We have a little less volume than you do, but it's amazing how concentrated the messages can be.  My personal account, which has many domains pointed at it, has not received a single copy of the virus, but one account on our server has been hit over 500 times in the last 48 hours.  We run Declude Virus, but it's only available to about half of the accounts; JunkMail, though, has caught everything that gets there.

Here's an important suggestion, although this is virus related (I'm not on that list).  I use the FProt engine, which is nice because most clients use McAfee or Norton on the desktop, however this virus was getting blocked by extension exceptions (scr, bat, pif, com and vbs) for over 36 hours before the virus definitions were updated (checked every 6 hours).  This isn't the first time that has happened either.  The antivirus companies are too slow IMO in getting their updates out as this has happened repeatedly in the last year.  I would therefore refuse a customer's request to allow any of these extensions through...but never has a customer refused such a thing, so I even turned notifications off for banned extensions.

This does tie back into processor utilization though, because before the definitions were available, the banned extension test was placing those E-mails in a hold (wish you could have them deleted).  The system seems though to scan the attachments first and then look for attachments to ban by extension, and that order could be reversed to save processing power.  I assume this because the virus detection is now catching these files subsequent to the definitions update instead of the banned extension test doing the dirty work.  Any file intensive operations though benefit greatly from a spanned array, and RAID 5 can be a better investment than processing power in my experience, and a simple mirror actually steals a good deal of processing from your server.  We run about 80 Web sites, 50 E-mail domains with virus and spam blocking, a SQL server with many connected sites, and DNS, but dual PIII 1 GHz processors, a gig of memory and a 5 disk array keep the average processor utilization at around 2% even during this outbreak, with peaks lower than 50% utilization.  I think I overbuilt the box :)

Matt


Colbeck, Andrew wrote:
Wow, I thought my increase in messages from 5,800 messages inbound to 10,000
was a lot.

BTW, my old mail server (PII @ 333 MHz, data on a SCSI2 mirror) with the
same volume would regularly run mid-morning (my peak volume) with 30 to
100 messages in the overflow folder.

The new server (PIII @ 1.266, data on a SCSI3 mirror) had zero messages in
the overflow with exactly the same configuration (well, not true; I also put
in a body text filter to hold some of those annoying but misguided
messages from mailservers that are warning us of a virus we didn't send -
caught 1,300 of them by 10pm).

So last night I updated the Declude config to bring up our configuration
from 1.65 to 1.75i2 with most of the tests like PREWHITELIST ON,
SPAMDOMAINS, COMMENTS, SUBJECTSPACES, LONGSUBJECT, NONENGLISH.

I used as my guide, advice on the list and the page:

http://www.declude.com/relnotes.htm

Andrew 8)

p.s. Of everything that was new and/or discussed since the previous release,
SPAMDOMAINS was certainly the toughest nut.

-----Original Message-----
From: Webmaster Oilfield Directory [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, August 21, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Multi Server Configs


LOL!  that's peanuts...... try 70,000 ...yes 70,000 per hour and then tell
me about being nailed ... and I didn't have a powerhouse like you...only a
400 MHz P2   in other words 2.5 million in 24 hours.....


Sheldon


----- Original Message ----- 
From: "Tom Baker|Netsmith Inc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 21, 2003 6:15 AM
Subject: RE: [Declude.JunkMail] Multi Server Configs


Dan,

Declude does not have that kind of power as it is the IMAIL SMTP Daemon
which accepts the mail and places it into the spool.
After it is in the spool, Declude queue moves it to the overflow for faster
processing if there are more messages in the spool than IMail can run
smtp-delivery processes for (MaxQueProc). See http://www.declude.com/dq.htm
for more information on how exactly the overflow works.

If you want to reject messages before the SMTP envelope is over let me
suggest you take a look at 'IMGate' http://imgate.meiway.com/  IMGate is
basically a set of configurations for a free Unix OS (Linux or FreeBSD
www.freebsd.org) with the (free) Postfix MTA (www.postfix.org). Postfix does
have the ability for its SMTP Daemon to reject messages during the first
SMTP session based on header and body rules.

Many of the people running Declude also have one of these servers running in
front of our Imail/Declude server to reject such floods. During the start of
the SoBig flood I modified my body checks to reject any message with a .pif
attachment, and modified my header checks to reject any message containing
subject lines of those that the SoBig worm uses.
Yesterday I rejected over 10,000 messages based on these rules.
That's 10,000 messages Declude never had to process because they were
rejected with a "550 code" at the SMTP level.

There may be some other suggestions on this list, but I think this is
something worth at least taking a look at.

-Tom

-----Original Message-----
From: Dan Patnode [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 21, 2003 2:30 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Multi Server Configs


I'm running twin dual Xeon 2.4s and was nearly wiped out today by all the
extra virus/worm activity.  It's midnight and I'm still clearing out the
overflow, to the tune of 2 dozen Declude processes.

Rather than running them in parallel as we had before (setting them up with
the same MX weight), we are running these in series (every message hits the
first server until it says uncle, then the second server gets some).
Trouble is, the 1st server didn't refuse incoming mail, it just kept piling
up in overflow - to the tune of about 10,000 messages in the course of a
single morning.

Is there a way to configure Imail/Declude so as not to use overflow, instead
refusing additional connections so they are passed to secondary servers?

Thanks
Dan


PS, more on CPU load itself later

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
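
The two ideas in this thread, running the banned-extension test ahead of the virus scan (Matt) and refusing the message with a 550 at SMTP time (Tom), sketched as an added example; it is not code from any poster, nor from Declude, IMail or Postfix. The function names, the reply strings and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the thread names as banned outright.
BANNED_EXTENSIONS = {"scr", "bat", "pif", "com", "vbs"}

def banned_attachments(raw_message):
    """Return attachment filenames whose final extension is banned."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 encoded values.
        name = part.get_filename()
        if not name:
            continue
        # Only the last extension decides how Windows opens the file, and
        # trailing dots/spaces are dropped by Windows, so normalise first.
        cleaned = name.strip().rstrip(". ").lower()
        ext = cleaned.rpartition(".")[2] if "." in cleaned else ""
        if ext in BANNED_EXTENSIONS:
            hits.append(name)
    return hits

def smtp_verdict(raw_message, scanner=None):
    """Cheap extension test first; the costly scanner runs only if it passes."""
    hits = banned_attachments(raw_message)
    if hits:
        return "550 5.7.1 attachment type not accepted: " + ", ".join(hits)
    if scanner is not None and scanner(raw_message):
        return "550 5.7.1 message rejected by virus scanner"
    return "250 2.0.0 accepted"

def build_sample(filename):
    """Constructed test message with a harmless attachment of the given name."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(b"harmless bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("details.pif", "Invoice.TXT.ScR", "report.pdf"):
        print(fn, "->", smtp_verdict(build_sample(fn)))
```

Because the extension test needs only the MIME headers, it keeps working during the window before antivirus definitions are updated, and the scanner callback is never invoked for a message it has already refused.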