RE: [Declude.JunkMail] Declude Processes Server Load
I see the same (with a very small domain and very light usage). The mail server is nowhere near the strongest, but is sometmies stressed with 1.70 (and was the same with 1.69b) but not 1.65. My recommendation for those that are experiencing this is to try adding a line DECODE OFF to the \IMail\Declude\global.cfg file, and see if this takes care of the problem. There were some base64 and HTML decoding functions added since 1.65, which use more CPU time than most Declude JunkMail functionality. They can be disabled with the DECODE OFF line. I'm also going to investigate the changes to the ip4r tests, to see if that may be the root of the problem. It *shouldn't* be, but then again there isn't anything in Declude JunkMail that *should* cause 100% CPU usage. :) -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Request for new/enhanced feature
I keep getting mail that slipps through that IMO shouldn't be that hard to catch really... They use a variant of the html comments but the way they do it it don't get detected as a mail with to many html comments. Below is a snippet of example text inside the html formated e-mail : Pk73ch7b1tddyenkqjezab3w79ejis Enkpv36t91gfs2largktwn2sd3kn7tqemek63uv4i3njxxcnt Pikxl9qjl2r3ervkll On The Mak9jgo17u5v244rkekth2amv3m1st!/font/font/font/bfont face=Arial,Helvetica/font pfont face=Arial,Helvetica* Gksfvuh135aju042aikndkb4w1ppwy192n 3kbq72kb2dv2xsd2+ Full Inkn46ft9yw8pchkwhb2wy27wls3es In Lengka4vte11x26Lengka4vte11x26wth/font brfont face=Arial,Helvetica* Exkcay5sz12le0pand Your Pekt70s753udaio49nis Up To 20kh3tfh82ejp1% Basically remove the x junk and you get the text. Since these are invalid html comments most e-mail clients just simply ignore the comment text all together since it has the around the text. This messages X-Tests-Failed: IPNOTINMX, SUBJECTSPACES, LONGSUBJECT. IMO this should also have failed HTMLCOMMENTS which it did not. So my question.. Would it be possible to add the above junk as detected html comment ? Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] -- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 - Your Full Time Professionals - Mikrotik OEM dealer - Online Store http://www.fament.com --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Stats on .biz, .us?
Mail from these domains.. Based on what I see .. email coming from email addresses with .biz or .us have a higher probability of being a spam than .com. Of course this is a matter of percentage. We don't receive that many emails with .biz but from what I see majority (if not all) emails with these extensions are pretty much spam. Just want to see if anyone else has any experience... we may setup a filter just to add weight with MAILFROM0 ENDSWITH.biz MAILFROM0 ENDSWITH.us to do a little info gathering. perhaps add a little weight watch the result in the header.. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hermann Strassner Sent: Wednesday, June 04, 2003 10:11 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Stats on .biz, .us? What do you mean? Mail from these domains or mail to these domains? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan Sent: Wednesday, June 04, 2003 3:19 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Stats on .biz, .us? Hi; Is anyone keeping track or have any stats on the % of spam in: .biz .us domains? From what I see it appears .biz and .us type domains have a higher probability of being SPAM as a percentage of legitimate emails with those domains. Regards, Kami
RE: [Declude.JunkMail] COMMENTS test needs adjusting?
I think you need to skip attachments or at least make it an option in the CFG file. I have already discounted the use of BASE64 test because if there is a text attachment the test will be triggered. Why do you need full-mime support to skip attachments?? Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry Sent: Wednesday, June 04, 2003 5:12 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] COMMENTS test needs adjusting? This email caused 5 COMMENTS to be caught even though there is no HTML in the email as the attachment text has ! in it, I think the test needs to be adjusted to not scan attachment bodies. Very interesting -- that's the first time I've ever seen a .PDF file that was encoded in a way that was still human readable. We are getting close to the point where we may add full MIME support to Declude JunkMail, which would allow attachments to be skipped. It will be quite a bit of work, and will slow down processing slightly, but may be worthwhile. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Stats on .biz, .us?
