Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Sanford Whiteman wrote:

  I  am not denying _you_ shared credit for the concept with the
Postfix  people,  but the idea that your "friend" the vendor can claim
it  as  intellectual  property,  when  you  spec'd  it  out  and  have
documentation  of  same -- and that that's why you're playing it close
to the vest -- is ridiculous. If it's yours or Brian's, it's yours; in
reality, it's nobody's.
  

I came up with the idea before I ever heard mention of it anywhere
else, and long before 8/2005. I was searching for someone to develop a
gateway from scratch with various improvements/adaptations of existing
techniques as well as new ones since the first half of 2004. Although
ORF saved my arse from dictionary attacks, I realized quickly that it
wasn't ever going to become a reliable way of pre-scanning E-mail and I
wanted more. With something like 6 billion people in this world, and
the concept being as obvious as it seems to me, I definitely wouldn't
suggest that I was the only one to have thought of it, and I'm sure
that I wasn't the first to ever think of it either. This is not
something to waste bytes on.

What does matter in the context though is that Brian made many of these
things work...and then some. His code is his company's property. He
is not the type of guy though to claim rights to such functionality
being the good netizen that he is, and I'm sure that we would all agree
that much of the software technique patent stuff is damaging to
advancements. I don't want to make too much of this one little thing
though because it isn't all that earth shattering to think that it
could be improved. It would something like suggesting that SpamCop
could clean up their false positives by qualifying IP's for listing, or
dequalifying them, sort of like CBL does. It's just my opinion that
there are a lot of good ideas that don't get developed into mature
ideas in this field, and thus far greylisting has been one of them.

Besides greylisting, groups of us have talked about or even implemented
things before they existed to the public. Keith Anderson gets credit
for identifying what a "payload" is and how to extract that information
and use it for blocking E-mail. Group discussions started in 9/2003,
six months before SURBL.org was even registered as a domain, and
clearly the concept pre-existed that day by even longer. We as a group
also came up with enhancements such as resolving payload links to IP's,
or even MX records, NS records to check against URIBL lists as well as
RHSBL lists, and then resolve those again to IP's and look them up in
IP4R lists. Keith even created a product that did this called
Eradispam before anything else that I know of did (besides the straight
URIBL stuff). Not everyone got these ideas from us though, some
clearly came up with it on their own as well.

There are mounds of other inventive if not unique ideas that power
users around here came up with, and some of them we all benefited
from. Scott used to design functionality around community development
and I'm sure that many of us would love to see a return to that
atmosphere. Unfortunately there are more good ideas than there are
great programmers that can make the maximum use of this stuff.

Brian is not only a great programmer, he also brought something very
unique to the table in this framework that made it immensely better
than anything else that does this could be. MXRate when combined with
greylisting is very powerful and allows for greater accuracy as well as
flexibility. MXRate in it's native form isn't just a three zoned IP4R
list, it's probability based and the IP4R version is just backwards
compatibility. This allows users to choose the level of greylisting
and blocking to their own tastes so that they can block more spam and
avoid more false positives/delays. Here's the net result from all 4 of
my MX records now being bound to Alligate on Tuesday:
 Incoming message attempts: 708,777
  Blocked by gateway pre-scanning: 676,397 *likely to be 3/4
dictionary attacks.
   Blocked by Declude JunkMail:  9,228
   Blocked by Declude Virus: 90
   Delivered to customers: 23,062
   Landed in Review range: 980

This change in my infrastructure is the single best thing that I have
done since starting to use Declude. Even though I stood up for Brian's
character when he posted to the list about his product, I didn't even
give the idea of using his product a second thought until we started
exchanging E-mails and I grew to understand that he was an even better
person that I had thought, that he was a good programmer, and he gets
"it".

I think that we should embrace development like this because it is for
the good of everyone, including Declude. Now non-experts can place a
address validating and pre-scanning gateway in front of any Declude
setup whereas before you nearly had to be an expert at this stuff and
be aware of the obscure. The fact that it kills over 99% of zombie
spam with near perfect accuracy also flies in the face of frequent

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Sandy,

That link indicates that they actually work in reverse by whitelisting
things from greylisting instead this is the other way around where it
qualifies messages for greylisting. Considering how successful and
accurate this method is, I would suggest that it is better. I can't of
course say for sure since I'm not much of a source-code guru or Linux
expert. Nevertheless, the open-source and anti-spam communities have
made huge contributions, and made it possible for people like me to do
what they do, and I'm sure that I wasn't the only one that ever thought
about this...but still to my knowledge, it never existed before.

Regarding intellectual property, it's definitely the wrong way to say
that. I don't have any ownership of anything besides a claim to have
had an idea, but I can't lay any claim to the product whatsoever, and
there are no expectations or discussions of me giving it a rave review
or financial benefit to me outside of what the software itself offers.
It could even be considered a detriment to share things that work well
in the sense that it makes my system less unique, but I couldn't even
come close to quantifying it that way in light of circumstances.

Brian deserves a lot of credit for pulling everything together the way
that he did. It's no small feat to have this working in a stable and
somewhat intuitive manner. This clearly isn't a huge financial venture
either, but I doubt that it is going away anytime soon. It's not
however proper for general discussion to lay all of the functionality
out sort of like how Scott was tight-lipped about some functionality,
but also because it is in fact intellectual property in the legal sense
and I can't make such calls. Things like tarpitting and standard
greylisting are now in some cases being defeated by spammers, and I
suppose that it makes sense to not discuss such things in public.
That's really what I should have said. I do take pride in having the
idea though, even if I wasn't the only one :)

What I did do though is map out enough of a picture for all to see if
they felt the need, and I think that many of us do. I think that it's
valuable to share such things, especially when there have been so few
solutions to date that one could run on the same box and accomplish
pre-scanning with any degree of accuracy and validate addresses. I
described many things about my ORF experiences too when that was the
only app in town that fit that bill to some extent. I'm certainly
guilty for being overly enthusiastic about this one. With the right
tools and not an enormous amount of work, most here could manage pretty
close to the theoretical limit in results.

Matt


Sanford Whiteman wrote:

  
I  have never seen anyone else even talk about selective greylisting
for instance, and I'm so damn grateful that I now have it.

  
  
Well --

  http://packages.debian.org/unstable/mail/whitelister

--  a  postfix  pd that pre-checks messages against lower-impact tests
such  as  DNSBLs  before  escalating  to  postgrey.  In  other  words,
selective greylisting. Released 8/2005.

  
  
If there is still a widespread adversion to this discussion, I would
be happy to take it off-list.

  
  
Gotta  tell ya, you almost had me looking the other way until you said
you  consider the component of the third-party product that you spec'd
out  to  be (your?) "intellectual property." Are we to understand that
you do not have a business relationship with the vendor of the product
under  discussion?  That  you  have  not received compensation, profit
shares,  payment  in kind (free copies) for your design input into the
commercial  product?  Hoping  you're observing full disclosure in your
continuing posts about the product.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  

RE: [Declude.JunkMail] Experience with 4.x

[Kaj Søndergaard Laursen]

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matt
Sent: 26. maj 2006 00:16







Declude could easily plug into
Alligate if they wanted to since it supports dropping files into a directory
instead of delivering them, and then it will pick them up when the external app
is done. I would love to see that happen since I only need IMail as a
container for Declude.



I would also like to see that. I
also only use IMail as a gateway (in front of Exchange), and would like
something that is better. 



I heard some rumors that Declude
is looking at gateway solutions - with a release this summer. Anybody got any
news on that?

Regards,

Kaj

RE: [Declude.JunkMail] Experience with 4.x

[Jay Sudowski - Handy Networks LLC]

Hi Matt -

I am still somewhat confused because you are painting a rather broad picture 
about your success with Alligate, and not really getting down to the nitty 
gritty specifics.  I can appreciate that you may not want to disclose your 
exact configuration.  However, I can't even figure out if all of the things 
you're talking about are available in a stock edition of Alligate with the 
MXRate subscription, or if you've extended the functionality of Alligate in 
ways that are specific to your installation, using tools or features that I 
won't have access to.

http://www.alligate.com/help/AdvGreyOptions.htm - this seems to be the case 
specific greylisting you're talking about ...

http://www.alligate.com/help/blocking.htm - has some tarpitting options ...

Even so, I am still pretty confused about this.  Any clarification would be 
appreciated.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting 
Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, May 25, 2006 6:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Pieced below:

Jay Sudowski - Handy Networks LLC wrote: 
I am contemplating implementing Alligate with SmarterMail in some fashion, and 
would like to pick your mind on the following:

1) SmarterMail does a great, great job at handling a huge number of SMTP 
threads so dictionary attacks are not really an issue.  We have popped up to 
2000 SMTP threads without incident.  And since addresses being attacked do not 
exist, the messages get rejected with a 550 error, connection is closed and 
there's no real strain on the server (at least in terms of I/O) -- do we get 
any benefit from putting Alligate in front of SmarterMail for dictionary attack 
prevention?
  
Definitely.  Not all dictionary attacks hit completely bad addresses, but 
detecting and stopping an should be rare if you configure it carefully.



2) Does SMTP AUTH pass-through and recipient verification actually work, all 
the time?
  
I don't use this since it is not necessary to do so for pre-scanning purposes.  
This is really designed to take the load off of a hosted mail server by 
off-loading this traffic.  I can't say personally that it works perfectly, but 
I'm sure that it does.  Other pass-through verification stuff that it does 
definitely works, and works efficiently.


3) I see greylisting as the real area that could benefit us -- we would avoid a 
lot of the zombie spam by implementing greylisting, and that would save us tons 
of resources all around.  However, I understand that some zombies are now 
greylist aware and will retry.
  
Greylisting is huge, but it has fundamental problems that kept me from using it 
in vanilla form with ORF.  I know that Nick used it with ORF and backed off.  
My big issues are two-fold.  By arbitrarily applying greylisting to everyone, 
you will effectively block E-mail from sending software that doesn't spool (and 
zombie spamware isn't the only thing with that limitation).  It's things like 
blackboxes and other forms of notification programming that lacks such 
functionality and can fail greylisting, at least for the first message.  Some 
bulk mail (ecommerce and otherwise) will only send once, or may requeue and 
send through a different IP subsequently causing delivery failures or long 
delays.  Even more important to me is the fact that greylisting causing issues 
with delaying legitimate E-mail, and I refused to implement it in ORF solely 
for this reason.  It's not acceptable for the class of service that I want to 
offer.  I want E-mail to pass through our system in less than 5 seconds except 
in extreme circumstances.

I fed Brian a framework for doing what I call selective greylisting which 
resolves these issues.  Essentially it only greylists when conditions warrant, 
and the only drawback is greylisting poorly configured hosts or some that leak 
spam (but not all of either).  It works so well that there is no reason to have 
it do full greylisting.  I won't go into the details of how this is done here 
because to some extent I consider it to be intellectual property.  Also note 
that Brian isn't just a coding monkey, and he contributed a lot to the end 
product and filled in many gaps.  There are also advanced tarpitting techniques 
that cause almost as many failures as greylisting does because some spamware 
detects tarpitting and disconnect, but it is variable according to when and how 
long it occurs.  The last major piece is the MXRate functionality, and it 
blocks a lot even when limited to just 100% hits (which surely aren't perfect, 
but they are very near perfect).


While I don't feel like running DLAnalyzer, we typically trend about 85% of 
email is spam that gets

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Jay,

As far as how to configure Alligate, I think that it would be better to 
discuss this off-list or on the product's own list, but to give a brief 
answer to your questions, almost all functionality is exposed in the 
GUI, but there are some undocumented things additionally that may be of 
use and possibly some things that aren't yet enabled in the released 
product yet.  The interface is a bit confusing since it has it's own 
language and style of approaching things.  In short, you can achieve the 
virtually same results as I did at the gateway level with what is 
available now, but you have the ability to tweak the settings whatever 
way you wish according to your own standards.


Matt



Jay Sudowski - Handy Networks LLC wrote:


Hi Matt -

I am still somewhat confused because you are painting a rather broad picture 
about your success with Alligate, and not really getting down to the nitty 
gritty specifics.  I can appreciate that you may not want to disclose your 
exact configuration.  However, I can't even figure out if all of the things 
you're talking about are available in a stock edition of Alligate with the 
MXRate subscription, or if you've extended the functionality of Alligate in 
ways that are specific to your installation, using tools or features that I 
won't have access to.

http://www.alligate.com/help/AdvGreyOptions.htm - this seems to be the case 
specific greylisting you're talking about ...

http://www.alligate.com/help/blocking.htm - has some tarpitting options ...

