date:20040908

RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Darrell LaRock

Scott,

What version of the script are you using?  I just checked mine and it is
giving me the same thing on both of my servers.  I have surbl_filter.cmd
version 1.1

Tue 09/07/2004  1:23a Update successful [976 entries]
Tue 09/07/2004  1:53a Update failed [conversion error]

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL issue

It's working ok here just tried 2 minutes ago:
Tue 09/07/2004  4:41p Update successful [983 entries]

If it was a one time only thing, maybe you caught a bad download or there
was something bad in the zone.

A conversion error implies something wrong here:
rem --- Convert line breaks from LF to CRLF (or exit if conversion failed):
---
if exist todos.exe todos surbl.rbldns.tmp
for /f tokens=* %%c in ('findstr /r $ surbl.rbldns.tmp') do set
v_result=ok
if not %v_result%==ok (set v_result=conversion error)  (goto :s_end)


Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 09/07/04 04:35PM 
My surbl setup has been running fine up till 1:00 am this morning
 
my setup is:
 
SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
 
In the log file I now get:
 
Tue 09/07/2004  5:15p Update failed [conversion error]
 
Nothing has changed in my setup and the log file has successful entries for
a very long time until now
 
Anyone have any ideas?
 
thank you
 

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 




---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Darrell LaRock

OK, after some digging I found this

--09:46:15--  http://www.surbl.org/sc.surbl.org.rbldns
   = `surbl.rbldns.tmp'
Resolving www.surbl.org... done.
Connecting to www.surbl.org[66.170.2.60]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
09:46:15 ERROR 404: Not Found.

After checking the SURBL site I found this under the news section
*.rbldns - going away when no traffic, use *.rbldnsd instead

In the script find the line 
set v_url=http://www.surbl.org/sc.surbl.org.rbldns

and change it to 
set v_url=http://www.surbl.org/sc.surbl.org.rbldnsd

It now works again.

Darrell


-Original Message-
From: Darrell LaRock [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 08, 2004 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Declude.JunkMail] SURBL issue

Scott,

What version of the script are you using?  I just checked mine and it is
giving me the same thing on both of my servers.  I have surbl_filter.cmd
version 1.1

Tue 09/07/2004  1:23a Update successful [976 entries]
Tue 09/07/2004  1:53a Update failed [conversion error]

Darrell

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL issue

It's working ok here just tried 2 minutes ago:
Tue 09/07/2004  4:41p Update successful [983 entries]

If it was a one time only thing, maybe you caught a bad download or there
was something bad in the zone.

A conversion error implies something wrong here:
rem --- Convert line breaks from LF to CRLF (or exit if conversion failed):
---
if exist todos.exe todos surbl.rbldns.tmp
for /f tokens=* %%c in ('findstr /r $ surbl.rbldns.tmp') do set
v_result=ok
if not %v_result%==ok (set v_result=conversion error)  (goto :s_end)


Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 09/07/04 04:35PM 
My surbl setup has been running fine up till 1:00 am this morning
 
my setup is:
 
SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
 
In the log file I now get:
 
Tue 09/07/2004  5:15p Update failed [conversion error]
 
Nothing has changed in my setup and the log file has successful entries for
a very long time until now
 
Anyone have any ideas?
 
thank you
 

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 




---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Dave Doherty

I have the same problem. The log shows consistently successful updates from 
June 15 until yesterday morning, and nothing but failures since. I have made 
no changes to my setup.

Mon 09/06/2004  12:00a Update successful [975 entries]
Mon 09/06/2004  6:00a Update successful [979 entries]
Mon 09/06/2004  12:00p Update successful [983 entries]
Mon 09/06/2004  6:00p Update successful [981 entries]
Tue 09/07/2004  12:00a Update successful [974 entries]
Tue 09/07/2004  6:00a Update failed [conversion error]
Tue 09/07/2004  12:00p Update failed [conversion error]
Tue 09/07/2004  6:00p Update failed [conversion error]
Wed 09/08/2004  12:00a Update failed [conversion error]
Wed 09/08/2004  6:00a Update failed [conversion error]
-Dave Doherty
Skywaves, Inc.
- Original Message - 
From: Darrell LaRock [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 9:38 AM
Subject: RE: [Declude.JunkMail] SURBL issue


Scott,
What version of the script are you using?  I just checked mine and it is
giving me the same thing on both of my servers.  I have surbl_filter.cmd
version 1.1
Tue 09/07/2004  1:23a Update successful [976 entries]
Tue 09/07/2004  1:53a Update failed [conversion error]
Darrell
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Tuesday, September 07, 2004 5:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] SURBL issue
It's working ok here just tried 2 minutes ago:
Tue 09/07/2004  4:41p Update successful [983 entries]
If it was a one time only thing, maybe you caught a bad download or there
was something bad in the zone.
A conversion error implies something wrong here:
rem --- Convert line breaks from LF to CRLF (or exit if conversion 
failed):
---
if exist todos.exe todos surbl.rbldns.tmp
for /f tokens=* %%c in ('findstr /r $ surbl.rbldns.tmp') do set
v_result=ok
if not %v_result%==ok (set v_result=conversion error)  (goto :s_end)

Scott Fisher
Director of IT
Farm Progress Companies
[EMAIL PROTECTED] 09/07/04 04:35PM 
My surbl setup has been running fine up till 1:00 am this morning
my setup is:
SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
In the log file I now get:
Tue 09/07/2004  5:15p Update failed [conversion error]
Nothing has changed in my setup and the log file has successful entries 
for
a very long time until now