Title: Message We're seeing more and more valid domains using .biz, .us and .info. I think it's taking a while but they are finally starting to be adopted. -David
[Declude.JunkMail] Declude on RAM Drive
I posted this on the Declude Virus list and didn't get any response. (Hope is wasn't a stupid question :-). Anybody here have anything to offer? Thanks. -David I just noticed on Declude site that it is compatible for use on a RAM drive. Haven't used one of these since DOS but trying to squeeze every last bit of performance out of Declude. Anyone doing this or have additional perfomance tuning tips? Thanks -David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude on RAM Drive
IMO, RAM drives are best for page files and databases. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of David Sullivan Sent: Wednesday, June 04, 2003 10:10 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude on RAM Drive I posted this on the Declude Virus list and didn't get any response. (Hope is wasn't a stupid question :-). Anybody here have anything to offer? Thanks. -David I just noticed on Declude site that it is compatible for use on a RAM drive. Haven't used one of these since DOS but trying to squeeze every last bit of performance out of Declude. Anyone doing this or have additional perfomance tuning tips? Thanks -David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Vote for Declude!
Windows .NET Magazine (which mentioned Declude JunkMail in their April, 2003 Enterprise Spam Filters Buyers Guide) is having a Reader's Choice vote, where you can let them know what software you think is the best in its class, and even which offer the best support. If you think that the Declude products are among the best in their class, please take a minute to go to http://www.winnetmag.com/readerschoice and vote. Categories you may want to consider Declude products for are: #24 - Best Anti-Spam Tool #40 - Best Antivirus--Server Side #41 - Best Antivirus--Mail Server #89 - Best Service and Support You may also want to consider IMail for Best Mail Server. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Vote for Declude!
Don't get scared the from the very long list, you don't have to vote on everything. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry Sent: Wednesday, June 04, 2003 7:47 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Vote for Declude! Windows .NET Magazine (which mentioned Declude JunkMail in their April, 2003 Enterprise Spam Filters Buyers Guide) is having a Reader's Choice vote, where you can let them know what software you think is the best in its class, and even which offer the best support. If you think that the Declude products are among the best in their class, please take a minute to go to http://www.winnetmag.com/readerschoice and vote. Categories you may want to consider Declude products for are: #24 - Best Anti-Spam Tool #40 - Best Antivirus--Server Side #41 - Best Antivirus--Mail Server #89 - Best Service and Support You may also want to consider IMail for Best Mail Server. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude on RAM Drive
Yeah, declude is not very much HDD IO intensive, CPU power is the key. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Wednesday, June 04, 2003 7:27 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] Declude on RAM Drive IMO, RAM drives are best for page files and databases. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of David Sullivan Sent: Wednesday, June 04, 2003 10:10 AM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude on RAM Drive I posted this on the Declude Virus list and didn't get any response. (Hope is wasn't a stupid question :-). Anybody here have anything to offer? Thanks. -David I just noticed on Declude site that it is compatible for use on a RAM drive. Haven't used one of these since DOS but trying to squeeze every last bit of performance out of Declude. Anyone doing this or have additional perfomance tuning tips? Thanks -David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] OSSRC problem
This is an entry from today's dec.log file. There are others like it. 06/04/2003 12:09:23 Q27c20609028ae1d0 Msg failed OSSRC (This E-mail came from 207.44.129.132, a potential spam source listed in OSSRC.). Action=SUBJECT. Yet when I run the IP address in www.dnsstuff.com 's Spam Database Lookup, OSSRC says Not Listed and the only testname that shows a problem is XBL. Why would OSSRC fail the email when it gets scanned, but show it as not being listed from the website? Todd Praski Dotcom Ltd. 115 N. University Dr. Ste. A Nacogdoches, TX 936-559-0001 www.netdot.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OSSRC problem
This is an entry from today's dec.log file. There are others like it. 06/04/2003 12:09:23 Q27c20609028ae1d0 Msg failed OSSRC (This E-mail came from 207.44.129.132, a potential spam source listed in OSSRC.). Action=SUBJECT. Yet when I run the IP address in www.dnsstuff.com 's Spam Database Lookup, OSSRC says Not Listed and the only testname that shows a problem is XBL. Why would OSSRC fail the email when it gets scanned, but show it as not being listed from the website? The only way this should happen is if 207.44.129.132 was recently listed in OSSRC. OSSRC only has a YES/NO response on their website for whether or not IPs are listed in their spam database, so you can't tell if it was listed recently. SPAMCOP, though, will let you know if it was recently listed, making it easier to track issues like this. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Easy way to add power and flexibility.