Even so, I am still pretty confused about this.  Any clarification would be 
appreciated.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting 
Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, May 25, 2006 6:16 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Pieced below:

Jay Sudowski - Handy Networks LLC wrote: 
I am contemplating implementing Alligate with SmarterMail in some fashion, and would like to pick your mind on the following:


1) SmarterMail does a great, great job at handling a huge number of SMTP 
threads so dictionary attacks are not really an issue.  We have popped up to 
2000 SMTP threads without incident.  And since addresses being attacked do not 
exist, the messages get rejected with a 550 error, connection is closed and 
there's no real strain on the server (at least in terms of I/O) -- do we get 
any benefit from putting Alligate in front of SmarterMail for dictionary attack 
prevention?
 
Definitely.  Not all dictionary attacks hit completely bad addresses, but detecting and stopping an should be rare if you configure it carefully.




2) Does SMTP AUTH pass-through and recipient verification actually work, all 
the time?
 
I don't use this since it is not necessary to do so for pre-scanning purposes.  This is really designed to take the load off of a hosted mail server by off-loading this traffic.  I can't say personally that it works perfectly, but I'm sure that it does.  Other pass-through verification stuff that it does definitely works, and works efficiently.



3) I see greylisting as the real area that could benefit us -- we would avoid a 
lot of the zombie spam by implementing greylisting, and that would save us tons 
of resources all around.  However, I understand that some zombies are now 
greylist aware and will retry.
 
Greylisting is huge, but it has fundamental problems that kept me from using it in vanilla form with ORF.  I know that Nick used it with ORF and backed off.  My big issues are two-fold.  By arbitrarily applying greylisting to everyone, you will effectively block E-mail from sending software that doesn't spool (and zombie spamware isn't the only thing with that limitation).  It's things like blackboxes and other forms of notification programming that lacks such functionality and can fail greylisting, at least for the first message.  Some bulk mail (ecommerce and otherwise) will only send once, or may requeue and send through a different IP subsequently causing delivery failures or long delays.  Even more important to me is the fact that greylisting causing issues with delaying legitimate E-mail, and I refused to implement it in ORF solely for this reason.  It's not acceptable for the class of service that I want to offer.  I want E-mail to pass through our system in less than 5 seconds except in extreme circumstances.


I fed Brian a framework for doing what I call selective greylisting which 
resolves these issues.  Essentially it only greylists when conditions warrant, and the 
only drawback is greylisting poorly configured hosts or some that leak spam (but not all 
of either).  It works so well that there is no reason to have it do full greylisting.  I 
won't go

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Pieced below:

Jay Sudowski - Handy Networks LLC wrote:

  I am contemplating implementing Alligate with SmarterMail in some fashion, and would like to pick your mind on the following:

1) SmarterMail does a great, great job at handling a huge number of SMTP threads so dictionary attacks are not really an issue.  We have popped up to 2000 SMTP threads without incident.  And since addresses being attacked do not exist, the messages get rejected with a 550 error, connection is closed and there's no real strain on the server (at least in terms of I/O) -- do we get any benefit from putting Alligate in front of SmarterMail for dictionary attack prevention?
  

Definitely. Not all dictionary attacks hit completely bad addresses,
but detecting and stopping an attacker regardless of the good or bad
addresses that they may send is wise. Tarpitting takes the bites out
of the attacks by slowing them down between recipients, and you can
tell Alligate to drop the connection after x number of bad addresses,
or even have more tolerance for a higher number of bad addresses if a
good address is found. Lastly, SmarterMail and IMail were designed to
be mail servers and not pre-scanning gateways. Gateways should be
lean, and by also being smart, they can eliminate the vast majority of
spam long before your real mail server comes into play. Nothing is
blackholed either, so any FP should be noticed by the sender if they
should occur, and they should be rare if you configure it carefully.



  2) Does SMTP AUTH pass-through and recipient verification actually work, all the time?
  

I don't use this since it is not necessary to do so for pre-scanning
purposes. This is really designed to take the load off of a hosted
mail server by off-loading this traffic. I can't say personally that
it works perfectly, but I'm sure that it does. Other pass-through
verification stuff that it does definitely works, and works efficiently.


  3) I see greylisting as the real area that could benefit us -- we would avoid a lot of the zombie spam by implementing greylisting, and that would save us tons of resources all around.  However, I understand that some zombies are now greylist aware and will retry.
  

Greylisting is huge, but it has fundamental problems that kept me from
using it in vanilla form with ORF. I know that Nick used it with ORF
and backed off. My big issues are two-fold. By arbitrarily applying
greylisting to everyone, you will effectively block E-mail from sending
software that doesn't spool (and zombie spamware isn't the only thing
with that limitation). It's things like blackboxes and other forms of
notification programming that lacks such functionality and can fail
greylisting, at least for the first message. Some bulk mail (ecommerce
and otherwise) will only send once, or may requeue and send through a
different IP subsequently causing delivery failures or long delays.
Even more important to me is the fact that greylisting causing issues
with delaying legitimate E-mail, and I refused to implement it in ORF
solely for this reason. It's not acceptable for the class of service
that I want to offer. I want E-mail to pass through our system in less
than 5 seconds except in extreme circumstances.

I fed Brian a framework for doing what I call "selective greylisting"
which resolves these issues. Essentially it only greylists when
conditions warrant, and the only drawback is greylisting poorly
configured hosts or some that leak spam (but not all of either). It
works so well that there is no reason to have it do full greylisting.
I won't go into the details of how this is done here because to some
extent I consider it to be intellectual property. Also note that Brian
isn't just a coding monkey, and he contributed a lot to the end product
and filled in many gaps. There are also advanced tarpitting techniques
that cause almost as many failures as greylisting does because some
spamware detects tarpitting and disconnect, but it is variable
according to when and how long it occurs. The last major piece is the
MXRate functionality, and it blocks a lot even when limited to just
100% hits (which surely aren't perfect, but they are very near perfect).


  While I don't feel like running DLAnalyzer, we typically trend about 85% of email is spam that gets deleted before it's delivered, which means we probably had around 40,000 actual deliveries.  If we can eliminate 50% of the spam using MXRate and greylisting, that is a huge burden off of declude and the server in general.
  

I block 99.9% of all spam and our false positive rate is less than 1 in
10,000, with most of that being some form of advertising sent from
hosts that also send for dirty lists, and most don't care about such
things. Most of our issues with personal E-mail are the result of
foreign traffic, especially with China. Alligate certainly helps since
it eliminates almost all zombies and viruses, but it also stops some
static spammers as well, but Declude is still of course 

RE: [Declude.JunkMail] Experience with 4.x

[Jay Sudowski - Handy Networks LLC]

In light of this reference to WINSOCKCLEANUP being an iMail only issue,
do I even need to enable this on our SmarterMail servers?

-Jay


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, May 23, 2006 6:30 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

The only way that we have detected this was with Imail and mail being
stuck
in the spool. ...network stack causing loss of functionality for basic
network operations is generic but if I remember correctly when this
happened the admin was not even able to ping an outside server, which
would
suggest to me other IP communications fail as well.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 23, 2006 6:26 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

Thanks, David.

I've read all of the support forum emails that have been posted on the
WINSOCKCLEANUP and even reviewed them again via the mail archive website
before my own implementation.

What I haven't been able to tell is whether I can diagnose this issue if
I
have it before it becomes an outage.

Can it only be detected by it's side-effect of filling up the proc
folder?

If I have a mechanism on my IMail server that does DNS queries... Will
they
fail when the WinSock needs being cleaned up?  I think not, as at least
one
posting specifically mentioned that IMail IP4R tests worked when
DecludeProc
IP4R tests timed out.

Your official description for WINSOCKCLEANUP ON says ...network stack
causing loss of functionality for basic network operations; is this
deliberately generic so that you don't have to explain what a DNS test
is,
or does it imply that other IP communications will also fail, e.g.
SMTP and (critically for me) RDP?

Andrew.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 3:12 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 Andrew,
 
 In certain cases we found that Imail would stop resolving, it seemed 
 that stop/starting the decludeproc or smtp service fixed the problem 
 by resetting the winsock. So we added WINSOCKCLEANUP to deal with this

 specific Imail issue.
 
 David B
 www.declude.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
 Andrew
 Sent: Tuesday, May 23, 2006 3:45 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 David, is there a proactive way to detect if an installation would 
 benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
 
 I would rather be able to detect this while it's happening than to 
 react when I find that spam is leaking or that the proc folder is 
 continually growing.
 
 Andrew.
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 David Barker
  Sent: Tuesday, May 23, 2006 7:48 AM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  Mike,
  
  1. The  WINSOCKCLEANUPON activates when the \Proc reaches 0
  2. If Decludeproc stops unexpectedly files it is busy with
 are move to
  the \review
  3. You can use AUTOREVIEW   ON to have these move back to the \proc
  4. Be aware though if there is a real problem message you may find 
  that the message gets looped 5. Make sure you have the
 latest version
  of decludeproc ... There should be a release later today or
 tommorow.
  
  David B
  www.declude.com
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
  Sent: Tuesday, May 23, 2006 10:23 AM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Experience with 4.x
  
  I found that WINSOCKCLEANUP ON would force a reset if the \proc 
  directory
  never hits 0.   In this case, files build up in the \review 
  subfolder which
  require manual processing.
  
  - Original Message -
  From: David Barker [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Tuesday, May 23, 2006 7:34 AM
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  
   The purpose of WINSOCKCLEANUPON is to reset the 
  winsock, what
   happens when using this setting is that when the \proc
  directory hit 0
   decludeproc will finish processing all the messages in the \work 
   before checking the \proc again.
  
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To 
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
  unsubscribe Declude.JunkMail.  The archives can be found at 
  http://www.mail-archive.com.
  
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To 
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
  unsubscribe Declude.JunkMail

RE: [Declude.JunkMail] Experience with 4.x

[Jay Sudowski - Handy Networks LLC]

30 threads seems awfully low.  We set ours to 80 on a dual xeon box with a 
separate drive for spool/logging and we move right along without any issues.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting 
Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 23, 2006 3:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS        30
WAITFORMAIL    500
WAITFORTHREADS        200
WAITBETWEENTHREADS    100
WINSOCKCLEANUP        OFF
INVITEFIX    ON
AUTOREVIEW        ON
There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID can only 
handle 30 threads with average messages.  In reality, one single message can 
spike the system to 100%, but these are uncommon.  I figure that if I open this 
up too wide and I am dealing with a backup or something, launching more threads 
when at 100% CPU utilization will actually slow the system down.  This was the 
same with 2.x and before.  There is added overhead to managing threads and you 
don't want that to happen on top of 100% CPU utilization.  I am going to back 
up my server later tonight to see if I can't find what the magic number is 
since I don't want to be below that magic number, and it would probably be best 
to be a little above it.

WAITFORMAIL 500 - On my server, this never kicks in, but if it did, it wouldn't 
make sense to delay for too long because I could build up messages.  A half 
second seems good.

WAITFORTHREADS 200 - This apparently kicks in only when I reach my thread 
limit; sort of like a throttle.  I don't want it to be too long because this 
should only happen when I am hammered, but it is wise not to keep hammering 
when you are at 100%.  Sort of a mixed bag choice here.

WAITBETWEENTHREADS 100 - I see this setting as being the biggest issue with 
sizing a server.  Setting it at 100 ms means that I can only handle 10 messages 
per second, and this establishes an upper limit for what the server can do.   I 
currently average about 5 messages per second coming from my gateways at peak 
hours, so I figured that to be safe, I should double that value.

INVITEFIX ON - I have it on because it comes on by default and I don't know any 
better.  I know nothing about the cause for needing this outside of brief 
comments.  It seems strange that my Declude setup could ruin an invitation 
unless I was using footers.  If this is only triggered by footer use, I would 
like to know so that I could turn it off.  I would imagine that this causes 
extra load to do the check.

AUTOREVIEW ON - I have this on for the same reason that Andrew pointed out.  
When I restart Decludeproc, messages land in my review folder, and I don't wish 
to keep manually fishing things out.  If there is an issue with looping, it 
would be wise for Declude to make this only trigger say every 15 minutes 
instead of more regularly.
Feel free to add to this if you want.

Matt











Colbeck, Andrew wrote: 
I'd second that... on both the observed behaviour and the request for 
documentation.
 
I'm attaching my highly commented declude.cfg as a reasonable sample.
 
Andrew 8)
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 23, 2006 10:36 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x
David,

That did the trick.  I can't even see any messages in my proc folder any more.  
I might suggest adding your explanation to the comments in the file just in 
case others feel the need to turn this on like I did.  I recalled the issues 
from the list and I turned it on because I didn't want the possibility of DNS 
crapping out and the leakage that this would cause.

Here's a screen cap of what my processor graph looks like now:


Thanks,

Matt



David Barker wrote: 
The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Jay,

It's not about moving along, it's about limiting the CPU to only 100%, 
or at least not piling it on when it gets there.  I could be wrong in 
assuming that 1 thread = 1 message (hopefully I will be corrected if 
so), but 30 average messages being processed at once will most 
definitely peg my processors, and adding more threads when you are at 
100% will actually slow down performance.