Anyone have any ideas?
thank you
Harry Vanderzand
inTown Internet  Computer Services
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer:
- Province wide dial-up and high speed internet access
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] SURBL issue

2004-09-08 Thread Markus Gufler

I can't see such errors on my server (european date format, GMT+1)

Di 07.09.2004  6:02:01,50 Update successful [974 entries]
Di 07.09.2004  9:02:01,79 Update successful [974 entries]
Di 07.09.2004 12:02:01,78 Update successful [967 entries]
Di 07.09.2004 15:02:03,62 Update successful [968 entries]
Di 07.09.2004 18:02:06,89 Update successful [975 entries]
Di 07.09.2004 21:02:01,45 Update successful [976 entries]
Mi 08.09.2004  3:02:02,76 Update successful [981 entries]
Mi 08.09.2004  6:02:01,54 Update successful [990 entries]
Mi 08.09.2004  9:02:01,46 Update successful [991 entries]
Mi 08.09.2004 12:02:02,60 Update successful [997 entries]
Mi 08.09.2004 15:02:02,85 Update successful [1001 entries]


Markus


 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
 Sent: Wednesday, September 08, 2004 3:51 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] SURBL issue
 
 I have the same problem. The log shows consistently 
 successful updates from June 15 until yesterday morning, and 
 nothing but failures since. I have made no changes to my setup.
 
 Mon 09/06/2004  12:00a Update successful [975 entries] Mon 
 09/06/2004  6:00a Update successful [979 entries] Mon 
 09/06/2004  12:00p Update successful [983 entries] Mon 
 09/06/2004  6:00p Update successful [981 entries] Tue 
 09/07/2004  12:00a Update successful [974 entries] Tue 
 09/07/2004  6:00a Update failed [conversion error] Tue 
 09/07/2004  12:00p Update failed [conversion error] Tue 
 09/07/2004  6:00p Update failed [conversion error] Wed 
 09/08/2004  12:00a Update failed [conversion error] Wed 
 09/08/2004  6:00a Update failed [conversion error]
 
 -Dave Doherty
  Skywaves, Inc.
 
 
 - Original Message -
 From: Darrell LaRock [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, September 08, 2004 9:38 AM
 Subject: RE: [Declude.JunkMail] SURBL issue
 
 
  Scott,
 
  What version of the script are you using?  I just checked 
 mine and it is
  giving me the same thing on both of my servers.  I have 
 surbl_filter.cmd
  version 1.1
 
  Tue 09/07/2004  1:23a Update successful [976 entries]
  Tue 09/07/2004  1:53a Update failed [conversion error]
 
  Darrell
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Scott Fisher
  Sent: Tuesday, September 07, 2004 5:46 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Declude.JunkMail] SURBL issue
 
  It's working ok here just tried 2 minutes ago:
  Tue 09/07/2004  4:41p Update successful [983 entries]
 
  If it was a one time only thing, maybe you caught a bad 
 download or there
  was something bad in the zone.
 
  A conversion error implies something wrong here:
  rem --- Convert line breaks from LF to CRLF (or exit if conversion 
  failed):
  ---
  if exist todos.exe todos surbl.rbldns.tmp
  for /f tokens=* %%c in ('findstr /r $ surbl.rbldns.tmp') do set
  v_result=ok
  if not %v_result%==ok (set v_result=conversion error)  
 (goto :s_end)
 
 
  Scott Fisher
  Director of IT
  Farm Progress Companies
 
  [EMAIL PROTECTED] 09/07/04 04:35PM 
  My surbl setup has been running fine up till 1:00 am this morning
 
  my setup is:
 
  SURBL   filter   d:\IMail\Declude\surbl\surbl.txt  x  20 0
 
  In the log file I now get:
 
  Tue 09/07/2004  5:15p Update failed [conversion error]
 
  Nothing has changed in my setup and the log file has 
 successful entries 
  for
  a very long time until now
 
  Anyone have any ideas?
 
  thank you
 
 
  Harry Vanderzand
  inTown Internet  Computer Services
  11 Belmont Ave. W.
  Kitchener, ON
  N2M 1L2
  519-741-1222
  Did you know we offer:
  - Province wide dial-up and high speed internet access
  - Web accessible email with anti-spam\antivirus protection
  - Computer hardware sales and service
  - Experienced website developers
 
 
 
 
  ---
  [This E-mail was scanned for viruses by Declude Virus
  (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
 
  ---
  [This E-mail was scanned for viruses by Declude Virus 
  (http://www.declude.com)]
 
  ---
  This E-mail came from the Declude.JunkMail mailing list.  To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type unsubscribe Declude.JunkMail.  The archives can be found
  at http://www.mail-archive.com.
  
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.
 

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an

[Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Harry Vanderzand

I am testing sniffer right now and wonder if I need to run all the other
tests along side it.

I am trying to reduce my daily workload of analyzing the spamtrap and hope
that sniffer and surbl will do this.

Do I even need surbl?

Any advice in this matter would be greatly appreciated.

Thanks in advance 

Harry Vanderzand 
inTown Internet  Computer Services 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Markus Gufler


 I am testing sniffer right now and wonder if I need to run 
 all the other tests along side it.
 
 I am trying to reduce my daily workload of analyzing the 
 spamtrap and hope that sniffer and surbl will do this.
 
 Do I even need surbl?

