Thanks Matt, I implemented the Viruscode 8.

 

Yesterday I was still having over 3000 emails in the overflow folder.

 

I had to do some tasks to manage things, even though my client was fixing their machines at their end.

 

I created a kill list in Imail with the most common from addresses the virus/emails were using (Hostmaster at hotmail.com, for example).

 

I updated rules.ima in my clients' domains, deleting emails with particular subjects or having particular attachments (Sober.O subjects and attachments).

 

Just in case, I used the banname feature –Declude- to make sure the Sober attachments were deleted.

 

I also took my chances incrementing Declude processes in small numbers and got to 50. The server behaved very well and the overflow folder started to decrease in terms of the amount of emails.

 

Today was a very smooth day. Now I am just thinking about something that is knocking in my head:

I manage 25K emails per day, 200+ domains and 3500 users. It is not a big installation compared with what I have read on the Imail and Declude lists. But what worries me is that my server/imail/declude box was overflowed with 3000 emails, so I don’t get the picture of how we can handle 100K emails per day with 500 domains and 12K users. My server is a Xeon 2.4 GHz with 1 gig in RAM (W2K). Should I need a better and more powerful server?

 

P.S.: By the way, what about changing to Smartmail, does Smartmail handle my load without problems?

 

Regards

            -Luis Arango

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, May 04, 2005 12:05 a.m.
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] w32/Sober.O virus

 

Luis,

If you are seeing 100% CPU utilization and timeouts in your Declude Virus log, you would be best served by reducing the number of simultaneous processes instead of increasing them.  If you increase them, you run the risk of causing more timeouts.

Your F-Prot config looks to be normal, but you need to add the following line in order to stop some recent viruses for which F-Prot is returning a code 8 when detected:

    VIRUSCODE1   8

Considering that you attributed 80% to just one client, and it appears that they had a big infection, that would explain why you are seeing this sort of traffic but others like myself are not.  Seems like you have a good handle on things now.

Good luck,

Matt



Panda Consulting S.A. Luis Alberto Arango wrote:

Matt and Dave: First of all thank you very much for answering my post. 
 
I am using fpcmd.exe
 
Here is my config lines, in case I am missing some important switch.
SCANFILE1  D:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1    Infection:
 
 
Anyway, I already contacted one of my clients whose IP is sending lots and
lots of emails with viruses to our mail server. I believe they are sending
probably 80% of the viruses I am getting.
 
He confirmed that they were infected and that they are running a clean up
task. They have over 600 computers so it takes quite some time to make sure
they are all clean.
 
I am also narrowing other IPs to contact the owners.
 
Besides, Declude is running 25 simultaneously -default-. If tomorrow I get
overflow messages I will increase the number of processes in the declude.cfg
file to see if that improves the delivery. I just have to make sure I don't
crash the server. I may also increase the number of Imail threads to 40 or
50
 
By the way I found interesting and useful support text regarding delayed
delivery here
http://www.declude.com/help_answer.asp?ID=122
 
-Imail's SMTP Sending Architecture-
 
Again thanks for your help
 
       -Luis Arango
 
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, May 03, 2005 09:07 p.m.
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] w32/Sober.O virus
 
If you aren't running fpcmd.exe as Dave suggested, that would definitely
be the first place to start.  You need to purchase F-Prot instead of
using the free DOS scanner to get fpcmd.exe.
 
This is not normal behavior for Sober, but I have seen some viruses get
really bursty.  For instance, one client that has a massive newsletter
would get hammered by viruses because of harvesting of their addresses
from the newsletter.  Some viruses also can hammer you with huge volume
from a single computer.  You might want to look at the IPs that are
sending the viruses and see if these can be narrowed down to just a few
computers for the bulk of the messages.
 
Aside from that, Declude JunkMail is generally leaner than Declude
Virus, and you might get a boost by having Declude JunkMail run first,
where many of the viruses would be blocked and then wouldn't need to be
virus scanned.  You would need to be deleting the spams for them to not
get scanned by Declude Virus however, maybe Hold also prevents it, but
I'm pretty sure that the other actions will still result in them being
virus scanned under this alternative configuration.  This is also much
more beneficial when you run multiple virus scanners since more CPU can
be saved this way.  F-Prot is generally very efficient.
 
Matt
 
 
 
Panda Consulting S.A. Luis Alberto Arango wrote:
 
    
FYI:
Today we were flooded with massive incoming emails containing the Sober.O
(f-prot) virus.
 
We receive approx. 15% of viruses out of all the emails we process. Today the
figure rose to almost 40%.
 
It filled the overflow folder and there were delays of about 2 to 5 hours
to deliver non-virus emails.
 
We received the first email with the virus at 12 (noon) May 2. Our f-prot
signature files were not updated -we update every 4 hours- and we let 27
emails with viruses pass through. There was nothing we could do about it.
The virus was discovered the same day by Symantec, F-prot and others.
 
Our F-prot received signature files at 1:30 pm and from that time on we have
caught about 9000 emails out of 30,000.
 
The folder is full with 3000 emails and is not able to be handled as fast as
we would want with declude/f-prot.
 
Q:
Is there something we can do to avoid such delays delivering emails other
than use the Imail Kill list, catching the computers delivering the viruses and
moving to a stronger server?
 
Bye
  -Luis Arango
 
 
 
______
[Email scanned for viruses by Panda Consulting -www.pandacons.com-]
 
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
 
 
 
 
      
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
 
 
 
  



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
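
An added example, not part of the thread and not Declude's own code: a small audit that parses the scanner directives quoted above and reports non-zero scanner exit codes that no VIRUSCODE line covers, which is the gap Matt's `VIRUSCODE1 8` line closes. The list of observed exit codes is constructed sample data, the function names are hypothetical, and treating exit code 0 as "clean" is an assumption.

```python
import re
from collections import Counter

# Scanner 1 directives as quoted in the thread, before the fix.
CONFIG_BEFORE = r"""
SCANFILE1  D:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1    Infection:
"""
# The same directives with the line Matt recommends adding.
CONFIG_AFTER = CONFIG_BEFORE + "VIRUSCODE1   8\n"

# Constructed sample: exit codes a wrapper around the scanner might have logged.
OBSERVED = [0, 0, 3, 8, 0, 8, 6, 8, 0, 3]

DIRECTIVE = re.compile(r"^\s*VIRUSCODE(\d+)\s+(\d+)\s*$", re.IGNORECASE)


def virus_codes(config_text, scanner=1):
    """Return the exit codes listed as VIRUSCODE<scanner> in the config text."""
    codes = set()
    for line in config_text.splitlines():
        match = DIRECTIVE.match(line)
        if match and int(match.group(1)) == scanner:
            codes.add(int(match.group(2)))
    return codes


def unmapped_exit_codes(config_text, observed, scanner=1, clean=0):
    """Count observed exit codes that are neither clean nor listed as a virus code.

    Each code returned here needs review: it may be a detection the config
    does not act on, or a scanner error.
    """
    mapped = virus_codes(config_text, scanner)
    return Counter(c for c in observed if c != clean and c not in mapped)


if __name__ == "__main__":
    print("before:", dict(unmapped_exit_codes(CONFIG_BEFORE, OBSERVED)))
    print("after: ", dict(unmapped_exit_codes(CONFIG_AFTER, OBSERVED)))
```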