Another note, not all systems are configured equally.  A vanilla install 
of Declude would likely handle 4 times the number of messages that mine 
does since I run 4 external filters, two virus scanners, and something 
like 100 Declude filters (though they mostly get skipped with 
SKIPIFWEIGHT and END statements as they are targeted).  Running a single 
virus scanner and RBL's is just a fraction of the load.  With my 
pre-scanning gateways blocking more than 90% of all traffic (about half 
of that is dictionary attacks and most of the rest is done with 
'selective greylisting'), I can scale one server to handle over 20,000 
addresses, possibly as many as 40,000 (doesn't host the accounts 
though), so despite the heavy config, it is optimized.


But back to the real topic...I'm just guessing that 30 messages/threads 
is the limit for my box, but I'm sure that it isn't as high as 80, 
though setting it at 80 would be of no consequence outside of a 
prolonged heavy load caused by something like a backup of my spool.  It 
would be a bigger mistake to set it too low.


Matt



Jay Sudowski - Handy Networks LLC wrote:


30 threads seems awfully low.  We set ours to 80 on a dual xeon box with a 
separate drive for spool/logging and we move right along without any issues.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting 
Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 23, 2006 3:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS30
WAITFORMAIL500
WAITFORTHREADS200
WAITBETWEENTHREADS100
WINSOCKCLEANUPOFF
INVITEFIXON
AUTOREVIEWON
There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID can only 
handle 30 threads with average messages.  In reality, one single message can 
spike the system to 100%, but these are uncommon.  I figure that if I open this 
up too wide and I am dealing with a backup or something, launching more threads 
when at 100% CPU utilization will actually slow the system down.  This was the 
same with 2.x and before.  There is added overhead to managing threads and you 
don't want that to happen on top of 100% CPU utilization.  I am going to back 
up my server later tonight to see if I can't find what the magic number is 
since I don't want to be below that magic number, and it would probably be best 
to be a little above it.

WAITFORMAIL 500 - On my server, this never kicks in, but if it did, it wouldn't 
make sense to delay for too long because I could build up messages.  A half 
second seems good.

WAITFORTHREADS 200 - This apparently kicks in only when I reach my thread 
limit; sort of like a throttle.  I don't want it to be too long because this 
should only happen when I am hammered, but it is wise not to keep hammering 
when you are at 100%.  Sort of a mixed bag choice here.

WAITBETWEENTHREADS 100 - I see this setting as being the biggest issue with 
sizing a server.  Setting it at 100 ms means that I can only handle 10 messages 
per second, and this establishes an upper limit for what the server can do.   I 
currently average about 5 messages per second coming from my gateways at peak 
hours, so I figured that to be safe, I should double that value.

INVITEFIX ON - I have it on because it comes on by default and I don't know any 
better.  I know nothing about the cause for needing this outside of brief 
comments.  It seems strange that my Declude setup could ruin an invitation 
unless I was using footers.  If this is only triggered by footer use, I would 
like to know so that I could turn it off.  I would imagine that this causes 
extra load to do the check.

AUTOREVIEW ON - I have this on for the same reason that Andrew pointed out.  
When I restart Decludeproc, messages land in my review folder, and I don't wish 
to keep manually fishing things out.  If there is an issue with looping, it 
would be wise for Declude to make this only trigger say every 15 minutes 
instead of more regularly.
Feel free to add to this if you want.

Matt











Colbeck, Andrew wrote: 
I'd second that... on both the observed behaviour and the request for documentation.


I'm attaching my highly commented

RE: [Declude.JunkMail] Experience with 4.x

[David Barker]

We have not seen this issue with SmarterMail.

David B
www.declude.com 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski -
Handy Networks LLC
Sent: Wednesday, May 24, 2006 4:00 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

In light of this reference to WINSOCKCLEANUP being an iMail only issue, do I
even need to enable this on our SmarterMail servers?

-Jay


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Tuesday, May 23, 2006 6:30 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

The only way that we have detected this was with Imail and mail being stuck
in the spool. ...network stack causing loss of functionality for basic
network operations is generic but if I remember correctly when this
happened the admin was not even able to ping an outside server, which would
suggest to me other IP communications fail as well.

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 23, 2006 6:26 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

Thanks, David.

I've read all of the support forum emails that have been posted on the
WINSOCKCLEANUP and even reviewed them again via the mail archive website
before my own implementation.

What I haven't been able to tell is whether I can diagnose this issue if I
have it before it becomes an outage.

Can it only be detected by it's side-effect of filling up the proc folder?

If I have a mechanism on my IMail server that does DNS queries... Will they
fail when the WinSock needs being cleaned up?  I think not, as at least one
posting specifically mentioned that IMail IP4R tests worked when DecludeProc
IP4R tests timed out.

Your official description for WINSOCKCLEANUP ON says ...network stack
causing loss of functionality for basic network operations; is this
deliberately generic so that you don't have to explain what a DNS test is,
or does it imply that other IP communications will also fail, e.g.
SMTP and (critically for me) RDP?

Andrew.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 3:12 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 Andrew,
 
 In certain cases we found that Imail would stop resolving, it seemed 
 that stop/starting the decludeproc or smtp service fixed the problem 
 by resetting the winsock. So we added WINSOCKCLEANUP to deal with this

 specific Imail issue.
 
 David B
 www.declude.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
 Andrew
 Sent: Tuesday, May 23, 2006 3:45 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 David, is there a proactive way to detect if an installation would 
 benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
 
 I would rather be able to detect this while it's happening than to 
 react when I find that spam is leaking or that the proc folder is 
 continually growing.
 
 Andrew.
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 David Barker
  Sent: Tuesday, May 23, 2006 7:48 AM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  Mike,
  
  1. The  WINSOCKCLEANUPON activates when the \Proc reaches 0
  2. If Decludeproc stops unexpectedly files it is busy with
 are move to
  the \review
  3. You can use AUTOREVIEW   ON to have these move back to the \proc
  4. Be aware though if there is a real problem message you may find 
  that the message gets looped 5. Make sure you have the
 latest version
  of decludeproc ... There should be a release later today or
 tommorow.
  
  David B
  www.declude.com
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
  Sent: Tuesday, May 23, 2006 10:23 AM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Experience with 4.x
  
  I found that WINSOCKCLEANUP ON would force a reset if the \proc 
  directory
  never hits 0.   In this case, files build up in the \review 
  subfolder which
  require manual processing.
  
  - Original Message -
  From: David Barker [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Tuesday, May 23, 2006 7:34 AM
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  
   The purpose of WINSOCKCLEANUPON is to reset the 
  winsock, what
   happens when using this setting is that when the \proc
  directory hit 0
   decludeproc will finish processing all the messages in the \work 
   before checking the \proc again.
  
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To 
  unsubscribe

Re: [Declude.JunkMail] Experience with 4.x

[Nick Hayer]

Hi Matt,

So you see any substantive performance improvement over 2x?

-Nick

Matt wrote:


Jay,

It's not about moving along, it's about limiting the CPU to only 100%, 
or at least not piling it on when it gets there.  I could be wrong in 
assuming that 1 thread = 1 message (hopefully I will be corrected if 
so), but 30 average messages being processed at once will most 
definitely peg my processors, and adding more threads when you are at 
100% will actually slow down performance.


Another note, not all systems are configured equally.  A vanilla 
install of Declude would likely handle 4 times the number of messages 
that mine does since I run 4 external filters, two virus scanners, and 
something like 100 Declude filters (though they mostly get skipped 
with SKIPIFWEIGHT and END statements as they are targeted).  Running a 
single virus scanner and RBL's is just a fraction of the load.  With 
my pre-scanning gateways blocking more than 90% of all traffic (about 
half of that is dictionary attacks and most of the rest is done with 
'selective greylisting'), I can scale one server to handle over 20,000 
addresses, possibly as many as 40,000 (doesn't host the accounts 
though), so despite the heavy config, it is optimized.


But back to the real topic...I'm just guessing that 30 
messages/threads is the limit for my box, but I'm sure that it isn't 
as high as 80, though setting it at 80 would be of no consequence 
outside of a prolonged heavy load caused by something like a backup of 
my spool.  It would be a bigger mistake to set it too low.


Matt



Jay Sudowski - Handy Networks LLC wrote:

30 threads seems awfully low.  We set ours to 80 on a dual xeon box 
with a separate drive for spool/logging and we move right along 
without any issues.


Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 
2003 Hosting Solutions

Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Matt

Sent: Tuesday, May 23, 2006 3:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS30
WAITFORMAIL500
WAITFORTHREADS200
WAITBETWEENTHREADS100
WINSOCKCLEANUPOFF
INVITEFIXON
AUTOREVIEWON
There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID 
can only handle 30 threads with average messages.  In reality, one 
single message can spike the system to 100%, but these are uncommon.  
I figure that if I open this up too wide and I am dealing with a 
backup or something, launching more threads when at 100% CPU 
utilization will actually slow the system down.  This was the same 
with 2.x and before.  There is added overhead to managing threads and 
you don't want that to happen on top of 100% CPU utilization.  I am 
going to back up my server later tonight to see if I can't find what 
the magic number is since I don't want to be below that magic number, 
and it would probably be best to be a little above it.


WAITFORMAIL 500 - On my server, this never kicks in, but if it did, 
it wouldn't make sense to delay for too long because I could build up 
messages.  A half second seems good.


WAITFORTHREADS 200 - This apparently kicks in only when I reach my 
thread limit; sort of like a throttle.  I don't want it to be too 
long because this should only happen when I am hammered, but it is 
wise not to keep hammering when you are at 100%.  Sort of a mixed bag 
choice here.


WAITBETWEENTHREADS 100 - I see this setting as being the biggest 
issue with sizing a server.  Setting it at 100 ms means that I can 
only handle 10 messages per second, and this establishes an upper 
limit for what the server can do.   I currently average about 5 
messages per second coming from my gateways at peak hours, so I 
figured that to be safe, I should double that value.


INVITEFIX ON - I have it on because it comes on by default and I 
don't know any better.  I know nothing about the cause for needing 
this outside of brief comments.  It seems strange that my Declude 
setup could ruin an invitation unless I was using footers.  If this 
is only triggered by footer use, I would like to know so that I could 
turn it off.  I would imagine that this causes extra load to do the 
check.


AUTOREVIEW ON - I have this on for the same reason that Andrew 
pointed out.  When I restart Decludeproc, messages land in my review 
folder, and I don't wish to keep manually fishing things out.  If 
there is an issue with looping, it would be wise for Declude to make 
this only trigger say every 15 minutes instead of more regularly.

Feel free to add to this if you want.

Matt











Colbeck, Andrew wrote: I'd second

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

I indicated earlier that it looked like a relative 10% improvement 
(about the difference between 35% and 32% hourly average CPU 
utilization).  I would think that this comes primarily from not needing 
to start the old declude executable every time, and the improvement 
might be more substantial on a system with a overtaxed disk.  I don't 
think the code is any more efficient as far as actual scanning goes.  
Besides that, it's typically the virus scanners and external tests that 
eat up most of the CPU on a Declude system and not Declude itself, and 
those things haven't changed.


I'm guessing that it might perform much better when redlined though if 
you tweak it right.  I believed that old Declude when getting rammed 
with overflow seemed to not perform linearly with normal performance 
with free CPU, but instead dropped, probably due to having a lot of CPU 
wait time overhead (there's probably a more accurate term for this).  
The new Declude can be more effectively controlled so as to not bog down 
the system as much.  So performance here might be 2x or more when 
redlined under optimal conditions.  This effect would be maximized if 
Declude would tie launching threads to a CPU monitor instead of a fixed 
number with no real clue as to what is perfect under any particular 
situation.


Matt




Nick Hayer wrote:



Hi Matt,

So you see any substantive performance improvement over 2x?

-Nick

Matt wrote:


Jay,

It's not about moving along, it's about limiting the CPU to only 
100%, or at least not piling it on when it gets there.  I could be 
wrong in assuming that 1 thread = 1 message (hopefully I will be 
corrected if so), but 30 average messages being processed at once 
will most definitely peg my processors, and adding more threads when 
you are at 100% will actually slow down performance.


Another note, not all systems are configured equally.  A vanilla 
install of Declude would likely handle 4 times the number of messages 
that mine does since I run 4 external filters, two virus scanners, 
and something like 100 Declude filters (though they mostly get 
skipped with SKIPIFWEIGHT and END statements as they are targeted).  
Running a single virus scanner and RBL's is just a fraction of the 
load.  With my pre-scanning gateways blocking more than 90% of all 
traffic (about half of that is dictionary attacks and most of the 
rest is done with 'selective greylisting'), I can scale one server to 
handle over 20,000 addresses, possibly as many as 40,000 (doesn't 
host the accounts though), so despite the heavy config, it is optimized.