Do you have so much workload on your mailserver that you need to downsize
your spam-filter to one or two tests?

Maybe http://www2.spamchk.com/public.htm will give you some answer.

Markus


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Harry Vanderzand

I am getting service timeouts due mostly to all the declude instances of
traffic volume

I handle about 2 messages a day, most of them during business hours

I find that I accumulate declude processes that have consumed up to a minute
of cpu time only to be idle and just sit there

This also causes accumulated memory to be consumed

I have been rebooting this server about twice a week

I have also been spending time everyday adding to my filter files 

The server is a dual Xeon 2.4Ghz, 533 frontside bus with an Intel SATA raid
card running Raid 10

It has about 100 small web site that do not get much traffic

My goal is to reduce management time of the machine and to stabilize it so
the need to reboot it is lessened

I am prepared to put in a dual Xeon 3.4GH, etc but also want to make sure
that I do not overkill

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Wednesday, September 08, 2004 11:22 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Declude.JunkMail] Test needed along with sniffer
 
 
 
  I am testing sniffer right now and wonder if I need to run
  all the other tests along side it.
  
  I am trying to reduce my daily workload of analyzing the
  spamtrap and hope that sniffer and surbl will do this.
  
  Do I even need surbl?
 
 Do you have so much workload on your mailserver that you need 
 to downsize your spam-filter to one or two tests?
 
 Maybe http://www2.spamchk.com/public.htm will give you some answer.
 
 Markus
 
 
 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]
 
 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.
 
 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Scott Fisher

Sniffer is very good. It detected 47600 out of 49250 spam messages for me through Sept 
1-5.

The SURBL filter contains a lot of body filters and can be CPU intensive.



Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 09/08/04 10:13AM 
I am testing sniffer right now and wonder if I need to run all the other
tests along side it.

I am trying to reduce my daily workload of analyzing the spamtrap and hope
that sniffer and surbl will do this.

Do I even need surbl?

Any advice in this matter would be greatly appreciated.

Thanks in advance 

Harry Vanderzand 
inTown Internet  Computer Services 


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Pete McNeil

On Wednesday, September 8, 2004, 11:13:18 AM, Harry wrote:

HV I am testing sniffer right now and wonder if I need to run all the other
HV tests along side it.

Well, you can probably get by without the other tests, but since
you have Declude it would be MUCH better if you keep the other tests
in place. Declude's strength is that it allows you to aggregate a
variety of tests for greater accuracy. Sniffer is very, very good, but
you will certainly see some benefit by using it along with other
tests.

HV I am trying to reduce my daily workload of analyzing the spamtrap and hope
HV that sniffer and surbl will do this.

Sniffer is perfect for that - particularly if you share your spamtrap
data with us. Put another way, if you allow us to use your spamtrap
then we will be taking over this work for you. All we need is POP3
account information and some details on how your spamtrap was formed
so that we can properly classify it in our SPHUD (Spam Processing Heads Up
Display).

HV Do I even need surbl?

Probably not. One of the AI elements in our robots crossreferences
incoming spamtrap data with SURBL and other tests. More often than not
we have the domain tagged before we see it in SURBL, and if we don't
we grab it quickly.

HV Any advice in this matter would be greatly appreciated.

I recommend reviewing the Spam Test Quality Analysis:

http://www2.spamchk.com/public.html

You can use this to help tune your Declude configuration. I recommend
applying the forumula:

W = (a^2)100

Where (W) is the individual test weight (magnitude) based on test
accuracy and (a) is the accuracy measured in the analysis (SA =
spam-test accuracy, HA = ham-test accuracy). [ Regarding (magnitude),
ham tests generate negative weights and spam tests generate positive
weights. W will always be a positive value, so if you use an HA value
for (a) then you will want to apply a negative W as your weight in
Declude. ]

For example,

  SNIFFER SA = 0.95, so W = ((0.95)^2)*100 = 90.25, Weight = 90.

  FIVETEN-SRC SA = 0.59, so W = ((0.59)^2)*100 = 34.81, Weight = 35.

  NOLEGITCONTENT HA=0.38, so
W = ((0.38)^2)*100 = 14.44, Weight = -14

-- This test is measured when the test does not fail, so -14
   must go in second weight column, not the first.

If you use this analysis you should have your hold weight at or
about 100. If you set your hold weight lower than 100, you will
capture more spam at the risk of more false positives. If you set your
hold weight higher than 100 you will have fewer false positives and
more spam.

!! This is research in progress - these formulas appear to work very
well in preliminary testing. If you are already happy with your
weighting system then you should probably stick with that until this
theory has been tested further. !!
   
We are developing a utility to do this work automatically.
In the mean time, you can go through your test weights manually.
You shouldn't have to do this frequently.

Hope this helps,
_M



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Matt





Harry,

Sniffer is a great addition to any Declude setup, however your issues
are not due to just simply the size of your processors. We run a dual
1 GHz PIII system with RAID 5 and 5x10K Cheetahs, and we've managed to
exceed 90,000 messages a day with dual virus scanners, and we could
handle a bit more still. My thought is that you are either running a
ton of BODY filters, a very slow virus scanner/scanners, or you are
experiencing some form of I/O limitation. The idle processes also
suggest that maybe there is an issue and an upgrade to a more recent
version of Declude such as 1.79 or an interim release thereafter would
be a good idea and most around here run them.

You should be able to minimally do 10 times your current volume, so
keep looking and keep describing your environment and a solution will
likely come along.