Charles: They need to not be greedy matches or better yet support a very small set of rules, an overly simplified engine could allow for word boundries and whitespace with optional letters and make word and phrase filters much more powerful. I agree, regular expressions are somewhat more powerful than would be required for the type of checks I'd like to see made, but the other stipulation I mentioned was that it was an Easy way to add power and flexibility. Scott and I discussed the idea of a simple scripting facility but the added complexity of a custom script filter was of course not worthwhile. Since there are already many regexp libraries freely available for developers to use I figured this would be the quickest way to get the results I want from the software I use. Jools: I guess you would do checks on the negative weights first and then the positive and at any point a test goes above the threshold you would stop. Unless by adding all the positive tests together it would still be below threshold whereas you wouldn't need to do any positive tests Actually I was thinking it would be more effecient to do the negative checks only after positive checks have run and found the message to be beyond the threshold. This way you don't run checks on messages which might end up not needing a negative value to make it through. Good idea about the DNS test as well. It might be worthwhile to load a code profiler against a running filter and see where the longest wait times are. It would be trivial then to reorder the tests from quickest to longest. Although its probably already been done. I still think that stopping the positive test process after a message meets its threshold is the easiest way to eliminate CPU usage however, unless I've missed some other possibility? The process would be something like: incoming message--run positive tests (in order of fastest to slowest)v | | msg hits threshold message below threshold-DELIVER | v--run negative tests---v | | msg still above threshold msg below threshold--DELIVER | take spam action(BOUNCE,ROUTETO, etc) I hope that ascii art doesn't get too mangled in transit Rob Salmond Ontario Die Company (519)-576-8950 ext. 132 --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] OSSRC problem
It probably just recently dropped out of the OSSRC database and possibly your DNS that JunkMail is using still has the old entry cached. Bill - Original Message - From: Todd Praski [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 11:40 AM Subject: [Declude.JunkMail] OSSRC problem This is an entry from today's dec.log file. There are others like it. 06/04/2003 12:09:23 Q27c20609028ae1d0 Msg failed OSSRC (This E-mail came from 207.44.129.132, a potential spam source listed in OSSRC.). Action=SUBJECT. Yet when I run the IP address in www.dnsstuff.com 's Spam Database Lookup, OSSRC says Not Listed and the only testname that shows a problem is XBL. Why would OSSRC fail the email when it gets scanned, but show it as not being listed from the website? Todd Praski Dotcom Ltd. 115 N. University Dr. Ste. A Nacogdoches, TX 936-559-0001 www.netdot.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Processes Server Load
Kami, I'm running ten IP4r tests, referred to in my original email as an external DB query. There seems to be a descrepency between this as a cause and Scott's answer: the Declude process should not show high CPU usage in this case. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete). Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. Does pulling out IP4r tests during an episode show a immidiate decline in CPU use? Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more? Thanks Dan On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED] wrote: Hi Dan: We had a similar problem. I posted a couple of messages regarding this very issue. We were having CPU at 100% for minutes.. in one case when a mail list hit our server with a lot of users receiving the message at the same time the CPU was at 100% for almost an hour. We could not do anything... Finally the Declude processes disappeared and all was back to normal again. What I noticed was the cause more than anything else was the IP4r tests. Declude appears to be fast in filtering and everything that it does. The IP4r tests are a different story and naturally out of Declude hands. We had a lot of them and by taking them off it brought things to normal. I stated this in an earlier posting- we are not doing all of our IP4r tests in IMail version 8. It works much faster and since it caches it seems like it works great. We have about 60 IP4r tests (majority of what is listed in Declude/junkmail/manual.htm site. We will take some off and add others as we find their effectiveness but for now we are using a lot of them and no problem. I am interested to see if this helps you if you try it. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Tuesday, June 03, 2003 9:36 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude Processes Server Load We added about 350 users to our 2000+ user dual server configuration in the last week and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped looking like its normal Donky Kong video game simulation (up and down) and more resembled a 100% highway with a few dips. Declude processes were taking quite a while to clear before finishing, to be replaced by another. I pulled out some multi thousand line tests and it nary made a dent. Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to par down (if not eliminate) the variables invovled: 1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would? 2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason? 3) If something else is running in the background, eating cyles, does Declude 'look' like its working harder? 4) If a user (or users) all received masses of attached files (say multi megabyte), would this slow things down in the way described? 5) When a new client reports having 30 users, whats the best way to decipher if this is the case? Is there a log analyzer that inventories unique addresses (understanding that 1 user can have many addresses). Thanks! Dan --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Processes Server Load
Scott, The servers in question are not [yet] running Declude Virus so what happened should be a purely Declude JunkMail question. With as lean as Declude is, looks like the only way to test this is in the moment. During yesterdays moment, it was tuff to sit by turning off one test at a time, to see which it was, while clients were waiting for email. Is there a way to load test a server, generating activity across one, some or all tests to find bottle necks? The new servers will hopefully make it less likely to happen again but that will also hinder understanding. I'll just have to get more clients to load them down with. :) Thanks Dan On Wednesday, June 4, 2003 5:07, R. Scott Perry [EMAIL PROTECTED] wrote: Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to par down (if not eliminate) the variables invovled: 1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would? No -- the Declude process should not show high CPU usage in this case. 2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason? No. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete). 3) If something else is running in the background, eating cyles, does Declude 'look' like its working harder? Not that I am aware of. 4) If a user (or users) all received masses of attached files (say multi megabyte), would this slow things down in the way described? It could. However, in this case, the main CPU usage would be Declude Virus decoding the attachments. Even so, it should take a lot of large files to see 100% CPU usage for an extended period of time. 5) When a new client reports having 30 users, whats the best way to decipher if this is the case? Is there a log analyzer that inventories unique addresses (understanding that 1 user can have many addresses). In this case, you may want to try our free Domain Lister tool (at http://www.declude.com/tools ), which you can run from a command prompt as domlist -list, which will (among other things) list all the users/aliases for a domain. It doesn't show the count, however. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] IP in Message Header
Hi, Would this cause BADHEADERS failure for bogus Message ID? [EMAIL PROTECTED] (real IP changed to protect the guilty) I assume it's the IP address that's bogus? Thanks David --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] IP in Message Header
Would this cause BADHEADERS failure for bogus Message ID? [EMAIL PROTECTED] (real IP changed to protect the guilty) I assume it's the IP address that's bogus? Yes, it would. That's not a valid Message-ID: header. Specifically, the RFCs require that if an IP address is used, it be in [brackets]. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Processes Server Load
I truly wish I could explain it.. May be I am dreaming.. But what I see is Declude does not get to 100% CPU since we moved it to IMail to do IP4r. This morning for example I saw about 10 or so Declude processes.. One at 19%.. A lot at 0% and then jumping to 10% and going away some hit 100% for 1 second and disappeared. Before we were seeing 100% CPU staying for several seconds and then each one of the waiting processes hitting 100%. We could not even more the mouse.. It would move in steps.. Now we don't have that problem. Watching this is now my favorite pass time... A cup of coffee and watching CPU Declude processes.. Have to try it with beer.. Could be more fun.. But can't imagine anything be more fun! :) Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Wednesday, June 04, 2003 4:19 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude Processes Server Load Kami, I'm running ten IP4r tests, referred to in my original email as an external DB query. There seems to be a descrepency between this as a cause and Scott's answer: the Declude process should not show high CPU usage in this case. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete). Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. Does pulling out IP4r tests during an episode show a immidiate decline in CPU use? Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more? Thanks Dan On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED] wrote: Hi Dan: We had a similar problem. I posted a couple of messages regarding this very issue. We were having CPU at 100% for minutes.. in one case when a mail list hit our server with a lot of users receiving the message at the same time the CPU was at 100% for almost an hour. We could not do anything... Finally the Declude processes disappeared and all was back to normal again. What I noticed was the cause more than anything else was the IP4r tests. Declude appears to be fast in filtering and everything that it does. The IP4r tests are a different story and naturally out of Declude hands. We had a lot of them and by taking them off it brought things to normal. I stated this in an earlier posting- we are not doing all of our IP4r tests in IMail version 8. It works much faster and since it caches it seems like it works great. We have about 60 IP4r tests (majority of what is listed in Declude/junkmail/manual.htm site. We will take some off and add others as we find their effectiveness but for now we are using a lot of them and no problem. I am interested to see if this helps you if you try it. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Tuesday, June 03, 2003 9:36 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude Processes Server Load We added about 350 users to our 2000+ user dual server configuration in the last week and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped looking like its normal Donky Kong video game simulation (up and down) and more resembled a 100% highway with a few dips. Declude processes were taking quite a while to clear before finishing, to be replaced by another. I pulled out some multi thousand line tests and it nary made a dent. Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to par down (if not eliminate) the variables invovled: 1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would? 2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason? 3) If something else is running in the background, eating cyles, does Declude 'look' like its working harder? 4) If a user (or users) all received masses of attached files (say multi megabyte), would this slow things down in the way described? 5) When a new client reports having 30 users, whats the best way to decipher if this is the case? Is there a log analyzer that inventories unique addresses (understanding that 1 user can have many addresses). Thanks! Dan --- [This E-mail
Re: [Declude.JunkMail] Declude Processes Server Load
I have noticed that using the v1.65 I never see Declude use more the 45% CPU. Using 1.70 Beta I see Declude Max the CPU's 100% Has anyone else seen the same. Fred - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 4:36 PM Subject: Re: [Declude.JunkMail] Declude Processes Server Load Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. That is correct. It should use very, very little CPU time while waiting for the results to come back. Does pulling out IP4r tests during an episode show a immidiate decline in CPU use? It shouldn't cause a noticeable decline in CPU use -- I can't explain Kami's results. Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? You're not. Specifically, they will see the same number of queries whether you are running IMail v8's anti-spam, Declude JunkMail's, or some other anti-spam solution. The reason for this is that your local DNS server will cache the results. Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more? There are some spam databases that request that heavy users (typically 100,000+ E-mails/day) do zone transfers (downloading the DNS data a couple times a day). However, if 80% of the lookups are cached, you're talking about 20,000 queries hitting the spam database for every 100,000 E-mails. The root DNS servers are able to handle up to tens of thousands of queries every second; DNS is very efficient. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Processes Server Load
Kami, Is your DNS that IMAIL/Declude uses local to you? Or are you using an upstream DNS? That many IPV4 tests may warrant this. We noticed a large performance boost by using a DNS on the local LAN. Just a thought - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 3:58 PM Subject: RE: [Declude.JunkMail] Declude Processes Server Load I truly wish I could explain it.. May be I am dreaming.. But what I see is Declude does not get to 100% CPU since we moved it to IMail to do IP4r. This morning for example I saw about 10 or so Declude processes.. One at 19%.. A lot at 0% and then jumping to 10% and going away some hit 100% for 1 second and disappeared. Before we were seeing 100% CPU staying for several seconds and then each one of the waiting processes hitting 100%. We could not even more the mouse.. It would move in steps.. Now we don't have that problem. Watching this is now my favorite pass time... A cup of coffee and watching CPU Declude processes.. Have to try it with beer.. Could be more fun.. But can't imagine anything be more fun! :) Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Wednesday, June 04, 2003 4:19 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude Processes Server Load Kami, I'm running ten IP4r tests, referred to in my original email as an external DB query. There seems to be a descrepency between this as a cause and Scott's answer: the Declude process should not show high CPU usage in this case. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete). Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. Does pulling out IP4r tests during an episode show a immidiate decline in CPU use? Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more? Thanks Dan On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED] wrote: Hi Dan: We had a similar problem. I posted a couple of messages regarding this very issue. We were having CPU at 100% for minutes.. in one case when a mail list hit our server with a lot of users receiving the message at the same time the CPU was at 100% for almost an hour. We could not do anything... Finally the Declude processes disappeared and all was back to normal again. What I noticed was the cause more than anything else was the IP4r tests. Declude appears to be fast in filtering and everything that it does. The IP4r tests are a different story and naturally out of Declude hands. We had a lot of them and by taking them off it brought things to normal. I stated this in an earlier posting- we are not doing all of our IP4r tests in IMail version 8. It works much faster and since it caches it seems like it works great. We have about 60 IP4r tests (majority of what is listed in Declude/junkmail/manual.htm site. We will take some off and add others as we find their effectiveness but for now we are using a lot of them and no problem. I am interested to see if this helps you if you try it. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Tuesday, June 03, 2003 9:36 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude Processes Server Load We added about 350 users to our 2000+ user dual server configuration in the last week and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped looking like its normal Donky Kong video game simulation (up and down) and more resembled a 100% highway with a few dips. Declude processes were taking quite a while to clear before finishing, to be replaced by another. I pulled out some multi thousand line tests and it nary made a dent. Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to par down (if not eliminate) the variables invovled: 1) If an external DB query slowed things down, delaying each Declude process, would Declude still show high CPU consumption while waiting and would the graph still be pegged? If not, is there any situation external to my server that would? 2) Is it possible for Declude to be consuming CPU cycles while idling for some other reason? 3) If something else is running in the background, eating cyles, does Declude 'look' like its working
Re: [Declude.JunkMail] Stats on .biz, .us?
I played with a content body test for .biz/ and had FPs in no time. You can play with a low weight test with these, but their use will only increase with time. I treat them the same as .net/.org/.com, one [painfully slow] iteration at a time. Dan On Wednesday, June 4, 2003 6:19, Kami Razvan [EMAIL PROTECTED] wrote: Message Hi; Is anyone keeping track or have any stats on the % of spam in: .biz .us domains? From what I see it appears .biz and .us type domains have a higher probability of being SPAM as a percentage of legitimate emails with those domains. Regards, Kami --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Declude Processes Server Load
Thats interesting, I upgraded both of the problem servers to 1.70 two days (about 36 hours) before this hit. I'm going to see if I can switch back to 1.69iX to see if there is a difference. Dan On Wednesday, June 4, 2003 14:50, Frederick Samarelli [EMAIL PROTECTED] wrote: I have noticed that using the v1.65 I never see Declude use more the 45% CPU. Using 1.70 Beta I see Declude Max the CPU's 100% Has anyone else seen the same. Fred - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 4:36 PM Subject: Re: [Declude.JunkMail] Declude Processes Server Load Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. That is correct. It should use very, very little CPU time while waiting for the results to come back. Does pulling out IP4r tests during an episode show a immidiate decline in CPU use? It shouldn't cause a noticeable decline in CPU use -- I can't explain Kami's results. Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? You're not. Specifically, they will see the same number of queries whether you are running IMail v8's anti-spam, Declude JunkMail's, or some other anti-spam solution. The reason for this is that your local DNS server will cache the results. Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more? There are some spam databases that request that heavy users (typically 100,000+ E-mails/day) do zone transfers (downloading the DNS data a couple times a day). However, if 80% of the lookups are cached, you're talking about 20,000 queries hitting the spam database for every 100,000 E-mails. The root DNS servers are able to handle up to tens of thousands of queries every second; DNS is very efficient. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Declude Processes Server Load