But back to the real topic...I'm just guessing that 30 
messages/threads is the limit for my box, but I'm sure that it isn't 
as high as 80, though setting it at 80 would be of no consequence 
outside of a prolonged heavy load caused by something like a backup 
of my spool.  It would be a bigger mistake to set it too low.


Matt



Jay Sudowski - Handy Networks LLC wrote:

30 threads seems awfully low.  We set ours to 80 on a dual xeon box 
with a separate drive for spool/logging and we move right along 
without any issues.


Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 
2003 Hosting Solutions

Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Matt

Sent: Tuesday, May 23, 2006 3:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS30
WAITFORMAIL500
WAITFORTHREADS200
WAITBETWEENTHREADS100
WINSOCKCLEANUPOFF
INVITEFIXON
AUTOREVIEWON
There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID 
can only handle 30 threads with average messages.  In reality, one 
single message can spike the system to 100%, but these are 
uncommon.  I figure that if I open this up too wide and I am dealing 
with a backup or something, launching more threads when at 100% CPU 
utilization will actually slow the system down.  This was the same 
with 2.x and before.  There is added overhead to managing threads 
and you don't want that to happen on top of 100% CPU utilization.  I 
am going to back up my server later tonight to see if I can't find 
what the magic number is since I don't want to be below that magic 
number, and it would probably be best to be a little above it.


WAITFORMAIL 500 - On my server, this never kicks in, but if it did, 
it wouldn't make sense to delay for too long because I could build 
up messages.  A half second seems good.


WAITFORTHREADS 200 - This apparently kicks in only when I reach my 
thread limit; sort of like a throttle.  I don't want it to be too 
long because this should only happen when I am

RE: [Declude.JunkMail] Experience with 4.x

[Erik]

Matt, is your Delcude gatewayed?  Or is it running on the same server as
Imail?

-Erik


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, May 24, 2006 5:58 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x


I indicated earlier that it looked like a relative 10% improvement 
(about the difference between 35% and 32% hourly average CPU 
utilization).  I would think that this comes primarily from not needing 
to start the old declude executable every time, and the improvement 
might be more substantial on a system with a overtaxed disk.  I don't 
think the code is any more efficient as far as actual scanning goes.  
Besides that, it's typically the virus scanners and external tests that 
eat up most of the CPU on a Declude system and not Declude itself, and 
those things haven't changed.

I'm guessing that it might perform much better when redlined though if 
you tweak it right.  I believed that old Declude when getting rammed 
with overflow seemed to not perform linearly with normal performance 
with free CPU, but instead dropped, probably due to having a lot of CPU 
wait time overhead (there's probably a more accurate term for this).  
The new Declude can be more effectively controlled so as to not bog down 
the system as much.  So performance here might be 2x or more when 
redlined under optimal conditions.  This effect would be maximized if 
Declude would tie launching threads to a CPU monitor instead of a fixed 
number with no real clue as to what is perfect under any particular 
situation.

Matt




Nick Hayer wrote:


 Hi Matt,

 So you see any substantive performance improvement over 2x?

 -Nick

 Matt wrote:

 Jay,

 It's not about moving along, it's about limiting the CPU to only
 100%, or at least not piling it on when it gets there.  I could be 
 wrong in assuming that 1 thread = 1 message (hopefully I will be 
 corrected if so), but 30 average messages being processed at once 
 will most definitely peg my processors, and adding more threads when 
 you are at 100% will actually slow down performance.

 Another note, not all systems are configured equally.  A vanilla
 install of Declude would likely handle 4 times the number of messages 
 that mine does since I run 4 external filters, two virus scanners, 
 and something like 100 Declude filters (though they mostly get 
 skipped with SKIPIFWEIGHT and END statements as they are targeted).  
 Running a single virus scanner and RBL's is just a fraction of the 
 load.  With my pre-scanning gateways blocking more than 90% of all 
 traffic (about half of that is dictionary attacks and most of the 
 rest is done with 'selective greylisting'), I can scale one server to 
 handle over 20,000 addresses, possibly as many as 40,000 (doesn't 
 host the accounts though), so despite the heavy config, it is optimized.

 But back to the real topic...I'm just guessing that 30
 messages/threads is the limit for my box, but I'm sure that it isn't 
 as high as 80, though setting it at 80 would be of no consequence 
 outside of a prolonged heavy load caused by something like a backup 
 of my spool.  It would be a bigger mistake to set it too low.

 Matt



 Jay Sudowski - Handy Networks LLC wrote:

 30 threads seems awfully low.  We set ours to 80 on a dual xeon box
 with a separate drive for spool/logging and we move right along 
 without any issues.

 Thanks!
 -
 Jay Sudowski // Handy Networks LLC
 Director of Technical Operations
 Providing Shared, Reseller, Semi Managed and Fully Managed Windows
 2003 Hosting Solutions
 Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
 www.handynetworks.com
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Matt
 Sent: Tuesday, May 23, 2006 3:25 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Experience with 4.x

 Andrew,

 Thanks for your notes and their history.

 I'm using the following settings right now:
 THREADS30
 WAITFORMAIL500
 WAITFORTHREADS200
 WAITBETWEENTHREADS100
 WINSOCKCLEANUPOFF
 INVITEFIXON
 AUTOREVIEWON
 There are a few reasons for trying these values.
 THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID
 can only handle 30 threads with average messages.  In reality, one 
 single message can spike the system to 100%, but these are 
 uncommon.  I figure that if I open this up too wide and I am dealing 
 with a backup or something, launching more threads when at 100% CPU 
 utilization will actually slow the system down.  This was the same 
 with 2.x and before.  There is added overhead to managing threads 
 and you don't want that to happen on top of 100% CPU utilization.  I 
 am going to back up my server later tonight to see if I can't find 
 what the magic number is since I don't want to be below that magic 
 number, and it would probably be best to be a little above

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Erik,

I have the primary Alligate Gateway installed on the same box as
IMail/Declude, but on different ports. My IMail doesn't actually host
any real users, it's just a container for Declude and storage for the
lowest scoring spam. The idea is to dump as much illegitimate stuff as
possible during the SMTP envelope through the use of the 'pre-scanning'
gateway, and then do the heavy lifting with Declude. The one-box
solution saves money, and the gateway also saves money since it reduces
the burden of heavy lifting by reducing the volume.

Matt



Erik wrote:

  Matt, is your Delcude gatewayed?  Or is it running on the same server as
Imail?

-Erik


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, May 24, 2006 5:58 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x


I indicated earlier that it looked like a relative 10% improvement 
(about the difference between 35% and 32% hourly average CPU 
utilization).  I would think that this comes primarily from not needing 
to start the old declude executable every time, and the improvement 
might be more substantial on a system with a overtaxed disk.  I don't 
think the code is any more efficient as far as actual scanning goes.  
Besides that, it's typically the virus scanners and external tests that 
eat up most of the CPU on a Declude system and not Declude itself, and 
those things haven't changed.

I'm guessing that it might perform much better when redlined though if 
you tweak it right.  I believed that old Declude when getting rammed 
with overflow seemed to not perform linearly with normal performance 
with free CPU, but instead dropped, probably due to having a lot of CPU 
wait time overhead (there's probably a more accurate term for this).  
The new Declude can be more effectively controlled so as to not bog down 
the system as much.  So performance here might be 2x or more when 
redlined under optimal conditions.  This effect would be maximized if 
Declude would tie launching threads to a CPU monitor instead of a fixed 
number with no real clue as to what is perfect under any particular 
situation.

Matt




Nick Hayer wrote:

  
  
Hi Matt,

So you see any substantive performance improvement over 2x?

-Nick

Matt wrote:



  Jay,

It's not about moving along, it's about limiting the CPU to only
100%, or at least not piling it on when it gets there.  I could be 
wrong in assuming that 1 thread = 1 message (hopefully I will be 
corrected if so), but 30 average messages being processed at once 
will most definitely peg my processors, and adding more threads when 
you are at 100% will actually slow down performance.

Another note, not all systems are configured equally.  A vanilla
install of Declude would likely handle 4 times the number of messages 
that mine does since I run 4 external filters, two virus scanners, 
and something like 100 Declude filters (though they mostly get 
skipped with SKIPIFWEIGHT and END statements as they are targeted).  
Running a single virus scanner and RBL's is just a fraction of the 
load.  With my pre-scanning gateways blocking more than 90% of all 
traffic (about half of that is dictionary attacks and most of the 
rest is done with 'selective greylisting'), I can scale one server to 
handle over 20,000 addresses, possibly as many as 40,000 (doesn't 
host the accounts though), so despite the heavy config, it is optimized.

But back to the real topic...I'm just guessing that 30
messages/threads is the limit for my box, but I'm sure that it isn't 
as high as 80, though setting it at 80 would be of no consequence 
outside of a prolonged heavy load caused by something like a backup 
of my spool.  It would be a bigger mistake to set it too low.

Matt



Jay Sudowski - Handy Networks LLC wrote:

  
  
30 threads seems awfully low.  We set ours to 80 on a dual xeon box
with a separate drive for spool/logging and we move right along 
without any issues.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows
2003 Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, May 23, 2006 3:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS30
WAITFORMAIL500
WAITFORTHREADS200
WAITBETWEENTHREADS100
WINSOCKCLEANUPOFF
INVITEFIXON
AUTOREVIEWON
There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID
can only handle 30 threads with average messages.  In reality, one 
single message can spike the system to 100

RE: [Declude.JunkMail] Experience with 4.x

[Jay Sudowski - Handy Networks LLC]

Sounds like you have a very intensive setup.  We run minimal filter
tests, one virus scanner and Sniffer.  When we have experienced spool
backups, I've tinkered with the number of threads and found 80 seems to
result in the best message throughput for our particular configuration.
Any lower and we were not using the available resources, and any higher
the stress on the system resulted in message processing slow downs.  If
we're facing a particularly bad queue backup, I will disable Sniffer and
can further increase the number of threads without any impact on the
overall time to process a single message.  For our customers, a small
amount of spam leakage is far better than delayed email.

We process about 200,000 - 250,000 messages per day, and the majority of
those are during normal business hours.  As you can imagine, any small
disruption to normal queue processing can result in a fairly large queue
backup - a 30 minute issue during normal business hour can result in
10,000 queued messages.

-Jay

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, May 24, 2006 9:34 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Jay,

It's not about moving along, it's about limiting the CPU to only 100%, 
or at least not piling it on when it gets there.  I could be wrong in 
assuming that 1 thread = 1 message (hopefully I will be corrected if 
so), but 30 average messages being processed at once will most 
definitely peg my processors, and adding more threads when you are at 
100% will actually slow down performance.

Another note, not all systems are configured equally.  A vanilla install

of Declude would likely handle 4 times the number of messages that mine 
does since I run 4 external filters, two virus scanners, and something 
like 100 Declude filters (though they mostly get skipped with 
SKIPIFWEIGHT and END statements as they are targeted).  Running a single

virus scanner and RBL's is just a fraction of the load.  With my 
pre-scanning gateways blocking more than 90% of all traffic (about half 
of that is dictionary attacks and most of the rest is done with 
'selective greylisting'), I can scale one server to handle over 20,000 
addresses, possibly as many as 40,000 (doesn't host the accounts 
though), so despite the heavy config, it is optimized.

But back to the real topic...I'm just guessing that 30 messages/threads 
is the limit for my box, but I'm sure that it isn't as high as 80, 
though setting it at 80 would be of no consequence outside of a 
prolonged heavy load caused by something like a backup of my spool.  It 
would be a bigger mistake to set it too low.

Matt



Jay Sudowski - Handy Networks LLC wrote:

30 threads seems awfully low.  We set ours to 80 on a dual xeon box
with a separate drive for spool/logging and we move right along without
any issues.

Thanks!
-
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003
Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, May 23, 2006 3:25 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS30
WAITFORMAIL500
WAITFORTHREADS200
WAITBETWEENTHREADS100
WINSOCKCLEANUPOFF
INVITEFIXON
AUTOREVIEWON
There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz Xeons and RAID can
only handle 30 threads with average messages.  In reality, one single
message can spike the system to 100%, but these are uncommon.  I figure
that if I open this up too wide and I am dealing with a backup or
something, launching more threads when at 100% CPU utilization will
actually slow the system down.  This was the same with 2.x and before.
There is added overhead to managing threads and you don't want that to
happen on top of 100% CPU utilization.  I am going to back up my server
later tonight to see if I can't find what the magic number is since I
don't want to be below that magic number, and it would probably be best
to be a little above it.

WAITFORMAIL 500 - On my server, this never kicks in, but if it did, it
wouldn't make sense to delay for too long because I could build up
messages.  A half second seems good.

WAITFORTHREADS 200 - This apparently kicks in only when I reach my
thread limit; sort of like a throttle.  I don't want it to be too long
because this should only happen when I am hammered, but it is wise not
to keep hammering when you are at 100%.  Sort of a mixed bag choice
here.