Matt



Harry Vanderzand wrote:

  I am getting service timeouts due mostly to all the declude instances of
traffic volume

I handle about 2 messages a day, most of them during business hours

I find that I accumulate declude processes that have consumed up to a minute
of cpu time only to be idle and just sit there

This also causes accumulated memory to be consumed

I have been rebooting this server about twice a week

I have also been spending time everyday adding to my filter files 

The server is a dual Xeon 2.4Ghz, 533 frontside bus with an Intel SATA raid
card running Raid 10

It has about 100 small web site that do not get much traffic

My goal is to reduce management time of the machine and to stabilize it so
the need to reboot it is lessened

I am prepared to put in a dual Xeon 3.4GH, etc but also want to make sure
that I do not overkill

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 



  
  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, September 08, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Test needed along with sniffer





  I am testing sniffer right now and wonder if I need to run
all the other tests along side it.

I am trying to reduce my daily workload of analyzing the
"spamtrap" and hope that sniffer and surbl will do this.

Do I even need surbl?
  

Do you have so much workload on your mailserver that you need 
to downsize your spam-filter to one or two tests?

Maybe http://www2.spamchk.com/public.htm will give you some answer.

Markus


---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
type "unsubscribe Declude.JunkMail".  The archives can be 
found at http://www.mail-archive.com.



  
  

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

Re: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread support

Harry, 

We have a utility to let you know how well a specific test does in our log 
parser (DLAnalyzer).  The test is called the Test Breakdown Summary 
Report.  Essentially you can pick a certain test(s) and see which other 
tests fail along with them.  This report has helped us eliminate tests that 
performed the same as other tests. 

For example you can configure the report to summarize messages that failed 
Sniffer.  It will than show you what other tests failed on messages that 
also failed Sniffer.  You can get more granular by even excluding tests.  
For example: Show me which tests were triggered in conjunction with Sniffer, 
but did not fail XBL. 

Below is the link for a sample output from this report.
http://www.invariantsystems.com/dlanalyzer/testsamples/TestSummaryBreakdownR 
eport.html 

In the above report you can see that out of all messages that failed the 
weight30 test 85% of them also failed SPAMCOP and 63% failed XBL.. 

Darrell 


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log 
Parsers. 

Harry Vanderzand writes: 

I am testing sniffer right now and wonder if I need to run all the other
tests along side it. 

I am trying to reduce my daily workload of analyzing the spamtrap and hope
that sniffer and surbl will do this. 

Do I even need surbl? 

Any advice in this matter would be greatly appreciated. 

Thanks in advance  

Harry Vanderzand 
inTown Internet  Computer Services  

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Harry Vanderzand

Title: Message



thank 
you Matt,

I am 
running 179i16 so I may have another issue at hand 
here

I have 
42k myfilter file with every entry set to anywhere which essentially does a 
similar thing that surbl is doing. I mine the web info from them manually 
everyday.

I do 
it on my own account as my account attracts a tremendous amount of spam I guess 
because it has been around for 10 years. Whatever gets through to it after 
declude has been going into my filter file

I have 
surbl running with its 35k file

I have 
today eliminated my filter file and will likely eliminate surbl once I get the 
full version of sniffer going. So far I see no more going through as it is 
likely that surbl has been better at that process than me. 


I am 
starting to realize that these body filters are expensive in cpu 
cycles

I will 
share what I learn from all this

I 
appreciate your assistance. 
Harry Vanderzand inTown Internet  Computer Services 11 Belmont Ave. W.Kitchener, ONN2M 1L2519-741-1222Did you know we offer: - Province wide dial-up and high 
speed internet access - Web accessible email with anti-spam\antivirus 
protection- Computer hardware sales and service- Experienced website 
developers 

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of MattSent: Wednesday, September 08, 2004 3:56 
  PMTo: [EMAIL PROTECTED]Subject: Re: 
  [Declude.JunkMail] Test needed along with 
  snifferHarry,Sniffer is a great addition to any 
  Declude setup, however your issues are not due to just simply the size of your 
  processors. We run a dual 1 GHz PIII system with RAID 5 and 5x10K 
  Cheetahs, and we've managed to exceed 90,000 messages a day with dual virus 
  scanners, and we could handle a bit more still. My thought is that you 
  are either running a ton of BODY filters, a very slow virus scanner/scanners, 
  or you are experiencing some form of I/O limitation. The idle processes 
  also suggest that maybe there is an issue and an upgrade to a more recent 
  version of Declude such as 1.79 or an interim release thereafter would be a 
  good idea and most around here run them.You should be able to 
  minimally do 10 times your current volume, so keep looking and keep describing 
  your environment and a solution will likely come 
  along.MattHarry Vanderzand wrote:
  I am getting service timeouts due mostly to all the declude instances of
traffic volume

I handle about 2 messages a day, most of them during business hours

I find that I accumulate declude processes that have consumed up to a minute
of cpu time only to be idle and just sit there

This also causes accumulated memory to be consumed

I have been rebooting this server about twice a week

I have also been spending time everyday adding to my filter files 

The server is a dual Xeon 2.4Ghz, 533 frontside bus with an Intel SATA raid
card running Raid 10

It has about 100 small web site that do not get much traffic

My goal is to reduce management time of the machine and to stabilize it so
the need to reboot it is lessened

I am prepared to put in a dual Xeon 3.4GH, etc but also want to make sure
that I do not overkill

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 



  
-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Gufler
Sent: Wednesday, September 08, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Test needed along with sniffer




  I am testing sniffer right now and wonder if I need to run
all the other tests along side it.

