Markus et al.,

This is my first full day on SP1, but I have seen double processing before in D files stranded in the spool going back maybe a year or more and on Win2K as well.  I was only able to nail this down to a load issue because the 1:30 a.m. mailing is a daily occurrence and I see errors in my logs every time since adding this customer.

I have one external application that is erroring on heavy load, but that would also happen before SP1.  I did however note that my CPU utilization peaked at 39% today on hourly averages with SP1 whereas on Friday pre-SP1, they peaked at 30% (and Mondays are generally slow).  I'm not sure what has caused this, but it could be something as simple as a dictionary attack.  Aside from the increased CPU utilization which may or may not be related to SP1 and this one application throwing errors under heavy load, I have yet to see any of these other errors with queue manager or Declude.

FYI, immediately after upping to SP1 I found that my address validation software was incompatible and needed to be patched to work with SP1 so my server ran at 100% for about 1 hour and the only bad effect in the core processes was a few of these errors with Virus and I suspect double processing as they always seem to happen together.

Matt



Gufler Markus wrote:
FYI: I'm running v1.82 on a Win2003 server and since SP1 was installed I've
had problems multiple times with the queue manager and also popup messages
for declude.exe. One problem could be the new SP1 application execution
protection.

This problem appears only some days but can also happen multiple times a
day. I've removed SP1 and will watch now if it will solve the problem.

Markus



  
-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of 
Darrell ([EMAIL PROTECTED])
Sent: Monday, April 18, 2005 11:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Error 183 in Declude Virus 
and double processing in Declude JunkMail during heavy load

I submitted a support ticket this morning about problems I 
saw under 2.0.6 with high load.  This weekend while doing 
some maintenance I ran into some load issues when I brought 
one of the servers down I maintain.  When I bring one of the 
servers offline I know the other server will start dropping 
messages into the overflow directory and it did this.  
However, after a short period of time I started to see 
application pop up messages "Declude.exe - Application error: 
The application failed to initialize properly (0xc0000142)".  
I ended up having to reboot the box.  I thought this was a 
fluke, but when I did the maintenance on the other server I 
saw the same problem again on the other mail server. 

The odd thing about both situations is that I saw hundreds 
of declude.exe processes when the max under 2.0.6 by default is 25. 

Again this could be something unique to my servers. 

Darrell
 
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for 
Declude And Imail.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers. 

 

Andy Schmidt writes: 

    
Hi Matt:

While I was beta testing 2.0.6, I was also suffering from some distributed dictionary attacks - and I was scrutinizing the log files much more closely (to look for possible beta errors).

I don't know WHICH of these three factors were critical (2.x vs. load vs. level of attention) - but I had detected what sounds like your situation.  I noticed Spam and Virus log entries that referred to file i/o errors and upon closer examination of individual cases, I noticed that apparently the same Q/D files were processed more than once.  The developers added log information that tracked the process-id to determine if the problem was a loop in one process or the launching of multiple processes (they were indeed different.)

About the same time, they also introduced the new Declude.cfg file that allowed me to manage/limit the number of concurrent Declude processes.

After installing new builds AND limiting the number of Declude processes I no longer noticed these errors in the log files.

So - I can state that this problem was worked on and even that some code changes were made. But I can't promise with certainty that the problem was fixed with the code changes, or due to the new Declude.cfg option - or if my workload mix simply was sufficiently different.

Since then I have been able to block those distributed dictionary attacks in my IIS gateways, so that this factor has been eliminated altogether.

Best Regards
Andy Schmidt 

Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, April 18, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load


This is primarily meant for Declude's support, but I am sending it to the list in the event that the broader scrutiny might be beneficial.

I'm currently running Declude 1.82 and Windows 2003 SP1.  It appears that under heavy load I am seeing errors from both Declude Virus and Declude JunkMail, and it seems possible that while the errors are triggered by the heavy load, the conditions created might be avoidable.  It seems likely that either IMail or Declude is producing the problem.

I have a client that has a Web server that pumps out about 350 E-mails every night in rapid succession from their Web server.  This has been causing issues pretty much every night.  Declude Virus throws about a half dozen or so errors during this blast saying "Error 183 creating temp directory [path]", and when this happens, it seems to always do this multiple times for the same file name.  Declude JunkMail seems to also double, triple, quadruple, etc., process the same files when this happens, which is noted in both the logs as well as the headers that it inserts in the E-mail.  I sometimes find these multiple-processed files stranded in my spool without a Q file.  I'm not sure what conditions associated with the load are causing this, but this can also happen at other times outside of this nightly blast when the CPUs are being pegged.

I'm sharing the associated headers and log file entries in the hopes of helping to identify the source of the issue and also potentially resolving it.  Here is a copy of each for one such message:


HEADERS
==================================================================
Received: from mx1.mailpure.com [208.7.179.200] by mail.mailpure.com with ESMTP
  (SMTPD32-8.15) id A039545F00E0; Thu, 14 Apr 2005 01:31:37 -0400
Received: from DH04 ([###.###.###.###]) by mx1.mailpure.com with Microsoft SMTPSVC(6.0.3790.211);
     Thu, 14 Apr 2005 01:31:34 -0400
Received: from mail pickup service by DH04 with Microsoft SMTPSVC;
     Thu, 14 Apr 2005 01:30:49 -0400
From:  <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
To:  <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Subject: Nightly Email update from [Company Name]
Date: Thu, 14 Apr 2005 01:30:49 -0400
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0001_01C54091.8C5A7060"
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcVAsxNWnH6Lzk2RRyizH9lhpqD3BQ==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-OriginalArrivalTime: 14 Apr 2005 05:30:49.0363 (UTC) FILETIME=[1DD32E30:01C540B3]
Return-Path: [EMAIL PROTECTED]
X-MailPure: ================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure: ================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com [###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure: ================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: ================================================================
X-MailPure: ================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure: ================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com [###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure: ================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: ================================================================
X-MailPure: ================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure: ================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:18 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com [###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure: ================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: ================================================================
X-MailPure: ================================================================
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure: ================================================================
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:36 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com [###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure: ================================================================
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure: ================================================================
    
IMAIL LOG
==================================================================
20050414 013137 127.0.0.1       SMTPD (0039545f00e0819a) [208.7.179.200] connect 208.7.179.200 port 44750
20050414 013137 127.0.0.1       SMTPD (0039545f00e0819a) [208.7.179.200] EHLO mx1.mailpure.com
20050414 013137 127.0.0.1       SMTPD (0039545f00e0819a) [208.7.179.200] MAIL FROM: <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
20050414 013137 127.0.0.1       SMTPD (0039545f00e0819a) [208.7.179.200] RCPT TO: <mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
20050414 013137 127.0.0.1       SMTPD (0039545f00e0819a) [208.7.179.200] F:\\D0039545f00e0819a.SMD 19967
20050414 013415 127.0.0.1       SMTP (0039545f00e0819a) processing F:\\Q0039545f00e0819a.SMD
20050414 013416 127.0.0.1       SMTP (0039545f00e0819a) ldeliver local-domain.example.com user-main (1) [EMAIL PROTECTED] 21513
20050414 013416 127.0.0.1       SMTP (0039545f00e0819a) finished F:\\Q0039545f00e0819a.SMD status=1


DECLUDE VIRUS LOG
==================================================================
04/14/2005 01:33:52 Q0039545f00e0819a Error 183 creating temp directory F:\D0039545f00e0819a.vir\.
04/14/2005 01:33:52 Q0039545f00e0819a Error 183 creating temp directory F:\D0039545f00e0819a.vir\.
04/14/2005 01:33:52 Q0039545f00e0819a Scanned: Error starting scanner
04/14/2005 01:33:52 Q0039545f00e0819a Scanned: Error starting scanner
04/14/2005 01:33:52 Q0039545f00e0819a MIME file: [text/html][quoted-printable; Length=12426 Checksum=1007169]
04/14/2005 01:33:53 Q0039545f00e0819a Scanned: Virus Free [Prescan OK][MIME: 2 17782]
04/14/2005 01:34:15 Q0039545f00e0819a MIME file: [text/html][quoted-printable; Length=12426 Checksum=1007169]
04/14/2005 01:34:15 Q0039545f00e0819a Scanned: Virus Free [Prescan OK][MIME: 2 17782]


DECLUDE JUNKMAIL LOG
==================================================================
04/14/2005 01:34:14 Q0039545f00e0819a FORGEDFROM:2 .  Total weight = 2.
04/14/2005 01:34:15 Q0039545f00e0819a FORGEDFROM:2 .  Total weight = 2.
04/14/2005 01:34:15 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:15 Q0039545f00e0819a Subject: Nightly Email update from [Company Name]
04/14/2005 01:34:15 Q0039545f00e0819a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: ###.###.###.### ID: 
04/14/2005 01:34:15 Q0039545f00e0819a Tests failed [weight=2]: CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE 
04/14/2005 01:34:15 Q0039545f00e0819a Last action = ""
04/14/2005 01:34:15 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:15 Q0039545f00e0819a Subject: Nightly Email update from [Company Name]
04/14/2005 01:34:15 Q0039545f00e0819a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: ###.###.###.### ID: 
04/14/2005 01:34:15 Q0039545f00e0819a Tests failed [weight=2]: CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE 
04/14/2005 01:34:15 Q0039545f00e0819a Last action = ""
04/14/2005 01:34:18 Q0039545f00e0819a FORGEDFROM:2 .  Total weight = 2.
04/14/2005 01:34:18 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:18 Q0039545f00e0819a Subject: Nightly Email update from [Company Name]
04/14/2005 01:34:18 Q0039545f00e0819a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: ###.###.###.### ID: 
04/14/2005 01:34:18 Q0039545f00e0819a Tests failed [weight=2]: CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE 
04/14/2005 01:34:18 Q0039545f00e0819a Last action = ""
04/14/2005 01:34:36 Q0039545f00e0819a FORGEDFROM:2 .  Total weight = 2.
04/14/2005 01:34:36 Q0039545f00e0819a L1 Message OK
04/14/2005 01:34:36 Q0039545f00e0819a Subject: Nightly Email update from [Company Name]
04/14/2005 01:34:36 Q0039545f00e0819a From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]  IP: ###.###.###.### ID: 
04/14/2005 01:34:36 Q0039545f00e0819a Tests failed [weight=2]: CATCHALLMAILS=WARN IPNOTINMX=IGNORE NOLEGITCONTENT=IGNORE SIZE-S=IGNORE BASE64-ANTI=IGNORE FORGEDFROM=WARN PASSED=IGNORE 
04/14/2005 01:34:36 Q0039545f00e0819a Last action = ""


Thanks, 

Matt 

--  

===================================================== 

MailPure custom filters for Declude JunkMail Pro. 

http://www.mailpure.com/software/ 

===================================================== 

      
 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

    



  

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
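
A way to check logs for the double processing reported in this thread, added here as an example and not code from Declude, IMail or any poster: it counts completed scoring passes per queue ID in a JunkMail log and lines up the "Error 183" entries from the Virus log. The sample lines are constructed from the excerpts quoted above, the second queue ID is made up, and the function names and the one-`Last action`-line-per-pass rule are assumptions.

```python
import re
from collections import Counter, defaultdict

# Line shape in the Declude logs quoted above: "MM/DD/YYYY HH:MM:SS Q<id> <message>"
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (Q[0-9a-fA-F]+) (.*)$")

# Constructed sample input, abridged from the excerpts in the thread.
# Q00aa11bb22cc33dd is a made-up control ID that was processed once.
JUNKMAIL_LOG = '''\
04/14/2005 01:34:15 Q0039545f00e0819a Last action = ""
04/14/2005 01:34:15 Q0039545f00e0819a Last action = ""
04/14/2005 01:34:18 Q0039545f00e0819a Last action = ""
04/14/2005 01:34:36 Q0039545f00e0819a Last action = ""
04/14/2005 01:35:02 Q00aa11bb22cc33dd Last action = ""
'''
VIRUS_LOG = '''\
04/14/2005 01:33:52 Q0039545f00e0819a Error 183 creating temp directory F:\\D0039545f00e0819a.vir\\.
04/14/2005 01:33:52 Q0039545f00e0819a Error 183 creating temp directory F:\\D0039545f00e0819a.vir\\.
04/14/2005 01:33:52 Q0039545f00e0819a Scanned: Error starting scanner
04/14/2005 01:35:01 Q00aa11bb22cc33dd Scanned: Virus Free [Prescan OK]
'''

def parse(log_text):
    """Return (timestamp, queue_id, message) for each well-formed log line."""
    matches = (LINE.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def pass_times(junkmail_log, marker="Last action ="):
    """Map queue ID -> timestamps of each completed scoring pass.
    Assumption: one `marker` line is written per pass, as in the excerpt."""
    times = defaultdict(list)
    for ts, qid, msg in parse(junkmail_log):
        if msg.startswith(marker):
            times[qid].append(ts)
    return times

def mkdir_collisions(virus_log):
    """Count 'Error 183' lines per queue ID. 183 matches Win32
    ERROR_ALREADY_EXISTS (assumed to be the code Declude reports)."""
    return Counter(q for _, q, msg in parse(virus_log) if msg.startswith("Error 183 "))

def double_processed(junkmail_log, virus_log):
    """Report queue IDs scored more than once, with their collision counts."""
    collisions = mkdir_collisions(virus_log)
    return {qid: {"passes": len(ts), "first": ts[0], "last": ts[-1],
                  "error_183": collisions[qid]}
            for qid, ts in pass_times(junkmail_log).items() if len(ts) > 1}

if __name__ == "__main__":
    print(double_processed(JUNKMAIL_LOG, VIRUS_LOG))
```
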