WAITBETWEENTHREADS 100 - I see this setting as being the biggest issue
with sizing a server.  Setting it at 100 ms means that I can

RE: [Declude.JunkMail] Experience with 4.x

[David Barker]

The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Darrell,

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks.

My settings are as follows:

THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON

Matt




Darrell ([EMAIL PROTECTED]) wrote:

 It's a faulty design that leaves more than half a server's CPU 
 capacity unused due to the mere fact that they wait for all threads 
 to complete before moving in a new batch.


 I can't speak to what you see on your server, but that is not how it 
 is running on my server.  I just double checked again to make sure I 
 am not crazy, but as I watch the thread count on my server 
 (decludeproc) the threads fluctuate between 7 - 30 ( threads currently 
 set to 50).  It is not uncommon to see the threads move as follow: 
 11,8,10,7,15,  While I was watching it I never seen a case where 
 it went down low enough for the WAITFORMAIL setting to kick in.  
 Watching the proc/work directory you can see files moving in and out, 
 but never really emptying out.  Its possible what I am seeing is an 
 anomaly or maybe I am interpreting it wrong.

 Maybe David can comment on this.

 Darrell
 
 invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and 
 ORF. Stop spam at the source the spamvertised domain.  More effective 
 than traditional RBL's.  Try it today - http://www.invariantsystems.com
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Darrell \([EMAIL PROTECTED])]

Matt, 

That would explain why the behavior on my server is different than yours - I 
do not use the WINSOCKCLEANUP and thus see the alternate behavior. 


Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers. 



David Barker writes: 


The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000 


David B
www.declude.com 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x 

Darrell, 

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks. 

My settings are as follows: 


THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON 

Matt 

 



Darrell ([EMAIL PROTECTED]) wrote: 

It's a faulty design that leaves more than half a server's CPU 
capacity unused due to the mere fact that they wait for all threads 
to complete before moving in a new batch.



I can't speak to what you see on your server, but that is not how it 
is running on my server.  I just double checked again to make sure I 
am not crazy, but as I watch the thread count on my server 
(decludeproc) the threads fluctuate between 7 - 30 ( threads currently 
set to 50).  It is not uncommon to see the threads move as follow: 
11,8,10,7,15,  While I was watching it I never seen a case where 
it went down low enough for the WAITFORMAIL setting to kick in.  
Watching the proc/work directory you can see files moving in and out, 
but never really emptying out.  Its possible what I am seeing is an 
anomaly or maybe I am interpreting it wrong. 

Maybe David can comment on this. 


Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and 
ORF. Stop spam at the source the spamvertised domain.  More effective 
than traditional RBL's.  Try it today - http://www.invariantsystems.com

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com. 




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Mike N]

I found that WINSOCKCLEANUP ON would force a reset if the \proc directory 
never hits 0.   In this case, files build up in the \review subfolder which 
require manual processing.


- Original Message - 
From: David Barker [EMAIL PROTECTED]

To: Declude.JunkMail@declude.com
Sent: Tuesday, May 23, 2006 7:34 AM
Subject: RE: [Declude.JunkMail] Experience with 4.x



The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Experience with 4.x

[David Barker]

Mike,

1. The  WINSOCKCLEANUPON activates when the \Proc reaches 0
2. If Decludeproc stops unexpectedly files it is busy with are move to the
\review
3. You can use AUTOREVIEW   ON to have these move back to the \proc
4. Be aware though if there is a real problem message you may find that the
message gets looped
5. Make sure you have the latest version of decludeproc ... There should be
a release later today or tommorow.

David B
www.declude.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike N
Sent: Tuesday, May 23, 2006 10:23 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

I found that WINSOCKCLEANUP ON would force a reset if the \proc directory 
never hits 0.   In this case, files build up in the \review subfolder which 
require manual processing.

- Original Message -
From: David Barker [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, May 23, 2006 7:34 AM
Subject: RE: [Declude.JunkMail] Experience with 4.x


 The purpose of WINSOCKCLEANUPON is to reset the winsock, what
 happens when using this setting is that when the \proc directory hit 0
 decludeproc will finish processing all the messages in the \work before
 checking the \proc again.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Andrew has always been the King of Comments.



Nick Hayer wrote:

  
Very nice!
  
It looks like Matt has taught you well on how to comment a file :)
  
-Nick
  
Colbeck, Andrew wrote:
  


I'd second that... on both the
observed behaviour and the request for documentation.

I'mattaching my
highlycommented declude.cfg as a reasonable sample.

Andrew 8)




  
   From:
  [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
  On Behalf Of Matt
  Sent: Tuesday, May 23, 2006 10:36 AM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Experience with 4.x
  
  
David,
  
That did the trick. I can't even see any messages in my proc folder
any more. I might suggest adding your explanation to the comments in
the file just in case others feel the need to turn this on like I did.
I recalled the issues from the list and I turned it on because I didn't
want the possibility of DNS crapping out and the leakage that this
would cause.
  
Here's a screen cap of what my processor graph looks like now:
  
  
  
  
Thanks,
  
Matt
  
  
  
David Barker wrote:
  
The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Darrell,

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks.

My settings are as follows:

THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON

Matt




Darrell ([EMAIL PROTECTED]) wrote:

  

  
It's a faulty design that leaves more than half a server's CPU 
capacity unused due to the mere fact that they wait for all threads 
to complete before moving in a new batch.
  
  
  I can't speak to what you see on your server, but that is not how it 
is running on my server.  I just double checked again to make sure I 
am not crazy, but as I watch the thread count on my server 
(decludeproc) the threads fluctuate between 7 - 30 ( threads currently 
set to 50).  It is not uncommon to see the threads move as follow: 
11,8,10,7,15,  While I was watching it I never seen a case where 
it went down low enough for the WAITFORMAIL setting to kick in.  
Watching the proc/work directory you can see files moving in and out, 
but never really emptying out.  Its possible what I am seeing is an 
anomaly or maybe I am interpreting it wrong.

Maybe David can comment on this.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and 
ORF. Stop spam at the source the spamvertised domain.  More effective 
than traditional RBL's.  Try it today - http://www.invariantsystems.com
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  
  

  

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Andrew,

Thanks for your notes and their history.

I'm using the following settings right now:
THREADS  30
WAITFORMAIL 500
WAITFORTHREADS  200
WAITBETWEENTHREADS 100
WINSOCKCLEANUP  OFF
INVITEFIX ON
AUTOREVIEW  ON

There are a few reasons for trying these values.
THREADS 30 - I'm pretty confident that dual 3.2 Ghz
Xeons and RAID can only handle 30 threads with average messages. In
reality, one single message can spike the system to 100%, but these are
uncommon. I figure that if I open this up too wide and I am dealing
with a backup or something, launching more threads when at 100% CPU
utilization will actually slow the system down. This was the same with
2.x and before. There is added overhead to managing threads and you
don't want that to happen on top of 100% CPU utilization. I am going
to back up my server later tonight to see if I can't find what the
magic number is since I don't want to be below that magic number, and
it would probably be best to be a little above it.
  
  WAITFORMAIL 500 - On my server, this never kicks in, but if it
did, it wouldn't make sense to delay for too long because I could build
up messages. A half second seems good.
  
  WAITFORTHREADS 200 - This apparently kicks in only when I
reach my thread limit; sort of like a throttle. I don't want it to be
too long because this should only happen when I am hammered, but it is
wise not to keep hammering when you are at 100%. Sort of a mixed bag
choice here.
  
  WAITBETWEENTHREADS 100 - I see this setting as being the
biggest issue with sizing a server. Setting it at 100 ms means that I
can only handle 10 messages per second, and this establishes an upper
limit for what the server can do. I currently average about 5
messages per second coming from my gateways at peak hours, so I figured
that to be safe, I should double that value.
  
  INVITEFIX ON - I have it on because it comes on by default and
I don't know any better. I know nothing about the cause for needing
this outside of brief comments. It seems strange that my Declude setup
could ruin an invitation unless I was using footers. If this is only
triggered by footer use, I would like to know so that I could turn it
off. I would imagine that this causes extra load to do the check.
  
  AUTOREVIEW ON - I have this on for the same reason that Andrew
pointed out. When I restart Decludeproc, messages land in my review
folder, and I don't wish to keep manually fishing things out. If there
is an issue with looping, it would be wise for Declude to make this
only trigger say every 15 minutes instead of more regularly.

Feel free to add to this if you want.

Matt











Colbeck, Andrew wrote:

  
  
  I'd second that... on both the
observed behaviour and the request for documentation.
  
  I'mattaching my
highlycommented declude.cfg as a reasonable sample.
  
  Andrew 8)
  
  
  
  

 From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, May 23, 2006 10:36 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x


David,

That did the trick. I can't even see any messages in my proc folder
any more. I might suggest adding your explanation to the comments in
the file just in case others feel the need to turn this on like I did.
I recalled the issues from the list and I turned it on because I didn't
want the possibility of DNS crapping out and the leakage that this
would cause.

Here's a screen cap of what my processor graph looks like now:




Thanks,

Matt



David Barker wrote:

  The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Darrell,

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks.

My settings are as follows:

THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON

Matt




Darrell ([EMAIL PROTECTED]) wrote

RE: [Declude.JunkMail] Experience with 4.x

[Colbeck, Andrew]

Thanks, Nick.

It's a defensivemechanism I've used for years: keep 
the documentation with the settings. I often do the same with registry 
keys by adding a text string and blathering away. Adding dates and 
initials is also a good idea.

Andrew 8)


  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Nick 
  HayerSent: Tuesday, May 23, 2006 11:33 AMTo: 
  Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] 
  Experience with 4.x
  Very nice!It looks like Matt has taught you well on how to 
  comment a file :)-NickColbeck, Andrew wrote: 
  

I'd second that... on both the observed behaviour and 
the request for documentation.

I'mattaching my highlycommented declude.cfg 
as a reasonable sample.

Andrew 8)



  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]] 
  On Behalf Of MattSent: Tuesday, May 23, 2006 10:36 
  AMTo: Declude.JunkMail@declude.comSubject: 
  Re: [Declude.JunkMail] Experience with 
  4.xDavid,That did the trick. I can't 
  even see any messages in my proc folder any more. I might suggest 
  adding your explanation to the comments in the file just in case others 
  feel the need to turn this on like I did. I recalled the issues from 
  the list and I turned it on because I didn't want the possibility of DNS 
  crapping out and the leakage that this would cause.Here's a screen 
  cap of what my processor graph looks like now:
  Thanks,MattDavid Barker 
  wrote: 
  The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Darrell,

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks.

My settings are as follows:

THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON

Matt




Darrell ([EMAIL PROTECTED]) wrote:

  

  It's a faulty design that leaves more than half a server's CPU 
capacity unused due to the mere fact that they wait for all threads 
to complete before moving in a new batch.
  I can't speak to what you see on your server, but that is not how it 
is running on my server.  I just double checked again to make sure I 
am not crazy, but as I watch the thread count on my server 
(decludeproc) the threads fluctuate between 7 - 30 ( threads currently 
set to 50).  It is not uncommon to see the threads move as follow: 
11,8,10,7,15,  While I was watching it I never seen a case where 
it went down low enough for the WAITFORMAIL setting to kick in.  
Watching the proc/work directory you can see files moving in and out, 
but never really emptying out.  Its possible what I am seeing is an 
anomaly or maybe I am interpreting it wrong.

Maybe David can comment on this.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and 
ORF. Stop spam at the source the spamvertised domain.  More effective 
than traditional RBL's.  Try it today - http://www.invariantsystems.com
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  

RE: [Declude.JunkMail] Experience with 4.x

[Colbeck, Andrew]

"Those who cannot remember their mistakes are doomed to 
repeat them!"

Andrew 8)

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  MattSent: Tuesday, May 23, 2006 12:26 PMTo: 
  Declude.JunkMail@declude.comSubject: Re: [Declude.JunkMail] 
  Experience with 4.x
  Andrew has always been the King of Comments.Nick 
  Hayer wrote: 
  Very 
nice!It looks like Matt has taught you well on how to comment a 
file :)-NickColbeck, Andrew wrote: 

  
  I'd second that... on both the observed behaviour and 
  the request for documentation.
  
  I'mattaching my highlycommented 
  declude.cfg as a reasonable sample.
  