I am trying to reduce my daily workload of analyzing the
"spamtrap" and hope that sniffer and surbl will do this.

Do I even need surbl?
  Do you have so much workload on your mailserver that you need 
to downsize your spam-filter to one or two tests?

Maybe http://www2.spamchk.com/public.htm will give you some answer.

Markus


---
[This E-mail was scanned for viruses by Declude Virus 
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To 
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
type "unsubscribe Declude.JunkMail".  The archives can be 
found at http://www.mail-archive.com.




---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  -- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/

RE: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Harry Vanderzand

Thank you very much.

I will absorb this and share what I learn

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
 Sent: Wednesday, September 08, 2004 2:00 PM
 To: Harry Vanderzand
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Test needed along with sniffer

 On Wednesday, September 8, 2004, 11:13:18 AM, Harry wrote:

 HV I am testing sniffer right now and wonder if I need to 
 run all the 
 HV other tests along side it.

 Well, you can probably get by without the other tests, but 
 since you have Declude it would be MUCH better if you keep 
 the other tests in place. Declude's strength is that it 
 allows you to aggregate a variety of tests for greater 
 accuracy. Sniffer is very, very good, but you will certainly 
 see some benefit by using it along with other tests.

 HV I am trying to reduce my daily workload of analyzing the 
 spamtrap 
 HV and hope that sniffer and surbl will do this.

 Sniffer is perfect for that - particularly if you share your 
 spamtrap data with us. Put another way, if you allow us to 
 use your spamtrap then we will be taking over this work for 
 you. All we need is POP3 account information and some details 
 on how your spamtrap was formed so that we can properly 
 classify it in our SPHUD (Spam Processing Heads Up Display).

 HV Do I even need surbl?

 Probably not. One of the AI elements in our robots 
 crossreferences incoming spamtrap data with SURBL and other 
 tests. More often than not we have the domain tagged before 
 we see it in SURBL, and if we don't we grab it quickly.

 HV Any advice in this matter would be greatly appreciated.

 I recommend reviewing the Spam Test Quality Analysis:

 http://www2.spamchk.com/public.html

 You can use this to help tune your Declude configuration. I 
 recommend applying the forumula:

 W = (a^2)100

 Where (W) is the individual test weight (magnitude) based on 
 test accuracy and (a) is the accuracy measured in the 
 analysis (SA = spam-test accuracy, HA = ham-test accuracy). [ 
 Regarding (magnitude), ham tests generate negative weights 
 and spam tests generate positive weights. W will always be a 
 positive value, so if you use an HA value for (a) then you 
 will want to apply a negative W as your weight in Declude. ]

 For example,

   SNIFFER SA = 0.95, so W = ((0.95)^2)*100 = 90.25, Weight = 90.

   FIVETEN-SRC SA = 0.59, so W = ((0.59)^2)*100 = 34.81, Weight = 35.

   NOLEGITCONTENT HA=0.38, so
 W = ((0.38)^2)*100 = 14.44, Weight = -14

 -- This test is measured when the test does not fail, so -14
must go in second weight column, not the first.

 If you use this analysis you should have your hold weight 
 at or about 100. If you set your hold weight lower than 100, 
 you will capture more spam at the risk of more false 
 positives. If you set your hold weight higher than 100 you 
 will have fewer false positives and more spam.

 !! This is research in progress - these formulas appear to 
 work very well in preliminary testing. If you are already 
 happy with your weighting system then you should probably 
 stick with that until this theory has been tested further. !!

 We are developing a utility to do this work automatically.
 In the mean time, you can go through your test weights 
 manually. You shouldn't have to do this frequently.

 Hope this helps,
 _M

 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Harry Vanderzand

Thank you, I will try the report out.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of support
 Sent: Wednesday, September 08, 2004 4:06 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Declude.JunkMail] Test needed along with sniffer

 Harry, 

 We have a utility to let you know how well a specific test 
 does in our log 
 parser (DLAnalyzer).  The test is called the Test Breakdown Summary 
 Report.  Essentially you can pick a certain test(s) and see 
 which other 
 tests fail along with them.  This report has helped us 
 eliminate tests that 
 performed the same as other tests. 

 For example you can configure the report to summarize 
 messages that failed 
 Sniffer.  It will than show you what other tests failed on 
 messages that 
 also failed Sniffer.  You can get more granular by even 
 excluding tests.  
 For example: Show me which tests were triggered in 
 conjunction with Sniffer, 
 but did not fail XBL. 

 Below is the link for a sample output from this report. 
 http://www.invariantsystems.com/dlanalyzer/testsamples/TestSum
 maryBreakdownR 
 eport.html 

 In the above report you can see that out of all messages that 
 failed the 
 weight30 test 85% of them also failed SPAMCOP and 63% failed XBL.. 

 Darrell 

 --
 --
 Check out http://www.invariantsystems.com for utilities for 
 Declude And 
 Imail.  IMail/Declude Overflow Queue Monitoring, MRTG 
 Integration, and Log 
 Parsers. 

 Harry Vanderzand writes: 

  I am testing sniffer right now and wonder if I need to run all the 
  other tests along side it.

  I am trying to reduce my daily workload of analyzing the spamtrap 
  and hope that sniffer and surbl will do this.

  Do I even need surbl?

