[sniffer] Re: IP Change on rulebase delivery system
Looks like I have this issue again (pegging 4 core cpu) and resetting the process doesn't make a difference. Not sure what is causing it but it does slow down spam detection to 40-50 seconds for many emails. Any ideas what I can look at or do to resolve this?

On Fri, Mar 29, 2013 at 12:27 PM, Pete McNeil madscient...@armresearch.com wrote:

> On 2013-03-29 12:59, Richard Stupek wrote:
>
>> well when all else fails restarting snf seems to have corrected the issue for now.
>
> In that case, it is likely that RAM fragmentation was involved. Dropping the process allowed the fragmentation to be cleared. (theory).
>
> Best,
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller
>
> #
> This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
> This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
> For More information see http://www.armresearch.com
> To unsubscribe, E-mail to: sniffer-...@sortmonster.com
> To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
> To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
> Send administrative queries to sniffer-requ...@sortmonster.com
[sniffer] Re: IP Change on rulebase delivery system
I've been blocking subnets to the mail server manually for the past 10 days or so. Scan the logs and look at common IP sources for spam. PITA but I've got it under control.

One of the earlier schemes I noticed was from .pw and .in top level domains. What I'm seeing now are messages coming from assorted domains but from a common subnet and hosting company - some US based.

I've had mail queued up for 20-30 mins before delivery before adding some firewall rules. My mail server is an i5 running Windows Server.

-- Original Message --
From: Richard Stupek rstu...@gmail.com
Reply-To: Message Sniffer Community sniffer@sortmonster.com
Date: Thu, 23 May 2013 14:22:59 -0500

> Looks like I have this issue again (pegging 4 core cpu) and resetting the process doesn't make a difference. Not sure what is causing it but it does slow down spam detection to 40-50 seconds for many emails. Any ideas what I can look at or do to resolve this?
>
> On Fri, Mar 29, 2013 at 12:27 PM, Pete McNeil madscient...@armresearch.com wrote:
>
>> On 2013-03-29 12:59, Richard Stupek wrote:
>>
>>> well when all else fails restarting snf seems to have corrected the issue for now.
>>
>> In that case, it is likely that RAM fragmentation was involved. Dropping the process allowed the fragmentation to be cleared. (theory).
>>
>> Best,
>> _M
>>
>> --
>> Pete McNeil
>> Chief Scientist
>> ARM Research Labs, LLC
>> www.armresearch.com
>> 866-770-1044 x7010
>> twitter/codedweller

--
Thanks,
Greg
AllureTech/CoffeyNet
www.atwy.net
1546 E Burlington Ave
Casper, WY 82601
307.473.2323
[sniffer] Re: IP Change on rulebase delivery system
On 2013-05-23 15:22, Richard Stupek wrote:

> Looks like I have this issue again (pegging 4 core cpu) and resetting the process doesn't make a difference. Not sure what is causing it but it does slow down spam detection to 40-50 seconds for many emails. Any ideas what I can look at or do to resolve this?

Check the message sizes. As part of the newest spam storms we've noticed that a lot of the messages are huge (65536++). I suspect this might impact throughput as large buffers are allocated and moved around to handle these messages. This kind of thing has also been known to cause NTFS to crawl.

Please let us know what you find.

If you are not already doing it -- you should consider blocking connections using the truncate blacklist. No sense taking on some of these messages if they can be eliminated up front.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
[sniffer] Re: IP Change on rulebase delivery system
Can you point me at the documentation for the truncate blacklist and its usage?

On Thu, May 23, 2013 at 3:36 PM, Pete McNeil madscient...@armresearch.com wrote:

> On 2013-05-23 15:22, Richard Stupek wrote:
>
>> Looks like I have this issue again (pegging 4 core cpu) and resetting the process doesn't make a difference. Not sure what is causing it but it does slow down spam detection to 40-50 seconds for many emails. Any ideas what I can look at or do to resolve this?
>
> Check the message sizes. As part of the newest spam storms we've noticed that a lot of the messages are huge (65536++). I suspect this might impact throughput as large buffers are allocated and moved around to handle these messages. This kind of thing has also been known to cause NTFS to crawl.
>
> Please let us know what you find.
>
> If you are not already doing it -- you should consider blocking connections using the truncate blacklist. No sense taking on some of these messages if they can be eliminated up front.
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller
[sniffer] Re: IP Change on rulebase delivery system
On 2013-05-23 16:41, Richard Stupek wrote:

> Can you point me at the documentation for the truncate blacklist and its usage?

http://gbudb.com/truncate/index.jsp

It's an ordinary ip4 dnsbl. Most email systems have some mechanism for blocking connections based on this kind of blacklist.

Hope this helps,
_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
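How a connect-time check against an ordinary IPv4 DNSBL works, as an added example that is not part of the original thread or of any ARM Research code. The zone `dnsbl.example.invalid` is a placeholder (the real zone is documented at the URL in the message above), and `sample_resolver` with its answers is constructed so the example runs offline.

```python
import ipaddress
import socket

# Placeholder zone (assumption): substitute the zone documented for the list in use.
ZONE = "dnsbl.example.invalid"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("an ip4 DNSBL can only be asked about IPv4 addresses")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A-record lookup via the OS resolver; NXDOMAIN or lookup failure -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []  # fail open: a DNS outage must not stop mail flow


def check_connection(ip, resolver=system_resolver, zone=ZONE):
    """Decide at connect time, before any message data is accepted."""
    answers = resolver(dnsbl_query_name(ip, zone))
    # Only a 127.0.0.0/8 answer is a listing. Any other address usually means
    # a resolver that rewrites NXDOMAIN, which would otherwise reject everyone.
    listed = any(ipaddress.ip_address(a) in LISTED_NET for a in answers)
    return "reject" if listed else "accept"


# Constructed sample data (documentation address ranges), standing in for DNS.
SAMPLE_ANSWERS = {
    "10.2.0.192." + ZONE: ["127.0.0.2"],      # listed sender
    "5.113.0.203." + ZONE: ["198.51.100.1"],  # NXDOMAIN rewritten by a resolver
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for peer in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(peer, check_connection(peer, resolver=sample_resolver))
```

Rejecting at connect time is what keeps the oversized messages described earlier in the thread from ever reaching the content scanner.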
[sniffer] Re: IP Change on rulebase delivery system
Would this: http://armresearch.com/support/articles/software/snfServer/xci/gbudb.jsp yield the same results as using the ip4 blocklist?

On Thu, May 23, 2013 at 4:11 PM, Pete McNeil madscient...@armresearch.com wrote:

> On 2013-05-23 16:41, Richard Stupek wrote:
>
>> Can you point me at the documentation for the truncate blacklist and its usage?
>
> http://gbudb.com/truncate/index.jsp
>
> It's an ordinary ip4 dnsbl. Most email systems have some mechanism for blocking connections based on this kind of blacklist.
>
> Hope this helps,
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
> www.armresearch.com
> 866-770-1044 x7010
> twitter/codedweller
[sniffer] Re: IP Change on rulebase delivery system
On 2013-05-23 17:21, Richard Stupek wrote:

> Would this: http://armresearch.com/support/articles/software/snfServer/xci/gbudb.jsp yield the same results as using the ip4 blocklist?

No. Asking your local GBUdb about an IP will only give you a local perspective. The truncate blacklist contains the currently active worst-of-the-worst as seen by all SNF nodes working together.

Also -- getting your MTA to pay attention to your local GBUdb is nontrivial since no MTA software (that I know of) can speak XCI yet.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller