Andy,
Thanks for the information. There is no doubt that you could limit the
processes and never reach this overloaded condition and that would mask
the issue, and gateway validation should also prevent overloaded
conditions if you were formerly being bombarded. What I'm curious
about however is whether or not Declude corrected the issue (if it was
theirs), or if they just simply masked it by allowing for these limits.
Personally, I'm a little concerned about controlling things with a
limit that is only associated with a process count since there are
certainly many times on my box that it needs to handle bursty traffic
and I don't want to back things up if I can help it. I already know
that depending on whether or not something is whitelisted, has an
attachment, or how big the attachment or body of the message is, my box
will respond very differently. I would hate to put a limit on things
that might cap my server at 50% utilization in some cases, but might be
too high to matter in others.
Thanks,
Matt
Andy Schmidt wrote:
Hi Matt:
While I was beta testing 2.0.6, I was also
suffering from some distributed dictionary attacks - and I was
scrutinizing the log files much more closely (to look for possible beta
errors).
I don't know WHICH of these three factors
were critical (2.x vs. load vs. level of attention) - but I had
detected what sounds like your situation. I noticed Spam and Virus log
entries that refererred to file i/o errors and upon closer examination
of individual cases, I noticed that apparently the same Q/D files were
processed more than once. The developers added log information that
tracked the process-id to determine if the problem was a loop in one
process or the launching of multiple processed (they were indeed
different.)
About the same time, they also introduced
the new Declude.cfg file that allowed me to manage/limit the number of
concurrent Declude processes.
After installing new builds AND limiting
the number of Declude processes I no longer noticed these errors in the
log files.
So - I can state that this problem was
worked on and even that some code changes were made. But
I can't promise with certainty that the problem was fixed with the code
changes, or due to the new Declude.cfg option - or if my workload mix
simply was sufficiently different.
Since then I have been able to block those
distributed dictionary attacks in my IIS gateways, so that this factor
has been eliminated altogether.
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20
(Business)
Fax: +1 201 934-9206
This is primarily meant for Declude's support, but I am sending it to
the list in the event that the broader scrutiny might be beneficial.
I'm currently running Declude 1.82 and Windows 2003 SP1. It appears
that under heavy load I am seeing errors from both Declude Virus and
Declude JunkMail, and it seems possible that while the errors are
triggered by the heavy load, the conditions created might be
avoidable. It seems likely that either IMail or Declude is producing
the problem.
I have a client that has a Web server that pumps out about 350 E-mails
every night in rapid succession from their Web server. This has been
causing issues pretty much every night. Declude Virus throws about a
half dozen or so errors during this blast saying "Error 183 creating
temp directory [path]", and when this happens, it seems to always do
this multiple times for the same file name. Declude JunkMail seems to
also double, tipple, quadruple, etc., process the same files when this
happens, which is noted in both the logs as well as the headers that it
inserts in the E-mail. I sometimes find these multiple-processed files
stranded in my spool without a Q file. I'm not sure what conditions
associated with the load are causing this, but this can also happen at
other times outside of this nightly blast when the CPU's are being
pegged.
I'm sharing the associated headers and log file entries in the hopes of
helping to identify the source of the issue and also potentially
resolving it. Here is a copy of each for one such message:
HEADERS
==================================================================
Received: from mx1.mailpure.com [208.7.179.200] by
mail.mailpure.com with ESMTP
(SMTPD32-8.15) id A039545F00E0; Thu, 14 Apr 2005 01:31:37 -0400
Received: from DH04 ([###.###.###.###]) by mx1.mailpure.com with
Microsoft SMTPSVC(6.0.3790.211);
Thu, 14 Apr 2005 01:31:34 -0400
Received: from mail pickup service by DH04 with Microsoft SMTPSVC;
Thu, 14 Apr 2005 01:30:49 -0400
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Nightly Email update from [Company Name]
Date: Thu, 14 Apr 2005 01:30:49 -0400
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_01C54091.8C5A7060"
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcVAsxNWnH6Lzk2RRyizH9lhpqD3BQ==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-OriginalArrivalTime: 14 Apr 2005 05:30:49.0363 (UTC)
FILETIME=[1DD32E30:01C540B3]
Return-Path: [EMAIL PROTECTED]
X-MailPure:
================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com
[###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure:
================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
================================================================
X-MailPure:
================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com
[###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure:
================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
================================================================
X-MailPure:
================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:18 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com
[###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure:
================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
================================================================
X-MailPure:
================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:36 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com
[###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure:
================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
================================================================
IMAIL LOG
==================================================================
20050414 013137 127.0.0.1 SMTPD (0039545f00e0819a)
[208.7.179.200] connect 208.7.179.200 port 44750
20050414 013137 127.0.0.1 SMTPD (0039545f00e0819a)
[208.7.179.200] EHLO mx1.mailpure.com
20050414 013137 127.0.0.1 SMTPD (0039545f00e0819a)
[208.7.179.200] MAIL FROM:<[EMAIL PROTECTED]>
20050414 013137 127.0.0.1 SMTPD (0039545f00e0819a)
[208.7.179.200] RCPT TO:<[EMAIL PROTECTED]>
20050414 013137 127.0.0.1 SMTPD (0039545f00e0819a)
[208.7.179.200] F:\\D0039545f00e0819a.SMD 19967
20050414 013415 127.0.0.1 SMTP (0039545f00e0819a) processing
F:\\Q0039545f00e0819a.SMD
20050414 013416 127.0.0.1 SMTP (0039545f00e0819a) ldeliver
local-domain.example.com user-main (1) [EMAIL PROTECTED]
21513
20050414 013416 127.0.0.1 SMTP (0039545f00e0819a) finished
F:\\Q0039545f00e0819a.SMD status=1
DECLUDE VIRUS LOG
==================================================================
04/14/2005 01:33:52 Q0039545f00e0819a Error 183 creating
temp directory F:\D0039545f00e0819a.vir\.
04/14/2005 01:33:52 Q0039545f00e0819a Error 183 creating temp directory
F:\D0039545f00e0819a.vir\.
04/14/2005 01:33:52 Q0039545f00e0819a Scanned: Error starting scanner
04/14/2005 01:33:52 Q0039545f00e0819a Scanned: Error starting scanner
04/14/2005 01:33:52 Q0039545f00e0819a MIME file:
[text/html][quoted-printable; Length=12426 Checksum=1007169]
04/14/2005 01:33:53 Q0039545f00e0819a Scanned: Virus Free [Prescan
OK][MIME: 2 17782]
04/14/2005 01:34:15 Q0039545f00e0819a MIME file:
[text/html][quoted-printable; Length=12426 Checksum=1007169]
04/14/2005 01:34:15 Q0039545f00e0819a Scanned: Virus Free [Prescan
OK][MIME: 2 17782]
DECLUDE JUNKMAIL LOG
==================================================================
04/14/2005 01:34:14 Q0039545f00e0819a FORGEDFROM:2 . Total
weight = 2.
04/14/2005 01:34:15 Q0039545f00e0819a FORGEDFROM:2 . Total weight = 2.
04/14/2005 01:34:15 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:15 Q0039545f00e0819a Subject: Nightly Email update
from [Company Name]
04/14/2005 01:34:15 Q0039545f00e0819a From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
IP: ###.###.###.### ID:
04/14/2005 01:34:15 Q0039545f00e0819a Tests failed [weight=2]:
CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE
BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE
04/14/2005 01:34:15 Q0039545f00e0819a Last action = "">
04/14/2005 01:34:15 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:15 Q0039545f00e0819a Subject: Nightly Email update
from [Company Name]
04/14/2005 01:34:15 Q0039545f00e0819a From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
IP: ###.###.###.### ID:
04/14/2005 01:34:15 Q0039545f00e0819a Tests failed [weight=2]:
CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE
BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE
04/14/2005 01:34:15 Q0039545f00e0819a Last action = "">
04/14/2005 01:34:18 Q0039545f00e0819a FORGEDFROM:2 . Total weight = 2.
04/14/2005 01:34:18 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:18 Q0039545f00e0819a Subject: Nightly Email update
from [Company Name]
04/14/2005 01:34:18 Q0039545f00e0819a From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
IP: ###.###.###.### ID:
04/14/2005 01:34:18 Q0039545f00e0819a Tests failed [weight=2]:
CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE
BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE
04/14/2005 01:34:18 Q0039545f00e0819a Last action = "">
04/14/2005 01:34:36 Q0039545f00e0819a FORGEDFROM:2 . Total weight = 2.
04/14/2005 01:34:36 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:36 Q0039545f00e0819a Subject: Nightly Email update
from [Company Name]
04/14/2005 01:34:36 Q0039545f00e0819a From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
IP: ###.###.###.### ID:
04/14/2005 01:34:36 Q0039545f00e0819a Tests failed [weight=2]:
CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE
BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE
04/14/2005 01:34:36 Q0039545f00e0819a Last action = "">
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