Hi; Our DNS is local. Same IP range and 2 racks above the mail server. We are also using IMail 8 with the cache DNS option- if that makes a difference with our configuration it is hard to say. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Newland Sent: Wednesday, June 04, 2003 5:18 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude Processes Server Load Kami, Is your DNS that IMAIL/Declude uses local to you? Or are you using an upstream DNS? That many IPV4 tests may warrant this. We noticed a large performance boost by using a DNS on the local LAN. Just a thought - Original Message - From: Kami Razvan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 3:58 PM Subject: RE: [Declude.JunkMail] Declude Processes Server Load I truly wish I could explain it.. May be I am dreaming.. But what I see is Declude does not get to 100% CPU since we moved it to IMail to do IP4r. This morning for example I saw about 10 or so Declude processes.. One at 19%.. A lot at 0% and then jumping to 10% and going away some hit 100% for 1 second and disappeared. Before we were seeing 100% CPU staying for several seconds and then each one of the waiting processes hitting 100%. We could not even more the mouse.. It would move in steps.. Now we don't have that problem. Watching this is now my favorite pass time... A cup of coffee and watching CPU Declude processes.. Have to try it with beer.. Could be more fun.. But can't imagine anything be more fun! :) Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Wednesday, June 04, 2003 4:19 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] Declude Processes Server Load Kami, I'm running ten IP4r tests, referred to in my original email as an external DB query. There seems to be a descrepency between this as a cause and Scott's answer: the Declude process should not show high CPU usage in this case. Declude uses the Sleep() command, which gives up CPU cycles to other programs (and will prevent the Task Manager from showing CPU usage in Declude during idle times, such as when Declude JunkMail is waiting for an external or DNS-based test to complete). Assuming we're all talking about the same thing, Declude continues to run as a process waiting for replies from IP4r requests but does not consume much CPU time while doing so. Does pulling out IP4r tests during an episode show a immidiate decline in CPU use? Does anyone know how the people hosting the IP4r tests feel about us slamming them with queries? Suppose I'm cruising along with 20,000 queries a day, then jump to 500,000 over a few weeks, surely that makes an impression somewhere? Is there a point were we should ask about doing more? Thanks Dan On Wednesday, June 4, 2003 1:33, Kami Razvan [EMAIL PROTECTED] wrote: Hi Dan: We had a similar problem. I posted a couple of messages regarding this very issue. We were having CPU at 100% for minutes.. in one case when a mail list hit our server with a lot of users receiving the message at the same time the CPU was at 100% for almost an hour. We could not do anything... Finally the Declude processes disappeared and all was back to normal again. What I noticed was the cause more than anything else was the IP4r tests. Declude appears to be fast in filtering and everything that it does. The IP4r tests are a different story and naturally out of Declude hands. We had a lot of them and by taking them off it brought things to normal. I stated this in an earlier posting- we are not doing all of our IP4r tests in IMail version 8. It works much faster and since it caches it seems like it works great. We have about 60 IP4r tests (majority of what is listed in Declude/junkmail/manual.htm site. We will take some off and add others as we find their effectiveness but for now we are using a lot of them and no problem. I am interested to see if this helps you if you try it. Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Patnode Sent: Tuesday, June 03, 2003 9:36 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] Declude Processes Server Load We added about 350 users to our 2000+ user dual server configuration in the last week and were doing pretty well until this afternoon. Suddenly the CPU load graph stopped looking like its normal Donky Kong video game simulation (up and down) and more resembled a 100% highway with a few dips. Declude processes were taking quite a while to clear before finishing, to be replaced by another. I pulled out some multi thousand line tests and it nary made a dent. Just before bringing our 3rd server into the fold, things quieted down. While I've already ordered 2 new dual processor 1U's, I want to par down (if not
[Declude.JunkMail] language limitation?
I'm not exactly sure how the JunkMail engine works, so I apologize in advance if this is a rookie question. Although JunkMail does a great job of catching English-based junk emails I still get very basic Spanish and Korean (I think) spam emails. So, does JunkMail catch non-English junk mail? Any other info would also be helpful. Jose --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] language limitation?
I'm not exactly sure how the JunkMail engine works, so I apologize in advance if this is a rookie question. Although JunkMail does a great job of catching English-based junk emails I still get very basic Spanish and Korean (I think) spam emails. So, does JunkMail catch non-English junk mail? Any other info would also be helpful. In most ways, Declude JunkMail treats English and non-English E-mails the same way. For example, if the E-mail has broken headers, it will fail the BADHEADERS test; if it came from an IP that Spamcop users have reported, it will fail the SPAMCOP test. The main exception is the NONENGLISH test, which is designed primarily to catch the Korean/Chinese/Japanese spams. -Scott --- Declude JunkMail: The advanced anti-spam solution for IMail mailservers. Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection. Find out what you have been missing: Ask for a free 30-day evaluation. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