  Any advice in this matter would be greatly appreciated.

  Thanks in advance

  Harry Vanderzand
  inTown Internet  Computer Services  

  ---
  [This E-mail was scanned for viruses by Declude Virus 
  (http://www.declude.com)]

  ---
  This E-mail came from the Declude.JunkMail mailing list.  To 
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
  unsubscribe Declude.JunkMail.  The archives can be found at 
  http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus 
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To 
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
 type unsubscribe Declude.JunkMail.  The archives can be 
 found at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Scott Fisher

I don't know if your filters have a SKIPIFWEIGHT line. You can add a SKIPIFWEIGHT that 
will bypass the filters that enter that filter with a high spam weight. This should 
get you to bypass lots of e-mail. This probably causes me to skip 75-80% of the most 
obvious spam.

I also have a TESTSFAILED END line for items that are psuedo-whitelisted from 
friendlier sites. This probably forces the body filters to be skipped on about 7-8% of 
the mostly non-spam messages.

This leaves the battleground of about 10 to 15% of the messages that need to have body 
filters applied.

I also put my body filters last in the global.cfg. So the quicker 
HELO/MAILFROM/SUBJECT/COUNTRY filters are run first.

Scott Fisher
Director of IT
Farm Progress Companies

 [EMAIL PROTECTED] 09/08/04 04:16PM 
thank you Matt,
 
I am running 179i16 so I may have another issue at hand here
 
I have 42k myfilter file with every entry set to anywhere which essentially
does a similar thing that surbl is doing.  I mine the web info from them
manually everyday.
 
I do it on my own account as my account attracts a tremendous amount of spam
I guess because it has been around for 10 years.  Whatever gets through to
it after declude has been going into my filter file
 
I have surbl running with its 35k file
 
I have today eliminated my filter file and will likely eliminate surbl once
I get the full version of sniffer going.  So far I see no more going through
as it is likely that surbl has been better at that process than me.  
 
I am starting to realize that these body filters are expensive in cpu cycles
 
I will share what I learn from all this
 
I appreciate your assistance.  

Harry Vanderzand 
inTown Internet  Computer Services 
11 Belmont Ave. W.
Kitchener, ON
N2M 1L2
519-741-1222
Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, September 08, 2004 3:56 PM
To: [EMAIL PROTECTED] 
Subject: Re: [Declude.JunkMail] Test needed along with sniffer


Harry,

Sniffer is a great addition to any Declude setup, however your issues are
not due to just simply the size of your processors.  We run a dual 1 GHz
PIII system with RAID 5 and 5x10K Cheetahs, and we've managed to exceed
90,000 messages a day with dual virus scanners, and we could handle a bit
more still.  My thought is that you are either running a ton of BODY
filters, a very slow virus scanner/scanners, or you are experiencing some
form of I/O limitation.  The idle processes also suggest that maybe there is
an issue and an upgrade to a more recent version of Declude such as 1.79 or
an interim release thereafter would be a good idea and most around here run
them.

You should be able to minimally do 10 times your current volume, so keep
looking and keep describing your environment and a solution will likely come
along.

Matt



Harry Vanderzand wrote:


I am getting service timeouts due mostly to all the declude instances of

traffic volume



I handle about 2 messages a day, most of them during business hours



I find that I accumulate declude processes that have consumed up to a minute

of cpu time only to be idle and just sit there



This also causes accumulated memory to be consumed



I have been rebooting this server about twice a week



I have also been spending time everyday adding to my filter files 



The server is a dual Xeon 2.4Ghz, 533 frontside bus with an Intel SATA raid

card running Raid 10



It has about 100 small web site that do not get much traffic



My goal is to reduce management time of the machine and to stabilize it so

the need to reboot it is lessened



I am prepared to put in a dual Xeon 3.4GH, etc but also want to make sure

that I do not overkill



Harry Vanderzand 

inTown Internet  Computer Services 

11 Belmont Ave. W.

Kitchener, ON

N2M 1L2

519-741-1222

Did you know we offer: 

- Province wide dial-up and high speed internet access 

- Web accessible email with anti-spam\antivirus protection

- Computer hardware sales and service

- Experienced website developers 







  

-Original Message-

From: [EMAIL PROTECTED] 

[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler

Sent: Wednesday, September 08, 2004 11:22 AM

To: [EMAIL PROTECTED] 

Subject: RE: [Declude.JunkMail] Test needed along with sniffer









I am testing sniffer right now and wonder if I need to run

all the other tests along side it.



I am trying to reduce my daily workload of analyzing the

spamtrap and hope that sniffer and surbl will do this.



Do I even need surbl?

  

Do you have so much workload on your mailserver that you need 

to downsize your spam-filter to one or two tests?



Maybe http://www2.spamchk.com/public.htm will give you some answer.



Markus





---

[This E-mail

Re: [Declude.JunkMail] Test needed along with sniffer

2004-09-08 Thread Matt





Harry,

I use SURBL myself in addition to 85 other filter files, for a total of
265 KB of filters. Probably only 20% of them are BODY filter lines
though, and I don't think I have any ANYWHERE filters in use. I
consider our installation to be heavy, but I have spent a lot of time
making it efficient.

I think what you should do is tier your spam blocking by weight. We
operate a Hold and a Drop range, and when something hits the Drop
weight we stop processing filters on it. Over 80% of the spam never
runs our custom filters and that has saved us an enormous amount of CPU
cycles. You would do this with the SKIPIFWEIGHT setting in the top of
every custom filter file. We Hold starting at a score of 10 (mostly 13
though) and Drop at a score of 25. We manage to get 98% of the spam to
land in our Drop range which we don't review at all. Our false
positive rate in the Drop range is far less than 1 in 10,000, and
typically results from widely blacklisted sources that no one complains
about. I am only aware of about 3 FP's to land in this range over the
last year. More importantly, it allows us to focus on the  2% that
lands in our Hold range where we typically find about 2 to 3 FP's per
100 messages that land in there, though most of that is what we
consider to be legitimate advertising or newsletters from mixed sources.

I highly recommend that you focus on adding SKIPIFWEIGHT to your
filters and tiering your scoring and actions appropriately. It is
generally safe to toss what scores 3 times your hold weight, though
some filter architectures can enhance false positives and it is
important to limit incidences where the same FP issue can trip multiple
filters.

Matt


Harry Vanderzand wrote:

  Message
  
  
  thank you Matt,
  
  I am running 179i16 so I may have another issue at
hand here
  
  I have 42k myfilter file with every entry set to
anywhere which essentially does a similar thing that surbl is doing. I
mine the web info from them manually everyday.
  
  I do it on my own account as my account attracts
a tremendous amount of spam I guess because it has been around for 10
years. Whatever gets through to it after declude has been going into
my filter file
  
  I have surbl running with its 35k file
  
  I have today eliminated my filter file and will
likely eliminate surbl once I get the full version of sniffer going.
So far I see no more going through as it is likely that surbl has been
better at that process than me. 
  
  I am starting to realize that these body filters
are expensive in cpu cycles
  
  I will share what I learn from all this
  
  I appreciate your assistance. 
  Harry Vanderzand 
  inTown Internet  Computer Services
  
  11 Belmont Ave. W.
  Kitchener, ON
N2M 1L2
519-741-1222
  Did you know we offer: 
- Province wide dial-up and high speed internet access 
- Web accessible email with anti-spam\antivirus protection
- Computer hardware sales and service
- Experienced website developers 
  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, September 08, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Test needed along with
sniffer


Harry,

Sniffer is a great addition to any Declude setup, however your issues
are not due to just simply the size of your processors. We run a dual
1 GHz PIII system with RAID 5 and 5x10K Cheetahs, and we've managed to
exceed 90,000 messages a day with dual virus scanners, and we could
handle a bit more still. My thought is that you are either running a
ton of BODY filters, a very slow virus scanner/scanners, or you are
experiencing some form of I/O limitation. The idle processes also
suggest that maybe there is an issue and an upgrade to a more recent
version of Declude such as 1.79 or an interim release thereafter would
be a good idea and most around here run them.

You should be able to minimally do 10 times your current volume, so
keep looking and keep describing your environment and a solution will
likely come along.

Matt



Harry Vanderzand wrote:

  I am getting service timeouts due mostly to all the declude instances of
traffic volume

I handle about 2 messages a day, most of them during business hours

I find that I accumulate declude processes that have consumed up to a minute
of cpu time only to be idle and just sit there

This also causes accumulated memory to be consumed

I have been rebooting this server about twice a week

I have also been spending time everyday adding to my filter files 

The server is a dual Xeon 2.4Ghz, 533 frontside bus with an Intel SATA raid
card running Raid 10

It has about 100 small web site that do not get much traffic

My goal is to reduce management time of the machine and to stabilize it so
the need to reboot it is lessened

I am prepared to put in a dual Xeon 3.4GH, etc but also want to make sure
that I do not overkill

Harry Vanderzand 
inTown Internet  Computer

[Declude.JunkMail] 100% CPU

2004-09-08 Thread Richard Farris

Over the last 24 hrs it seems my server has been working overtime processing
messages...I was at constant 100%...I tried downloading the latest interim
1.79i16 and that didn't help...I turned off and reloaded Sortomonster files
and that didnt helpI took out all my IMAIL rules (rules.ima) which had a
lot of Body rules (about 40)  and that helped tremendouslyso I guess I
will leave them out..however it does seem to still be pegging 100% quite a
bit..

I guess my question is why all of a sudden without changing anything did my
NT server peg out...I had not updated my rules.ima in a while...and how can
I see what is taking so much resources...The task manager moves so fast I
cant see what is what...I do see a lot of Declude running but I think that
is normal?

Any hints to where I could look to get back more resources would be
appreciated..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 100% CPU

2004-09-08 Thread Darin Cox

What processes are using the most CPU?
What's are the message counts in your IMail spool?
Are you perhaps experiencing dictionary attacks?

Darin.

- Original Message - 
From: Richard Farris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 8:44 PM
Subject: [Declude.JunkMail] 100% CPU

Over the last 24 hrs it seems my server has been working overtime processing
messages...I was at constant 100%...I tried downloading the latest interim
1.79i16 and that didn't help...I turned off and reloaded Sortomonster files
and that didnt helpI took out all my IMAIL rules (rules.ima) which had a
lot of Body rules (about 40)  and that helped tremendouslyso I guess I
will leave them out..however it does seem to still be pegging 100% quite a
bit..

I guess my question is why all of a sudden without changing anything did my
NT server peg out...I had not updated my rules.ima in a while...and how can
I see what is taking so much resources...The task manager moves so fast I
cant see what is what...I do see a lot of Declude running but I think that
is normal?

