Re: [Declude.JunkMail] Global.cfg cleanup
David,

Thanks for the info!! I was aware of Hijack but, being a long time Declude user, I thought it was still a product that needs to be purchased separately. I turned it on and will track how it does.

Thanks again,
Don

----- Original Message -----
From: David Barker
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 2:19 PM
Subject: RE: [Declude.JunkMail] Global.cfg cleanup

This is exactly what Declude Hijack is designed to prevent and resolve. If you have a file hijack.cfg.off in your \declude directory just rename it to hijack.cfg to turn it on. Further information about hijack can be found here: http://www.declude.com/searchresults.asp?Cat=125

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
RE: [Declude.JunkMail] Global.cfg cleanup
I am using a hijack.vbs which I have scheduled every 15 minutes. I thought it came from Declude but if not then I do not recall. This is it:

    ' Folders holding mail trapped by Hijack
    folder1 = "D:\IMail\spool\spam\hold1\"
    folder2 = "D:\IMail\spool\spam\hold2\"
    ' Command-line mailer and its arguments (trailing spaces separate them)
    aMail = "D:\imail\imail1.exe "
    mFrom = "-u 'supp...@domain.com' "
    mTo1 = "-t 'recipi...@domain.com' "

    if GetFileCount(folder1) > 1 then
        MailNotice "HiJack Folder (Hold 1)", GetFileCount(folder1), mTo1
    end if
    if GetFileCount(folder2) > 1 then
        MailNotice "HiJack Folder (Hold 2)", GetFileCount(folder2), mTo1
    end if

    ' Number of files currently in the given folder
    Function GetFileCount(folderspec)
        Dim fso, f, f1, fc
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set f = fso.GetFolder(folderspec)
        Set fc = f.Files
        GetFileCount = fc.count
    End Function

    ' Mail a notice with the folder name and file count in the subject
    Function MailNotice(fname, fcount, mTo)
        Dim mCmd, mSubj, WshShell
        set WshShell = WScript.CreateObject("WScript.Shell")
        mSubj = "-s 'Mail held in the " & fname & " : " & fcount & "' "
        mCmd = aMail & mFrom & mTo & mSubj & "-f placeholder.txt"
        Return = WshShell.Run(mCmd, 1, TRUE)
    End Function

Thank you

Harry Vanderzand
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Craig Edmonds
Sent: April-29-09 3:33 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Global.cfg cleanup

Hi Don,

It will save your arse many times over. :o)

However, unless you check the hold queue file every 15 minutes, you won't know there is any mail being held.

I will tell you how I manage it in case you are interested (had to figure this out myself after clients started saying "oh my mail is sent but not reaching its destination!").

The following instructions will schedule a vbs script to check your hold2 folder every 30 minutes and if it finds any files, it will email you. That way you will know if there are mails sitting in the queue. You then just login and check the mail, make sure it's not spam.

I hope it's of use to you. (I have been using this script for over 5 years and it has never let me down.)

1. Create a folder called C:\IMail\spool\imail-alert-tools
2. Create a .vbs file in there called something like 30-hold2-file-check.vbs
3. In that new vbs file put the following code:

    ' Held messages to look for, and the alert sender and recipient
    filepath = "C:\IMAIL\spool\spam\hold2\*.smd"
    emailfrom = "postmas...@yourdomain.com"
    emailto = "y...@yourdomain.com"

    ' FileFunctions.files is the COM component installed in step 4
    Set FFunc = CreateObject("FileFunctions.files")
    if FFunc.Exists(filepath) then
        FFunc.GetFileList(filepath)
        TotalFiles = FFunc.Count
        strBody = strBody & "There are currently " & TotalFiles & " files in the Hold Queue." & vbCRLF
        strBody = strBody & vbCRLF
        strBody = strBody & "Date:" & FormatDateTime(Date, 1) & " - " & FormatDateTime(Now, 4)
        ' Send the alert through CDO
        Set myMail = CreateObject("CDO.Message")
        myMail.Subject = "(IMAIL SPAM HOLD Alert) " & TotalFiles & " Files in The Hold Queue at " & FormatDateTime(Now, 4)
        myMail.From = emailfrom
        myMail.To = emailto
        'myMail.CC=emailto
        'myMail.Bcc=emailbcc
        myMail.TextBody = strBody
        myMail.Send
        set myMail = nothing
    end if

4. Go to http://www.xs4all.nl/~jarit/asp/filefunc/easyff.zip, download the easy setup version and install the COM on your server. (It's free.)
5. Create a scheduled task that runs C:\IMail\spool\imail-alert-tools\30-hold2-file-check.vbs every 30 minutes.

Voila!

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E: cr...@123marbella.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: 29 April 2009 09:26
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

David,

Thanks for the info!! I was aware of Hijack but, being a long time Declude user, I thought it was still a product that needs to be purchased separately. I turned it on and will track how it does.

Thanks again,
Don
RE: [Declude.JunkMail] Global.cfg cleanup
Serge, have you checked to make sure you're not having DNS issues? DNS causes 80% of the issues with delays.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Tuesday, April 28, 2009 11:51 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Global.cfg cleanup
Importance: High

For about a week my server (2xP3xeon 2.8GHz) was being saturated by an increase of traffic:
100% CPU for hours and tens of thousands of messages in \proc.
The server was working fine for several years.
Something had to be done; decided to clean global.cfg, and need help optimizing.
AVafterJM was on.
Cleaned global.cfg, left only Sniffer, Zerohour, some builtin tests, and a couple of filters.
The server is now stable, but I need some answers to decide what to do next:

1- loglevel and logOK have any effects on CPU?
2- Any DNS tests that are really important? (for now, I removed all)
3- Any of the following external tests / filters are important, or are they outdated?

TIA

#HELOISIP external nonzero E:\imail\filters\heloisip\heloisip.exe 3 0
#HELOISIPX external nonzero E:\imail\filters\heloisip\heloisipx.exe 3 0
#SIZE-S external11CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 100000
#SIZE-M external12CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000-100
#SIZE-L external13CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000-200
#SIZE-XL external14CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000-300
#SPAMCHK external weight E:\spamchk\spamchk.exe
#INV-URIBL external weight E:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP% 0 0
##
#GIBBERISH filter E:\IMail\Filters\Gibberish.txt x 0 0
#GIBBERISHSUB filter E:\IMail\Filters\GibberishSub.txt x 0 0
#DYNAMIC filter E:\IMail\Filters\Dynamic.txt x -1 0
#SURBL filter E:\IMail\Filters\Surbl\surbl.txt x 1 0
#OFFENSIVE filter E:\IMail\Filters\offensive.txt x 0 0
##
# Good attribute Checks, KM00
#FALSE-AOL filter E:\Imail\KM00\False_AOL.txt x 0 0
#FALSE-YAHOO filter E:\Imail\KM00\False_Yahoo.txt x 0 0
#FALSE-HOTMAIL filter E:\Imail\KM00\False_Hotmail.txt x 0 0
#FALSE-TELEFONICA filter E:\Imail\KM00\False_telefonica.txt x 0 0
#GOOD-TELEFONICA filter E:\Imail\KM00\good_telefonica.txt x 0 0
#GOOD_HOTMAIL filter E:\Imail\KM00\Good_Hotmail.txt x 0 0
#GOOD_AOL filter E:\Imail\KM00\Good_Aol.txt x 0 0
#GOOD_Yahoo filter E:\Imail\KM00\Good_Yahoo.txt x 0 0
##
#FILTER-BODYURL filter E:\Imail\KM00\IMail_Filter_URLinBody.txt x 0 0
#FILTER-SPAMMER-COMPANY filter E:\Imail\KM00\IMail_Filter_SpammerCompany.txt x 0 0
#FILTER-PORN filter E:\Imail\KM00\IMail_Filter_PornoSite.txt x -2 0
#FILTER-PORNw filter E:\Imail\KM00\IMail_Filter_PornoSite.txt x -5 0

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Global.cfg cleanup
First thing I did: tested the DNS and looked at Declude logs.
No problem there.
My CPUs were not able to handle the traffic, as simple as that.

----- Original Message -----
From: David Barker
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 4:00 PM
Subject: RE: [Declude.JunkMail] Global.cfg cleanup

Serge, have you checked to make sure you're not having DNS issues? DNS causes 80% of the issues with delays.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
Re: [Declude.JunkMail] Global.cfg cleanup
Serge,

Are you getting a lot of invalids? In other words, maybe too much traffic for some reason. Also, are you scanning for virii after junkmail runs?

-Nick

From: Serge se...@cefib.com
Sent: Tuesday, April 28, 2009 1:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

First thing I did: tested the DNS and looked at Declude logs.
No problem there.
My CPUs were not able to handle the traffic, as simple as that.
Re: [Declude.JunkMail] Global.cfg cleanup
Serge,

We had a similar situation happen about a week ago. For us, it turned out that one of our clients was infected with a virus/spyware/malware and was sending hundreds of thousands of spam messages. We had WHITELIST AUTH in the global.cfg. Once he authenticated, he was whitelisted. The system just could not keep up with the load.

Once we figured out what was happening it took us a while to identify which account it was. I found that with LOGLEVEL MID, there is a line in the DECmmdd.LOG file that has the text [Authenticated:email address]. Searching the file and finding an unusually large volume of them from one user showed me which account to disable.

Hope this helps,
Don

----- Original Message -----
From: nick
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 12:31 PM
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

Serge,

Are you getting a lot of invalids? In other words, maybe too much traffic for some reason. Also, are you scanning for virii after junkmail runs?

-Nick
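The log search Don describes, as an added example (not part of the original thread and not Declude code): it counts `[Authenticated:...]` markers per address and flags any account far above the rest. Only the marker text comes from the post; the rest of each sample line, the addresses and both thresholds are constructed assumptions.

```python
"""Count [Authenticated:...] markers per account and flag outliers."""
import re
import sys
from collections import Counter
from statistics import median

# Only the "[Authenticated:address]" marker is taken from the thread;
# everything else on a log line is ignored.
AUTH_RE = re.compile(r"\[Authenticated:\s*([^\]\s]+)\s*\]", re.IGNORECASE)


def count_authenticated(lines):
    """Return a Counter of lower-cased authenticated addresses."""
    counts = Counter()
    for line in lines:
        for address in AUTH_RE.findall(line):
            counts[address.lower()] += 1
    return counts


def flag_heavy_senders(counts, min_messages=50, ratio=10.0):
    """Return [(address, count)] for accounts far above everyone else.

    An account is flagged when it has at least min_messages entries and
    at least ratio times the median of the *other* accounts, so a single
    account producing all the traffic is still caught. Both thresholds
    are assumptions to tune per server.
    """
    flagged = []
    for address, n in counts.items():
        others = [c for a, c in counts.items() if a != address]
        baseline = median(others) if others else 0
        if n >= min_messages and n >= ratio * max(baseline, 1):
            flagged.append((address, n))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def build_sample_log():
    """Constructed sample lines; the real DECmmdd.LOG layout may differ."""
    lines = ["04/28/2009 15:00:00 Q00000000 message without an auth marker"]
    volumes = {
        "alice@example.com": 3,
        "bob@example.com": 5,
        "carol@example.com": 400,
    }
    for address, volume in volumes.items():
        for i in range(volume):
            # Mixed case on purpose: counting must not split one account.
            shown = address.title() if i % 2 else address
            lines.append(
                f"04/28/2009 15:{i % 60:02d}:00 Q{i:08x} "
                f"[Authenticated:{shown}] queued"
            )
    return lines


def main(argv):
    if len(argv) > 1:
        # A log path was given: stream it instead of loading it whole.
        with open(argv[1], encoding="latin-1") as handle:
            counts = count_authenticated(handle)
    else:
        counts = count_authenticated(build_sample_log())
    for address, n in counts.most_common(10):
        print(f"{n:8d}  {address}")
    for address, n in flag_heavy_senders(counts):
        print(f"REVIEW: {address} authenticated for {n} messages")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the path of a day's log as the only argument; with no argument it runs on the constructed sample.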
RE: [Declude.JunkMail] Global.cfg cleanup
This is exactly what Declude Hijack is designed to prevent and resolve. If you have a file hijack.cfg.off in your \declude directory just rename it to hijack.cfg to turn it on. Further information about hijack can be found here: http://www.declude.com/searchresults.asp?Cat=125

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: Tuesday, April 28, 2009 3:18 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

Serge,

We had a similar situation happen about a week ago. For us, it turned out that one of our clients was infected with a virus/spyware/malware and was sending hundreds of thousands of spam messages. We had WHITELIST AUTH in the global.cfg. Once he authenticated, he was whitelisted. The system just could not keep up with the load.

Once we figured out what was happening it took us a while to identify which account it was. I found that with LOGLEVEL MID, there is a line in the DECmmdd.LOG file that has the text [Authenticated:email address]. Searching the file and finding an unusually large volume of them from one user showed me which account to disable.

Hope this helps,
Don
RE: [Declude.JunkMail] Global.cfg cleanup
Ever since we implemented the hijack features of the suite we have caught these kinds of infections. Any one of our clients sending more than x amount of e-mails has them trapped for our review.

This has saved us 5 times in the last year.

Thank you

Harry Vanderzand
Intown Internet
117 Ruskview Road
Kitchener, ON, N2M 4S1
519-741-1222

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of decl...@mail.net1media.com
Sent: April-28-09 3:18 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

Serge,

We had a similar situation happen about a week ago. For us, it turned out that one of our clients was infected with a virus/spyware/malware and was sending hundreds of thousands of spam messages. We had WHITELIST AUTH in the global.cfg. Once he authenticated, he was whitelisted. The system just could not keep up with the load. Once we figured out what was happening it took us a while to identify which account it was.

I found that with LOGLEVEL MID, there is a line in the DECmmdd.LOG file that has the text [Authenticated:email address]. Searching the file and finding an unusually large volume of them from one user showed me which account to disable.

Hope this helps,
Don
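The log search Don describes, combined with the "more than x e-mails" review limit Harry mentions, as an added example that is not part of the original thread or of Declude. Only the `[Authenticated:email address]` marker comes from the thread; the rest of the log line layout, the function names and the limit value are assumptions.

```python
import re
from collections import Counter

# Only the marker text "[Authenticated:email address]" is taken from the thread.
# The rest of a DECmmdd.LOG line is not shown there, so the pattern looks for
# the marker anywhere in the line and ignores everything around it.
AUTH_MARKER = re.compile(r"\[Authenticated:\s*([^\]\s]+)\s*\]", re.IGNORECASE)

# Constructed sample lines (assumed layout, not real Declude output).
SAMPLE_LINES = (
    ["04/28/2009 15:00:01 Q1a2b [Authenticated:alice@example.com] msg accepted"] * 3
    + ["04/28/2009 15:00:02 Q1a2c [Authenticated:Bob@Example.com] msg accepted",
       "04/28/2009 15:00:03 Q1a2d [authenticated: bob@example.com] msg accepted"]
    + ["04/28/2009 15:00:04 Q1a2e [Authenticated:carol@example.com] msg accepted"] * 40
    + ["04/28/2009 15:00:05 Q1a2f inbound message, no authentication",
       "04/28/2009 15:00:06 Q1a30 [Authenticated:] truncated entry"]
)


def count_authenticated(lines):
    """Count messages per authenticated account (case-insensitive)."""
    counts = Counter()
    for line in lines:
        match = AUTH_MARKER.search(line)
        if match:  # lines without a usable marker are skipped
            counts[match.group(1).lower()] += 1
    return counts


def scan_log(path):
    """Count authenticated senders in one log file, e.g. a day's DECmmdd.LOG."""
    # latin-1 decodes any byte, so odd characters in headers cannot abort the scan.
    with open(path, encoding="latin-1") as handle:
        return count_authenticated(handle)


def flag_heavy_senders(counts, limit):
    """Return (account, messages, share of authenticated traffic) above the limit."""
    total = sum(counts.values())
    return [
        (account, sent, round(sent / total, 3))
        for account, sent in counts.most_common()
        if sent > limit
    ]


if __name__ == "__main__":
    per_account = count_authenticated(SAMPLE_LINES)
    print("Top senders:", per_account.most_common(10))
    # limit=10 is an arbitrary value for the sample data, standing in for "x".
    for account, sent, share in flag_heavy_senders(per_account, limit=10):
        print(f"REVIEW {account}: {sent} messages ({share:.1%} of authenticated mail)")
```
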
Re: [Declude.JunkMail] Global.cfg cleanup
not sure what you mean by invalid
i did specify that we have avafterjm on

----- Original Message -----
From: nick
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 5:31 PM
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

Serge,

Are you getting a lot of invalids? In other words maybe too much traffic for some reason. Also are you scanning for virii after junkmail runs?

-Nick

From: Serge se...@cefib.com
Sent: Tuesday, April 28, 2009 1:04 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Global.cfg cleanup

first thing i did tested the DNS and looked at declude logs
no problem there
my cpus were not able to handle the traffic, as simple as that

----- Original Message -----
From: David Barker
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 4:00 PM
Subject: RE: [Declude.JunkMail] Global.cfg cleanup

Serge, have you checked to make sure you are not having DNS issues. DNS causes 80% of the issues with delays.

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com

From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Serge
Sent: Tuesday, April 28, 2009 11:51 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Global.cfg cleanup
Importance: High

For about a week my server (2xP3xeon 2.8GHz) was being saturated by an increase of traffic
100% CPU for hours and tens of thousands of messages in \proc
the servers was working fine for several years
something had to be done, decided to clean global.cfg, and need help optimizing
AVafterJM was on
Cleaned global.cfg left only Sniffer, Zerohour, some builtin tests, and a couple of filters
the server is now stable, but i need some answers to decide what to do next

1- loglevel and logOK have any effects on CPU ?
2- Any DNS tests that are really important ? (for now, I removed all)
3- Any of the following external tests / Filters are important, or are they outdated ?

TIA

#HELOISIP external nonzero E:\imail\filters\heloisip\heloisip.exe 3 0
#HELOISIPX external nonzero E:\imail\filters\heloisip\heloisipx.exe 3 0
#SIZE-S external 11 CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 100000
#SIZE-M external 12 CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000-100
#SIZE-L external 13 CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000-200
#SIZE-XL external 14 CScript E:\IMail\Filters\Size.vbs //B //NoLogo //T:2 50,75,100 %WEIGHT% 1000-300
#SPAMCHK external weight E:\spamchk\spamchk.exe
#INV-URIBL external weight E:\INVURIBL\INVURIBL.exe %WEIGHT% %REMOTEIP% 0 0
##
#GIBBERISH filter E:\IMail\Filters\Gibberish.txt x 0 0
#GIBBERISHSUB filter E:\IMail\Filters\GibberishSub.txt x 0 0
#DYNAMIC filter E:\IMail\Filters\Dynamic.txt x -1 0
#SURBL filter E:\IMail\Filters\Surbl\surbl.txt x 1 0
#OFFENSIVE filter E:\IMail\Filters\offensive.txt x 0 0
##
# Good attribute Checks, KM00
#FALSE-AOL filter E:\Imail\KM00\False_AOL.txt x 0 0
#FALSE-YAHOO filter E:\Imail\KM00\False_Yahoo.txt x 0 0
#FALSE-HOTMAIL filter E:\Imail\KM00\False_Hotmail.txt x 0 0
#FALSE-TELEFONICA filter E:\Imail\KM00\False_telefonica.txt x 0 0
#GOOD-TELEFONICA filter E:\Imail\KM00\good_telefonica.txt x 0 0
#GOOD_HOTMAIL filter E:\Imail\KM00\Good_Hotmail.txt x 0 0
#GOOD_AOL filter E:\Imail\KM00\Good_Aol.txt x 0 0
#GOOD_Yahoo filter E:\Imail\KM00\Good_Yahoo.txt x 0 0
##
#FILTER-BODYURL filter E:\Imail\KM00\IMail_Filter_URLinBody.txt x 0 0
#FILTER-SPAMMER-COMPANY filter E:\Imail\KM00\IMail_Filter_SpammerCompany.txt x 0 0
#FILTER-PORN filter E:\Imail\KM00\IMail_Filter_PornoSite.txt x -2 0
#FILTER-PORNw filter E:\Imail\KM00\IMail_Filter_PornoSite.txt x -5 0

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Global.cfg cleanup
we have hijack installed
however, for years we have been asking that hijack be improved to differently handle authenticated users
we also need to be able to override the limits by IP

something like

Default limit by ip x,y
IP1 x1,y1
IP2 (or subnet) x2,y2

authenticated users default: a,b
user1 a1,b1
user2 a2, b2
.
.
.

We have large clients with dozens of users behind a single ip
we cannot use the same limits as for a home user

David, Please provide feedback on the above

----- Original Message -----
From: David Barker
To: declude.junkmail@declude.com
Sent: Tuesday, April 28, 2009 7:19 PM
Subject: RE: [Declude.JunkMail] Global.cfg cleanup

This is exactly what Declude Hijack is designed to prevent and resolve. If you have a file hijack.cfg.off in your \declude directory just rename it to hijack.cfg to turn it on. Further information about hijack can be found here.

http://www.declude.com/searchresults.asp?Cat=125

David Barker
VP Operations
Declude
Your Email security is our business
978.499.2933 office
978.988.1311 fax
dbar...@declude.com
Re: [Declude.JunkMail] Global.cfg cleanup
hi

we have a script that runs daily to find the number of messages sent per user (the authenticated account, not the from user), and emails me the top 10 senders
so that is not the issue here

we also have a script that finds the number of messages sent per IP, and though we found some wireless CPEs sending mail continuously, (which was aggravating the pb), the problem continued even after we fixed these cpes

So i am quite sure the mails are inbound (not sent by authenticated user), and not more than a few are sent from the same ip address
RE: [Declude.JunkMail] Global.cfg cleanup
I will look at revisiting this issue of additional functionality for hijack.
Re: [Declude.JunkMail] Global.cfg cleanup
thanks David

also for global.cfg, please consider include directives that will facilitate testing/optimization
for example, to put the dns tests, or the sorbs or the ahbl tests in separate files, and just an include instruction in the main global.cfg
will make it more readable and easier to modify/optimize

what do you think ?