAM fragmentation was involved. Dropping
> the process allowed the fragmentation to be cleared. (theory).
>
>
> Best,
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller