[sniffer] Re: IP Change on rulebase delivery system
Not sure if its related but since yesterday SNFserver CPU utilization has been inordinately high (>50%) for the middle of the day with not any additional volume in mail being received. On Mon, Mar 25, 2013 at 9:13 AM, Pete McNeil wrote: > Hi Sniffer Folks, > > We are about to change the IP of the rulebase delivery system. This change > should be completely transparent and you should not need to take any > action; however if you do notice anything unusual please let us know. > > Thanks, > > _M > > -- > Pete McNeil > Chief Scientist > ARM Research Labs, LLC > www.armresearch.com > 866-770-1044 x7010 > twitter/codedweller > > > ##**##**# > This message is sent to you because you are subscribed to > the mailing list . > This list is for discussing Message Sniffer, > Anti-spam, Anti-Malware, and related email topics. > For More information see http://www.armresearch.com > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > > > > To switch to the INDEX mode, E-mail to > Send administrative queries to > > > > >
[sniffer] Re: IP Change on rulebase delivery system
Probably unrelated... and due to a significant increase in spam over the past few days. Darin. From: Richard Stupek Sent: Wednesday, March 27, 2013 2:18 PM To: Message Sniffer Community Subject: [sniffer] Re: IP Change on rulebase delivery system Not sure if its related but since yesterday SNFserver CPU utilization has been inordinately high (>50%) for the middle of the day with not any additional volume in mail being received. On Mon, Mar 25, 2013 at 9:13 AM, Pete McNeil wrote: Hi Sniffer Folks, We are about to change the IP of the rulebase delivery system. This change should be completely transparent and you should not need to take any action; however if you do notice anything unusual please let us know. Thanks, _M -- Pete McNeil Chief Scientist ARM Research Labs, LLC www.armresearch.com 866-770-1044 x7010 twitter/codedweller # This message is sent to you because you are subscribed to the mailing list . This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to
[sniffer] Re: IP Change on rulebase delivery system
On 2013-03-27 14:38, Darin Cox wrote: Probably unrelated... and due to a significant increase in spam over the past few days. I agree with that -- our inbound spamtrap pre-processor has seen 4x increase over the past few days so that's likely to be related. Also, Richard, I took a quick look at your telemetry and verified that your rulebase file(s) are up to date. Best, _M -- Pete McNeil Chief Scientist ARM Research Labs, LLC www.armresearch.com 866-770-1044 x7010 twitter/codedweller # This message is sent to you because you are subscribed to the mailing list . This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to
[sniffer] Re: IP Change on rulebase delivery system
Its odd because the number of messags snf is processing isn't more than usual and the % of spam being detected through snf is actually lower than typical yet is is routinely maxing out 4 processors at 100%. On Wed, Mar 27, 2013 at 3:20 PM, Pete McNeil wrote: > On 2013-03-27 14:38, Darin Cox wrote: > >> Probably unrelated... and due to a significant increase in spam over the >> past few days. >> > > I agree with that -- our inbound spamtrap pre-processor has seen 4x > increase over the past few days so that's likely to be related. > > Also, Richard, I took a quick look at your telemetry and verified that > your rulebase file(s) are up to date. > > Best, > > > _M > > -- > Pete McNeil > Chief Scientist > ARM Research Labs, LLC > www.armresearch.com > 866-770-1044 x7010 > twitter/codedweller > > > ##**##**# > This message is sent to you because you are subscribed to > the mailing list . > This list is for discussing Message Sniffer, > Anti-spam, Anti-Malware, and related email topics. > For More information see http://www.armresearch.com > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > > > > To switch to the INDEX mode, E-mail to > Send administrative queries to > > > > >
[sniffer] Re: IP Change on rulebase delivery system
On 2013-03-27 16:49, Richard Stupek wrote: Its odd because the number of messags snf is processing isn't more than usual and the % of spam being detected through snf is actually lower than typical yet is is routinely maxing out 4 processors at 100%. You're saying that SNF is maxing out 4 processors? ... or is the combination of operations on your server maxing out 4 processors? We're using the same engine and ruelbase in our CGP server and humming along nicely at between 2000 - 8000 msg/minute with nominal CPU loads. I don't see anything unusual in your telemetry and I haven't heard any other complaints, so I can't explain why SNF would act differently on your system. I hate a mystery though -- so I would love to get to the bottom of it. Do you see anything else that might be causing the CPU load? _M -- Pete McNeil Chief Scientist ARM Research Labs, LLC www.armresearch.com 866-770-1044 x7010 twitter/codedweller # This message is sent to you because you are subscribed to the mailing list . This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to
[sniffer] Re: IP Change on rulebase delivery system
It would be SNF routinely showing 80% utilization spikes for a 4 cpu system. I hadn't ever seen it do that before which was why I sent the message. Don't believe the load is any higher than normal. The spikes aren't as prolonged at the present. On Wed, Mar 27, 2013 at 4:08 PM, Pete McNeil wrote: > On 2013-03-27 16:49, Richard Stupek wrote: > >> Its odd because the number of messags snf is processing isn't more than >> usual and the % of spam being detected through snf is actually lower than >> typical yet is is routinely maxing out 4 processors at 100%. >> > > You're saying that SNF is maxing out 4 processors? ... or is the > combination of operations on your server maxing out 4 processors? > > We're using the same engine and ruelbase in our CGP server and humming > along nicely at between 2000 - 8000 msg/minute with nominal CPU loads. > > I don't see anything unusual in your telemetry and I haven't heard any > other complaints, so I can't explain why SNF would act differently on your > system. I hate a mystery though -- so I would love to get to the bottom of > it. > > Do you see anything else that might be causing the CPU load? > > > _M > > -- > Pete McNeil > Chief Scientist > ARM Research Labs, LLC > www.armresearch.com > 866-770-1044 x7010 > twitter/codedweller > > > ##**##**# > This message is sent to you because you are subscribed to > the mailing list . > This list is for discussing Message Sniffer, > Anti-spam, Anti-Malware, and related email topics. > For More information see http://www.armresearch.com > To unsubscribe, E-mail to: > To switch to the DIGEST mode, E-mail to > > > > To switch to the INDEX mode, E-mail to > Send administrative queries to > > > > >
[sniffer] Re: IP Change on rulebase delivery system
On 2013-03-27 17:16, Richard Stupek wrote: The spikes aren't as prolonged at the present. Interesting. A short spike like that might be expected if the message was longer than usual, but on average SNF should be very light-weight. One thing you can check is the performance data in your logs. That will show how much time in cpu milleseconds it is taking for each scan and how long the scans are in bytes. This might shed some light. http://www.armresearch.com/support/articles/software/snfServer/logFiles/activityLogs.jsp Look for something like in each scan. From the documentation: - Scan Performance Monitoring (performance='yes') p:s = Setup time in milliseconds p:t = Scan time in milliseconds p:l = Scan length in bytes p:d = Scan depth (peak evaluator count) Best, _M -- Pete McNeil Chief Scientist ARM Research Labs, LLC www.armresearch.com 866-770-1044 x7010 twitter/codedweller # This message is sent to you because you are subscribed to the mailing list . This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to To switch to the INDEX mode, E-mail to Send administrative queries to