  Andrew 8)
  
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] 
On Behalf Of MattSent: Tuesday, May 23, 2006 10:36 
AMTo: Declude.JunkMail@declude.comSubject: 
Re: [Declude.JunkMail] Experience with 
4.xDavid,That did the trick. I can't 
even see any messages in my proc folder any more. I might suggest 
adding your explanation to the comments in the file just in case others 
feel the need to turn this on like I did. I recalled the issues 
from the list and I turned it on because I didn't want the possibility 
of DNS crapping out and the leakage that this would cause.Here's 
a screen cap of what my processor graph looks like now:
Thanks,MattDavid Barker 
wrote: 
The purpose of WINSOCKCLEANUPON is to reset the winsock, what
happens when using this setting is that when the \proc directory hit 0
decludeproc will finish processing all the messages in the \work before
checking the \proc again. As WINSOCKCLEANUP is to be used only by those who
experience DNS issues I would suggest running your tests again with
WINSOCKCLEANUP commented out and see how the behavior differs. Also having
the WAITFORMAIL to low can cause the CPU to process very high as it is
constantly checking the \proc I would suggest a minimum of 500-1000

David B
www.declude.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, May 22, 2006 8:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

Darrell,

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks.

My settings are as follows:

THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON

Matt




Darrell ([EMAIL PROTECTED]) wrote:

  
  
It's a faulty design that leaves more than half a server's CPU 
capacity unused due to the mere fact that they wait for all threads 
to complete before moving in a new batch.
  I can't speak to what you see on your server, but that is not how it 
is running on my server.  I just double checked again to make sure I 
am not crazy, but as I watch the thread count on my server 
(decludeproc) the threads fluctuate between 7 - 30 ( threads currently 
set to 50).  It is not uncommon to see the threads move as follow: 
11,8,10,7,15,  While I was watching it I never seen a case where 
it went down low enough for the WAITFORMAIL setting to kick in.  
Watching the proc/work directory you can see files moving in and out, 
but never really emptying out.  Its possible what I am seeing is an 
anomaly or maybe I am interpreting it wrong.

Maybe David can comment on this.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and 
ORF. Stop spam at the source the spamvertised domain.  More effective 
than traditional RBL's.  Try it today - http://www.invariantsystems.com
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  

RE: [Declude.JunkMail] Experience with 4.x

[Colbeck, Andrew]

David, is there a proactive way to detect if an installation would
benefit from the WINSOCKCLEANUP ON directive in declude.cfg?

I would rather be able to detect this while it's happening than to react
when I find that spam is leaking or that the proc folder is continually
growing.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 7:48 AM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 Mike,
 
 1. The  WINSOCKCLEANUPON activates when the \Proc reaches 0
 2. If Decludeproc stops unexpectedly files it is busy with 
 are move to the \review
 3. You can use AUTOREVIEW ON to have these move back to the \proc
 4. Be aware though if there is a real problem message you may 
 find that the message gets looped 5. Make sure you have the 
 latest version of decludeproc ... There should be a release 
 later today or tommorow.
 
 David B
 www.declude.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
 Sent: Tuesday, May 23, 2006 10:23 AM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] Experience with 4.x
 
 I found that WINSOCKCLEANUP ON would force a reset if the 
 \proc directory 
 never hits 0.   In this case, files build up in the \review 
 subfolder which 
 require manual processing.
 
 - Original Message -
 From: David Barker [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Tuesday, May 23, 2006 7:34 AM
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 
  The purpose of WINSOCKCLEANUPON is to reset the 
 winsock, what
  happens when using this setting is that when the \proc 
 directory hit 0 
  decludeproc will finish processing all the messages in the \work 
  before checking the \proc again.
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

I have an idea. Maybe this should be triggered automatically if every
DNS lookup times out on a single message. That way we wouldn't have to
set it, and it would only be called when conditions warrant.

Matt



Colbeck, Andrew wrote:

  David, is there a proactive way to detect if an installation would
benefit from the WINSOCKCLEANUP ON directive in declude.cfg?

I would rather be able to detect this while it's happening than to react
when I find that spam is leaking or that the proc folder is continually
growing.

Andrew.


  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of David Barker
Sent: Tuesday, May 23, 2006 7:48 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

Mike,

1. The  WINSOCKCLEANUPON activates when the \Proc reaches 0
2. If Decludeproc stops unexpectedly files it is busy with 
are move to the \review
3. You can use AUTOREVIEW	ON to have these move back to the \proc
4. Be aware though if there is a real problem message you may 
find that the message gets looped 5. Make sure you have the 
latest version of decludeproc ... There should be a release 
later today or tommorow.

David B
www.declude.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Mike N
Sent: Tuesday, May 23, 2006 10:23 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Experience with 4.x

I found that WINSOCKCLEANUP ON would force a reset if the 
\proc directory 
never hits 0.   In this case, files build up in the \review 
subfolder which 
require manual processing.

- Original Message -
From: "David Barker" [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Tuesday, May 23, 2006 7:34 AM
Subject: RE: [Declude.JunkMail] Experience with 4.x




  The purpose of WINSOCKCLEANUPON is to reset the 
  

winsock, what


  happens when using this setting is that when the \proc 
  

directory hit 0 


  decludeproc will finish processing all the messages in the \work 
before checking the \proc again.
  

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
type "unsubscribe Declude.JunkMail".  The archives can be 
found at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
type "unsubscribe Declude.JunkMail".  The archives can be 
found at http://www.mail-archive.com.


  
  ---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  

RE: [Declude.JunkMail] Experience with 4.x

[Colbeck, Andrew]

David, that sounds like the case I saw that noted that his firewall
wasn't allowing outbound DNS and also noted that implementing
WINSOCKCLEANUP ON worked for him.  I wasn't at all sure that the winsock
fix was relevant for him!

I'll keep watching my folders.  Perhaps I'll get lucky enough to need to
the fix and may offer some further insight here.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 3:30 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 The only way that we have detected this was with Imail and 
 mail being stuck in the spool. ...network stack causing loss 
 of functionality for basic network operations is generic but 
 if I remember correctly when this happened the admin was not 
 even able to ping an outside server, which would suggest to 
 me other IP communications fail as well.
 
 David B
 www.declude.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Colbeck, Andrew
 Sent: Tuesday, May 23, 2006 6:26 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 Thanks, David.
 
 I've read all of the support forum emails that have been 
 posted on the WINSOCKCLEANUP and even reviewed them again via 
 the mail archive website before my own implementation.
 
 What I haven't been able to tell is whether I can diagnose 
 this issue if I have it before it becomes an outage.
 
 Can it only be detected by it's side-effect of filling up the 
 proc folder?
 
 If I have a mechanism on my IMail server that does DNS 
 queries... Will they fail when the WinSock needs being 
 cleaned up?  I think not, as at least one posting 
 specifically mentioned that IMail IP4R tests worked when 
 DecludeProc IP4R tests timed out.
 
 Your official description for WINSOCKCLEANUP ON says 
 ...network stack causing loss of functionality for basic 
 network operations; is this deliberately generic so that you 
 don't have to explain what a DNS test is, or does it imply 
 that other IP communications will also fail, e.g.
 SMTP and (critically for me) RDP?
 
 Andrew.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 David Barker
  Sent: Tuesday, May 23, 2006 3:12 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  Andrew,
  
  In certain cases we found that Imail would stop resolving, 
 it seemed 
  that stop/starting the decludeproc or smtp service fixed 
 the problem 
  by resetting the winsock. So we added WINSOCKCLEANUP to 
 deal with this 
  specific Imail issue.
  
  David B
  www.declude.com
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  Andrew
  Sent: Tuesday, May 23, 2006 3:45 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  David, is there a proactive way to detect if an installation would 
  benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
  
  I would rather be able to detect this while it's happening than to 
  react when I find that spam is leaking or that the proc folder is 
  continually growing.
  
  Andrew.
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  David Barker
   Sent: Tuesday, May 23, 2006 7:48 AM
   To: Declude.JunkMail@declude.com
   Subject: RE: [Declude.JunkMail] Experience with 4.x
   
   Mike,
   
   1. The  WINSOCKCLEANUPON activates when the \Proc 
 reaches 0
   2. If Decludeproc stops unexpectedly files it is busy with
  are move to
   the \review
   3. You can use AUTOREVIEW ON to have these move back to the \proc
   4. Be aware though if there is a real problem message you 
 may find 
   that the message gets looped 5. Make sure you have the
  latest version
   of decludeproc ... There should be a release later today or
  tommorow.
   
   David B
   www.declude.com
   
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
   Sent: Tuesday, May 23, 2006 10:23 AM
   To: Declude.JunkMail@declude.com
   Subject: Re: [Declude.JunkMail] Experience with 4.x
   
   I found that WINSOCKCLEANUP ON would force a reset if the \proc 
   directory
   never hits 0.   In this case, files build up in the \review 
   subfolder which
   require manual processing.
   
   - Original Message -
   From: David Barker [EMAIL PROTECTED]
   To: Declude.JunkMail@declude.com
   Sent: Tuesday, May 23, 2006 7:34 AM
   Subject: RE: [Declude.JunkMail] Experience with 4.x
   
   
The purpose of WINSOCKCLEANUPON is to reset the 
   winsock, what
happens when using this setting is that when the \proc
   directory hit 0
decludeproc will finish processing all the messages in 
 the \work 
before checking the \proc again

RE: [Declude.JunkMail] Experience with 4.x

[David Barker]

Thanks for the help. Any feedback appreciated.

David B
www.declude.com 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, May 23, 2006 6:36 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x

David, that sounds like the case I saw that noted that his firewall wasn't
allowing outbound DNS and also noted that implementing WINSOCKCLEANUP ON
worked for him.  I wasn't at all sure that the winsock fix was relevant for
him!

I'll keep watching my folders.  Perhaps I'll get lucky enough to need to the
fix and may offer some further insight here.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 3:30 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 The only way that we have detected this was with Imail and mail being 
 stuck in the spool. ...network stack causing loss of functionality 
 for basic network operations is generic but if I remember correctly 
 when this happened the admin was not even able to ping an outside 
 server, which would suggest to me other IP communications fail as 
 well.
 
 David B
 www.declude.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
 Andrew
 Sent: Tuesday, May 23, 2006 6:26 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 Thanks, David.
 
 I've read all of the support forum emails that have been posted on the 
 WINSOCKCLEANUP and even reviewed them again via the mail archive 
 website before my own implementation.
 
 What I haven't been able to tell is whether I can diagnose this issue 
 if I have it before it becomes an outage.
 
 Can it only be detected by it's side-effect of filling up the proc 
 folder?
 
 If I have a mechanism on my IMail server that does DNS queries... Will 
 they fail when the WinSock needs being cleaned up?  I think not, as at 
 least one posting specifically mentioned that IMail IP4R tests worked 
 when DecludeProc IP4R tests timed out.
 
 Your official description for WINSOCKCLEANUP ON says ...network 
 stack causing loss of functionality for basic network operations; is 
 this deliberately generic so that you don't have to explain what a DNS 
 test is, or does it imply that other IP communications will also fail, 
 e.g.
 SMTP and (critically for me) RDP?
 
 Andrew.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 David Barker
  Sent: Tuesday, May 23, 2006 3:12 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  Andrew,
  
  In certain cases we found that Imail would stop resolving,
 it seemed
  that stop/starting the decludeproc or smtp service fixed
 the problem
  by resetting the winsock. So we added WINSOCKCLEANUP to
 deal with this
  specific Imail issue.
  
  David B
  www.declude.com
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  Andrew
  Sent: Tuesday, May 23, 2006 3:45 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
  
  David, is there a proactive way to detect if an installation would 
  benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
  
  I would rather be able to detect this while it's happening than to 
  react when I find that spam is leaking or that the proc folder is 
  continually growing.
  
  Andrew.
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  David Barker
   Sent: Tuesday, May 23, 2006 7:48 AM
   To: Declude.JunkMail@declude.com
   Subject: RE: [Declude.JunkMail] Experience with 4.x
   
   Mike,
   
   1. The  WINSOCKCLEANUPON activates when the \Proc 
 reaches 0
   2. If Decludeproc stops unexpectedly files it is busy with
  are move to
   the \review
   3. You can use AUTOREVIEW ON to have these move back to the \proc
   4. Be aware though if there is a real problem message you
 may find
   that the message gets looped 5. Make sure you have the
  latest version
   of decludeproc ... There should be a release later today or
  tommorow.
   
   David B
   www.declude.com
   
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
   Sent: Tuesday, May 23, 2006 10:23 AM
   To: Declude.JunkMail@declude.com
   Subject: Re: [Declude.JunkMail] Experience with 4.x
   
   I found that WINSOCKCLEANUP ON would force a reset if the \proc 
   directory
   never hits 0.   In this case, files build up in the \review 
   subfolder which
   require manual processing.
   
   - Original Message -
   From: David Barker [EMAIL PROTECTED]
   To: Declude.JunkMail@declude.com
   Sent: Tuesday, May 23, 2006 7:34 AM
   Subject: RE: [Declude.JunkMail] Experience

RE: [Declude.JunkMail] Experience with 4.x

[John Doyle]

Andrew

I had this problme last year, decludeproc will suffer memory creep, slowly
building over time.
You can see if it's happening by opening taskmanager and checking the memory
used by decludeproc.
For us it would run for about 4 hours before a problem arose.

I can't remember what finally fixed the problem for us. I have used the
dnsoverride function to direct it to a less used dns server. But I can't
recall if that was the fix or not. We might have had a firewall port issue.

I'd turn the winsockcleanup off and monitor your memory usage. If it keeps
creeping up turn it back on.

John



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew
Sent: Tuesday, May 23, 2006 3:26 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x


Thanks, David.

I've read all of the support forum emails that have been posted on the
WINSOCKCLEANUP and even reviewed them again via the mail archive website
before my own implementation.

What I haven't been able to tell is whether I can diagnose this issue if
I have it before it becomes an outage.

Can it only be detected by it's side-effect of filling up the proc
folder?

If I have a mechanism on my IMail server that does DNS queries... Will
they fail when the WinSock needs being cleaned up?  I think not, as at
least one posting specifically mentioned that IMail IP4R tests worked
when DecludeProc IP4R tests timed out.

Your official description for WINSOCKCLEANUP ON says ...network stack
causing loss of functionality for basic network operations; is this
deliberately generic so that you don't have to explain what a DNS test
is, or does it imply that other IP communications will also fail, e.g.
SMTP and (critically for me) RDP?

Andrew.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 3:12 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x

 Andrew,

 In certain cases we found that Imail would stop resolving, it
 seemed that stop/starting the decludeproc or smtp service
 fixed the problem by resetting the winsock. So we added
 WINSOCKCLEANUP to deal with this specific Imail issue.

 David B
 www.declude.com

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Colbeck, Andrew
 Sent: Tuesday, May 23, 2006 3:45 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x

 David, is there a proactive way to detect if an installation
 would benefit from the WINSOCKCLEANUP ON directive in declude.cfg?

 I would rather be able to detect this while it's happening
 than to react when I find that spam is leaking or that the
 proc folder is continually growing.

 Andrew.


  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 David Barker
  Sent: Tuesday, May 23, 2006 7:48 AM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  Mike,
 
  1. The  WINSOCKCLEANUPON activates when the \Proc reaches 0
  2. If Decludeproc stops unexpectedly files it is busy with
 are move to
  the \review
  3. You can use AUTOREVIEW   ON to have these move back to the \proc
  4. Be aware though if there is a real problem message you may find
  that the message gets looped 5. Make sure you have the
 latest version
  of decludeproc ... There should be a release later today or
 tommorow.
 
  David B
  www.declude.com
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
  Sent: Tuesday, May 23, 2006 10:23 AM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] Experience with 4.x
 
  I found that WINSOCKCLEANUP ON would force a reset if the \proc
  directory
  never hits 0.   In this case, files build up in the \review
  subfolder which
  require manual processing.
 
  - Original Message -
  From: David Barker [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Tuesday, May 23, 2006 7:34 AM
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 
   The purpose of WINSOCKCLEANUPON is to reset the
  winsock, what
   happens when using this setting is that when the \proc
  directory hit 0
   decludeproc will finish processing all the messages in the \work
   before checking the \proc again.
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
  unsubscribe Declude.JunkMail.  The archives can be found at
  http://www.mail-archive.com.
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
  unsubscribe Declude.JunkMail.  The archives can be found at
  http://www.mail-archive.com.
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL

RE: [Declude.JunkMail] Experience with 4.x

[John Doyle]

This sounds like me.

I found some notes from my issue back in December.

When upgrading to v 3 from v 2x we would loose connectivity every 3 or 4
hours.
We finally figured out Decludeproc needs to get out on port 53 for some dns
function.
We allowed outbound port 53 for dns and the problem went away. This
apparently is for the initial authorization of the software. I think this is
a one time event.

Upgrading from V3 to V4 we had the same problem. It was resolved with a
phone call to Declude and the discovery that that the initial authorization
had been
moved from port 53 to port 25. After making that change to the firewall V4
runs fine.

Good luck


John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Colbeck, Andrew
Sent: Tuesday, May 23, 2006 3:36 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x


David, that sounds like the case I saw that noted that his firewall
wasn't allowing outbound DNS and also noted that implementing
WINSOCKCLEANUP ON worked for him.  I wasn't at all sure that the winsock
fix was relevant for him!

I'll keep watching my folders.  Perhaps I'll get lucky enough to need to
the fix and may offer some further insight here.

Andrew.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
 Sent: Tuesday, May 23, 2006 3:30 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x

 The only way that we have detected this was with Imail and
 mail being stuck in the spool. ...network stack causing loss
 of functionality for basic network operations is generic but
 if I remember correctly when this happened the admin was not
 even able to ping an outside server, which would suggest to
 me other IP communications fail as well.

 David B
 www.declude.com

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Colbeck, Andrew
 Sent: Tuesday, May 23, 2006 6:26 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x

 Thanks, David.

 I've read all of the support forum emails that have been
 posted on the WINSOCKCLEANUP and even reviewed them again via
 the mail archive website before my own implementation.

 What I haven't been able to tell is whether I can diagnose
 this issue if I have it before it becomes an outage.

 Can it only be detected by it's side-effect of filling up the
 proc folder?

 If I have a mechanism on my IMail server that does DNS
 queries... Will they fail when the WinSock needs being
 cleaned up?  I think not, as at least one posting
 specifically mentioned that IMail IP4R tests worked when
 DecludeProc IP4R tests timed out.

 Your official description for WINSOCKCLEANUP ON says
 ...network stack causing loss of functionality for basic
 network operations; is this deliberately generic so that you
 don't have to explain what a DNS test is, or does it imply
 that other IP communications will also fail, e.g.
 SMTP and (critically for me) RDP?

 Andrew.



  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 David Barker
  Sent: Tuesday, May 23, 2006 3:12 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  Andrew,
 
  In certain cases we found that Imail would stop resolving,
 it seemed
  that stop/starting the decludeproc or smtp service fixed
 the problem
  by resetting the winsock. So we added WINSOCKCLEANUP to
 deal with this
  specific Imail issue.
 
  David B
  www.declude.com
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck,
  Andrew
  Sent: Tuesday, May 23, 2006 3:45 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  David, is there a proactive way to detect if an installation would
  benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
 
  I would rather be able to detect this while it's happening than to
  react when I find that spam is leaking or that the proc folder is
  continually growing.
 
  Andrew.
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  David Barker
   Sent: Tuesday, May 23, 2006 7:48 AM
   To: Declude.JunkMail@declude.com
   Subject: RE: [Declude.JunkMail] Experience with 4.x
  
   Mike,
  
   1. The  WINSOCKCLEANUPON activates when the \Proc
 reaches 0
   2. If Decludeproc stops unexpectedly files it is busy with
  are move to
   the \review
   3. You can use AUTOREVIEW ON to have these move back to the \proc
   4. Be aware though if there is a real problem message you
 may find
   that the message gets looped 5. Make sure you have the
  latest version
   of decludeproc ... There should be a release later today or
  tommorow.
  
   David B
   www.declude.com
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED

RE: [Declude.JunkMail] Experience with 4.x

[Colbeck, Andrew]

Thanks for ringing in, John.

Wow, this new-fangled support forum thingy does have it's uses!

Andrew 8)

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
 Sent: Tuesday, May 23, 2006 4:13 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 This sounds like me.
 
 I found some notes from my issue back in December.
 
 When upgrading to v 3 from v 2x we would loose connectivity 
 every 3 or 4 hours.
 We finally figured out Decludeproc needs to get out on port 
 53 for some dns function.
 We allowed outbound port 53 for dns and the problem went 
 away. This apparently is for the initial authorization of the 
 software. I think this is a one time event.
 
 Upgrading from V3 to V4 we had the same problem. It was 
 resolved with a phone call to Declude and the discovery that 
 that the initial authorization had been moved from port 53 to 
 port 25. After making that change to the firewall V4 runs fine.
 
 Good luck
 
 
 John
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of 
 Colbeck, Andrew
 Sent: Tuesday, May 23, 2006 3:36 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 
 David, that sounds like the case I saw that noted that his 
 firewall wasn't allowing outbound DNS and also noted that 
 implementing WINSOCKCLEANUP ON worked for him.  I wasn't at 
 all sure that the winsock fix was relevant for him!
 
 I'll keep watching my folders.  Perhaps I'll get lucky enough 
 to need to the fix and may offer some further insight here.
 
 Andrew.
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 David Barker
  Sent: Tuesday, May 23, 2006 3:30 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  The only way that we have detected this was with Imail and 
 mail being 
  stuck in the spool. ...network stack causing loss of functionality 
  for basic network operations is generic but if I remember 
 correctly 
  when this happened the admin was not even able to ping an outside 
  server, which would suggest to me other IP communications fail as 
  well.
 
  David B
  www.declude.com
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  Andrew
  Sent: Tuesday, May 23, 2006 6:26 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  Thanks, David.
 
  I've read all of the support forum emails that have been 
 posted on the 
  WINSOCKCLEANUP and even reviewed them again via the mail archive 
  website before my own implementation.
 
  What I haven't been able to tell is whether I can diagnose 
 this issue 
  if I have it before it becomes an outage.
 
  Can it only be detected by it's side-effect of filling up the proc 
  folder?
 
  If I have a mechanism on my IMail server that does DNS 
 queries... Will 
  they fail when the WinSock needs being cleaned up?  I think 
 not, as at 
  least one posting specifically mentioned that IMail IP4R 
 tests worked 
  when DecludeProc IP4R tests timed out.
 
  Your official description for WINSOCKCLEANUP ON says ...network 
  stack causing loss of functionality for basic network 
 operations; is 
  this deliberately generic so that you don't have to explain 
 what a DNS 
  test is, or does it imply that other IP communications will 
 also fail, 
  e.g.
  SMTP and (critically for me) RDP?
 
  Andrew.
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  David Barker
   Sent: Tuesday, May 23, 2006 3:12 PM
   To: Declude.JunkMail@declude.com
   Subject: RE: [Declude.JunkMail] Experience with 4.x
  
   Andrew,
  
   In certain cases we found that Imail would stop resolving,
  it seemed
   that stop/starting the decludeproc or smtp service fixed
  the problem
   by resetting the winsock. So we added WINSOCKCLEANUP to
  deal with this
   specific Imail issue.
  
   David B
   www.declude.com
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
   Andrew
   Sent: Tuesday, May 23, 2006 3:45 PM
   To: Declude.JunkMail@declude.com
   Subject: RE: [Declude.JunkMail] Experience with 4.x
  
   David, is there a proactive way to detect if an 
 installation would 
   benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
  
   I would rather be able to detect this while it's 
 happening than to 
   react when I find that spam is leaking or that the proc folder is 
   continually growing.
  
   Andrew.
  
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
   David Barker
Sent: Tuesday, May 23, 2006 7:48 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Experience with 4.x
   
Mike,
   
1. The  WINSOCKCLEANUP

RE: [Declude.JunkMail] Experience with 4.x

[Colbeck, Andrew]

John,

I've been monitoring DecludeProc.exe with Performance Monitor,
specifically, the  process counters for threads, cpu, handles and
working set memory and have not seen any leaks.

It was through monitoring the threads that I was able to comment on the
sawtooth pattern that Matt and I were both seeing.

I'm also using an in-house script to count the number of message files
in the proc folder and email the results if the count is more than 100
to an internal mailserver's IP address thanks to a 3rd party SMTP tool
(postie.exe)... That whole bandaid mechanism should survive any DNS
relates WinSock outage.  I think I've got my belt and suspenders on.

Andrew 8)


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of John Doyle
 Sent: Tuesday, May 23, 2006 3:43 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 Andrew
 
 I had this problme last year, decludeproc will suffer memory 
 creep, slowly building over time.
 You can see if it's happening by opening taskmanager and 
 checking the memory used by decludeproc.
 For us it would run for about 4 hours before a problem arose.
 
 I can't remember what finally fixed the problem for us. I 
 have used the dnsoverride function to direct it to a less 
 used dns server. But I can't recall if that was the fix or 
 not. We might have had a firewall port issue.
 
 I'd turn the winsockcleanup off and monitor your memory 
 usage. If it keeps creeping up turn it back on.
 
 John
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of 
 Colbeck, Andrew
 Sent: Tuesday, May 23, 2006 3:26 PM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] Experience with 4.x
 
 
 Thanks, David.
 
 I've read all of the support forum emails that have been 
 posted on the WINSOCKCLEANUP and even reviewed them again via 
 the mail archive website before my own implementation.
 
 What I haven't been able to tell is whether I can diagnose 
 this issue if I have it before it becomes an outage.
 
 Can it only be detected by it's side-effect of filling up the 
 proc folder?
 
 If I have a mechanism on my IMail server that does DNS 
 queries... Will they fail when the WinSock needs being 
 cleaned up?  I think not, as at least one posting 
 specifically mentioned that IMail IP4R tests worked when 
 DecludeProc IP4R tests timed out.
 
 Your official description for WINSOCKCLEANUP ON says 
 ...network stack causing loss of functionality for basic 
 network operations; is this deliberately generic so that you 
 don't have to explain what a DNS test is, or does it imply 
 that other IP communications will also fail, e.g.
 SMTP and (critically for me) RDP?
 
 Andrew.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 David Barker
  Sent: Tuesday, May 23, 2006 3:12 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  Andrew,
 
  In certain cases we found that Imail would stop resolving, 
 it seemed 
  that stop/starting the decludeproc or smtp service fixed 
 the problem 
  by resetting the winsock. So we added WINSOCKCLEANUP to 
 deal with this 
  specific Imail issue.
 
  David B
  www.declude.com
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, 
  Andrew
  Sent: Tuesday, May 23, 2006 3:45 PM
  To: Declude.JunkMail@declude.com
  Subject: RE: [Declude.JunkMail] Experience with 4.x
 
  David, is there a proactive way to detect if an installation would 
  benefit from the WINSOCKCLEANUP ON directive in declude.cfg?
 
  I would rather be able to detect this while it's happening than to 
  react when I find that spam is leaking or that the proc folder is 
  continually growing.
 
  Andrew.
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  David Barker
   Sent: Tuesday, May 23, 2006 7:48 AM
   To: Declude.JunkMail@declude.com
   Subject: RE: [Declude.JunkMail] Experience with 4.x
  
   Mike,
  
   1. The  WINSOCKCLEANUPON activates when the \Proc 
 reaches 0
   2. If Decludeproc stops unexpectedly files it is busy with
  are move to
   the \review
   3. You can use AUTOREVIEW ON to have these move back to the \proc
   4. Be aware though if there is a real problem message you 
 may find 
   that the message gets looped 5. Make sure you have the
  latest version
   of decludeproc ... There should be a release later today or
  tommorow.
  
   David B
   www.declude.com
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Mike N
   Sent: Tuesday, May 23, 2006 10:23 AM
   To: Declude.JunkMail@declude.com
   Subject: Re: [Declude.JunkMail] Experience with 4.x
  
   I found that WINSOCKCLEANUP ON would force a reset if the \proc 
   directory
   never hits 0.   In this case, files build up in the \review

Re: [Declude.JunkMail] Experience with 4.x

[Darrell \([EMAIL PROTECTED])]

The problem with this architecture is that when it moves a batch of 
messages into the work folder for processing, it quickly pegs the 
processor at 100% as it launches all of the threads, but most messages go 
through all of the steps quickly so the processors sit almost idle while 
it is waiting for DNS lookups and virus scanning (which I do after JM).  
Here's a sample of my combined CPU graph showing the pattern that this 
creates:


I commented along time ago about this.  Declude does give you options to 
work with this.  Essentially changing your WAITBETWEENTHREADS setting works 
around this fairly decent.  I use it to give just a bit of time between each 
of the threads to prevent (50+ external programs from being called at once. 

Now as you tweak that setting and others you will give yourself a more 
predictable cpu curve line.  By tweaking the settings you can keep 
decludeproc processing messages and hopefully never entering the 
WAITFORMAIL cycle. 

Darrell 


---
Check out http://www.invariantsystems.com for utilities for Declude, Imail, 
mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, SURBL/URI 
integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Darrell,

I've tweaked the settings, knowing the issues before I tried 4.x.  The 
problem is that because they are batch processing and because there is 
significant latency in scanning some messages to factors such as 
messages size, virus scanning and DNS timeouts, the server does nothing 
for long periods while it waits for one task to finish regardless of 
whether there is one message in proc or there are 1 million messages in 
proc.


It's a faulty design that leaves more than half a server's CPU capacity 
unused due to the mere fact that they wait for all threads to complete 
before moving in a new batch.


Matt



Darrell ([EMAIL PROTECTED]) wrote:

The problem with this architecture is that when it moves a batch of 
messages into the work folder for processing, it quickly pegs the 
processor at 100% as it launches all of the threads, but most 
messages go through all of the steps quickly so the processors sit 
almost idle while it is waiting for DNS lookups and virus scanning 
(which I do after JM).  Here's a sample of my combined CPU graph 
showing the pattern that this creates:



I commented along time ago about this.  Declude does give you options 
to work with this.  Essentially changing your WAITBETWEENTHREADS 
setting works around this fairly decent.  I use it to give just a bit 
of time between each of the threads to prevent (50+ external programs 
from being called at once.
Now as you tweak that setting and others you will give yourself a more 
predictable cpu curve line.  By tweaking the settings you can keep 
decludeproc processing messages and hopefully never entering the 
WAITFORMAIL cycle.

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Darrell \([EMAIL PROTECTED])]

It's a faulty design that leaves more than half a server's CPU capacity 
unused due to the mere fact that they wait for all threads to complete 
before moving in a new batch.


I can't speak to what you see on your server, but that is not how it is 
running on my server.  I just double checked again to make sure I am not 
crazy, but as I watch the thread count on my server (decludeproc) the 
threads fluctuate between 7 - 30 ( threads currently set to 50).  It is not 
uncommon to see the threads move as follow: 11,8,10,7,15,  While I was 
watching it I never seen a case where it went down low enough for the 
WAITFORMAIL setting to kick in.  Watching the proc/work directory you can 
see files moving in and out, but never really emptying out.  Its possible 
what I am seeing is an anomaly or maybe I am interpreting it wrong.


Maybe David can comment on this.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and ORF. 
Stop spam at the source the spamvertised domain.  More effective than 
traditional RBL's.  Try it today - http://www.invariantsystems.com 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

I have a few more things to add now with a little more testing.

I let my gateways backup on E-mail so that I could slam Declude, and
here's what happens.

When Declude is not hitting it's THREADS setting, it waits until the
work folder is empty before moving in a new batch. When Declude is
hitting the THREADS setting, it seems to move in messages just as
quickly as the threads are freed up. As soon as the proc folder no
longer contains more messages than your THREADS setting, Declude again
starts waiting until the work directory is empty before moving in
another batch. Here's a graph of one of these periods:




So while hitting your thread limit, it seems to be able to reach
virtually full server capacity, but it performs much differently when
you are under your THREADS capacity. This suggests that it is a bad
idea to have your THREADS setting too high, though this is only because
of the strange way that Declude acts.

It should be able to do almost 100% under these circumstances, but it's
not optimal behavior.

Matt






Matt wrote:

  
I figured that i would just start a new thread for this instead of
adding to the old one.
  
This was the first time that I have used a version of Declude that runs
as a service. I'm unfortunately surprised and disappointed at how it
handles things, but a lot more makes sense now.
  
In a nutshell, what happens is now Declude batch processes messages,
and waits for every message from a batch to complete processing before
it grabs a new batch. The time that it takes for a batch to process is
variable, and mostly depends on virus scanning and DNS
timeouts/slowness. Some batches complete in 10 seconds, but some take
more than a minute. The one that I noticed that took over a minute was
the result of 3/4 of that time spent on the last message which needed
to be virus scanned, and the message was large so it took a while to be
virus scanned.
  
The problem with this architecture is that when it moves a batch of
messages into the work folder for processing, it quickly pegs the
processor at 100% as it launches all of the threads, but most messages
go through all of the steps quickly so the processors sit almost idle
while it is waiting for DNS lookups and virus scanning (which I do
after JM). Here's a sample of my combined CPU graph showing the
pattern that this creates:
  
  
  
  
This is actually the most optimal pattern, but in one where there is a
significant delay in one message can go on for over a minute at lower
than 5% CPU utilization while it waits for one message that requires
extra work. During peak times on my server, I am seeing between 10 and
40 messages being moved to "work" at one time.
  
The net result of this is that my server will only handle less than
half the number of the number of messages that it could if I could
actually ride 100% and launch threads as messages came in instead of in
threads. Under this architecture, there is nothing that I can do about
this. I also don't like the idea of hitting 100% so frequently as it
does since running at 100% causes a much increased chance of
instability.
  
This architecture also explains why so many posted here about E-mail
backups. Their default settings would move in less messages than they
were collecting in the proc folder while waiting for things to be
processed. I'm sure that this graph doesn't look nearly as bad with a
vanilla install of Declude, but with 4 external tests, one of which
does multiple serial DNS lookups, and then the latency of having two
virus scanners run in serial means that finishing up a batch takes more
time, which is less time that the CPU is actually doing much.
  
Others have reported that Declude 3+ is faster than 2-. I run SNMP
monitoring of my server's CPU that takes one minute averages, and when
you average those out over an hour, my peaks are maybe 10% lower
relative to before (i.e. 32% instead of 35%). So it does apparently
work more efficiently to some extent, but there is no way that my
server could ever surpass 50% hourly averages when using the batch
processing, so my server's capacity is actually less than half of what
it was with 2.0.6.16. I am absolutely astonished that I haven't seen
anyone comment about this before.
  
What Declude needs to do is not wait for an entire batch to complete.
They should set a maximum thread limit, and then allow us to configure
the number of free threads to wait for before picking up new messages
to process. So instead of waiting 30 seconds for a virus scan to
complete on one message with 40 waiting in the proc folder, it should
start picking up messages as soon as it sees free threads.
  
I also immediately came across a bug with whitelisting. For some
reason WHITELIST IP is now being applied before IPBYPASS, and to
complicate matters, it won't log for JunkMail at LOGLEVEL MID when this
happens. In 2.0.6.16 and before, IPBYPASS was applied before any
processing based on the IP was done. I'm guessing that when they fixed

Re: [Declude.JunkMail] Experience with 4.x

[Matt]

Darrell,

I put up two Windows Explorer windows side-by-side under normal volume 
and the pattern was consistent where the proc folder grows while the 
work folder shrinks until the work folder hits zero at which point the 
proc folder empties out and everything lands in work and then the 
pattern repeats with proc growing while work shrinks.


My settings are as follows:

THREADS50
WAITFORMAIL100
WAITFORTHREADS10
WAITBETWEENTHREADS50
WINSOCKCLEANUPON
AUTOREVIEWON
INVITEFIXON

Matt




Darrell ([EMAIL PROTECTED]) wrote:

It's a faulty design that leaves more than half a server's CPU 
capacity unused due to the mere fact that they wait for all threads 
to complete before moving in a new batch.



I can't speak to what you see on your server, but that is not how it 
is running on my server.  I just double checked again to make sure I 
am not crazy, but as I watch the thread count on my server 
(decludeproc) the threads fluctuate between 7 - 30 ( threads currently 
set to 50).  It is not uncommon to see the threads move as follow: 
11,8,10,7,15,  While I was watching it I never seen a case where 
it went down low enough for the WAITFORMAIL setting to kick in.  
Watching the proc/work directory you can see files moving in and out, 
but never really emptying out.  Its possible what I am seeing is an 
anomaly or maybe I am interpreting it wrong.


Maybe David can comment on this.

Darrell

invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and 
ORF. Stop spam at the source the spamvertised domain.  More effective 
than traditional RBL's.  Try it today - http://www.invariantsystems.com

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Experience with 4.x

[Imail Admin]

I'd sure like to see some Declude comments on this discussion.

Ben
BC Web

- Original Message - 
From: Matt [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, May 22, 2006 5:12 PM
Subject: Re: [Declude.JunkMail] Experience with 4.x


 Darrell,

 I put up two Windows Explorer windows side-by-side under normal volume
 and the pattern was consistent where the proc folder grows while the
 work folder shrinks until the work folder hits zero at which point the
 proc folder empties out and everything lands in work and then the
 pattern repeats with proc growing while work shrinks.

 My settings are as follows:

 THREADS50
 WAITFORMAIL100
 WAITFORTHREADS10
 WAITBETWEENTHREADS50
 WINSOCKCLEANUPON
 AUTOREVIEWON
 INVITEFIXON

 Matt




 Darrell ([EMAIL PROTECTED]) wrote:

  It's a faulty design that leaves more than half a server's CPU
  capacity unused due to the mere fact that they wait for all threads
  to complete before moving in a new batch.
 
 
  I can't speak to what you see on your server, but that is not how it
  is running on my server.  I just double checked again to make sure I
  am not crazy, but as I watch the thread count on my server
  (decludeproc) the threads fluctuate between 7 - 30 ( threads currently
  set to 50).  It is not uncommon to see the threads move as follow:
  11,8,10,7,15,  While I was watching it I never seen a case where
  it went down low enough for the WAITFORMAIL setting to kick in.
  Watching the proc/work directory you can see files moving in and out,
  but never really emptying out.  Its possible what I am seeing is an
  anomaly or maybe I am interpreting it wrong.
 
  Maybe David can comment on this.
 
  Darrell
  
  invURIBL - Intelligent URI filtering plug-in for Declude, mxGuard, and
  ORF. Stop spam at the source the spamvertised domain.  More effective
  than traditional RBL's.  Try it today - http://www.invariantsystems.com
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
 
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.