Any hints to where I could look to get back more resources would be
appreciated..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 100% CPU

2004-09-08 Thread Richard Farris

I see from previous messages it is a good idea to use SKIPIFWEIGHT
Where do I put this and what is a good number to put in there..
I hold at 9 and delete at 18...

How can you tell if you are under a dictionary attack...thru the routers?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

- Original Message - 
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 8:03 PM
Subject: Re: [Declude.JunkMail] 100% CPU


 What processes are using the most CPU?
 What's are the message counts in your IMail spool?
 Are you perhaps experiencing dictionary attacks?

 Darin.


 - Original Message - 
 From: Richard Farris [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, September 08, 2004 8:44 PM
 Subject: [Declude.JunkMail] 100% CPU


 Over the last 24 hrs it seems my server has been working overtime
processing
 messages...I was at constant 100%...I tried downloading the latest interim
 1.79i16 and that didn't help...I turned off and reloaded Sortomonster
files
 and that didnt helpI took out all my IMAIL rules (rules.ima) which had
a
 lot of Body rules (about 40)  and that helped tremendouslyso I guess I
 will leave them out..however it does seem to still be pegging 100% quite a
 bit..

 I guess my question is why all of a sudden without changing anything did
my
 NT server peg out...I had not updated my rules.ima in a while...and how
can
 I see what is taking so much resources...The task manager moves so fast I
 cant see what is what...I do see a lot of Declude running but I think that
 is normal?

 Any hints to where I could look to get back more resources would be
 appreciated..

 Richard Farris
 Ethixs Online
 1.270.247. Office
 1.800.548.3877 Tech Support
 Crossroads to a Cleaner Internet

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] Skip if weight

2004-09-08 Thread Matt Goodhue









Hi All,



I just learned about this skipifweight command that I can
add to my filters I have built. This is very cool for the message searches.
Makes sense not to run tests if it is already known spam. 



My question is can this be applied to other tests? For
example spamchk.exe? Or if I could group some of my IP4R tests together, and
the message has already hit a certain weight before those IP4R lookups, could I
have declude skip those tests to save CPU time? If so, what would the syntax be?



Thanks.
Matt Goodhue

Re: [Declude.JunkMail] 100% CPU

2004-09-08 Thread Darin Cox

For dictionary attacks you'll see a lot of 1k T* and D* matching files in
your spool directory.  If you view the T* files they'll have a lot of made
up email addresses in one of your domains.  The D* files will most likely
have nothing more than the first line or two of the header.

Bottom line...look at the files in your spool and it will be obvious.

Darin.


- Original Message - 
From: Richard Farris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 9:22 PM
Subject: Re: [Declude.JunkMail] 100% CPU


I see from previous messages it is a good idea to use SKIPIFWEIGHT
Where do I put this and what is a good number to put in there..
I hold at 9 and delete at 18...

How can you tell if you are under a dictionary attack...thru the routers?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
Crossroads to a Cleaner Internet

- Original Message - 
From: Darin Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 8:03 PM
Subject: Re: [Declude.JunkMail] 100% CPU


 What processes are using the most CPU?
 What's are the message counts in your IMail spool?
 Are you perhaps experiencing dictionary attacks?

 Darin.


 - Original Message - 
 From: Richard Farris [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, September 08, 2004 8:44 PM
 Subject: [Declude.JunkMail] 100% CPU


 Over the last 24 hrs it seems my server has been working overtime
processing
 messages...I was at constant 100%...I tried downloading the latest interim
 1.79i16 and that didn't help...I turned off and reloaded Sortomonster
files
 and that didnt helpI took out all my IMAIL rules (rules.ima) which had
a
 lot of Body rules (about 40)  and that helped tremendouslyso I guess I
 will leave them out..however it does seem to still be pegging 100% quite a
 bit..

 I guess my question is why all of a sudden without changing anything did
my
 NT server peg out...I had not updated my rules.ima in a while...and how
can
 I see what is taking so much resources...The task manager moves so fast I
 cant see what is what...I do see a lot of Declude running but I think that
 is normal?

 Any hints to where I could look to get back more resources would be
 appreciated..

 Richard Farris
 Ethixs Online
 1.270.247. Office
 1.800.548.3877 Tech Support
 Crossroads to a Cleaner Internet

 ---
 [This E-mail was scanned for viruses by Declude Virus
 (http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.

 ---
 [This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

 ---
 This E-mail came from the Declude.JunkMail mailing list.  To
 unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
 type unsubscribe Declude.JunkMail.  The archives can be found
 at http://www.mail-archive.com.



---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] 100% CPU

2004-09-08 Thread Matt





If you delete on an 18 then that is where you should set your
SKIPIFWEIGHT. This should be the first non-commented entry in your
filter file. These can only be used currently in "filter" type filters
and nothing else.

As far as dictionary attacks go, they are very, very common but they
come in two varieties. One uses common names and uses only about 200
addresses while the other type uses tens of thousands and you can tell
this type by the types of addresses being used, such as
[EMAIL PROTECTED], which isn't common. Both typically send to
about 5 addresses per message and you can figure this out in your log
files with the JunkMail log being the easiest to identify the patterns
since all the addresses are on one line. If you are only scanning what
you host, turning off the nobody aliases will become the best way to
stop it from overwhelming your server because IMail will reject the
addresses at the SMTP handshake instead of sending them on to Declude
for costly processing with virus scanners and filters.

Matt



Richard Farris wrote:

  I see from previous messages it is a good idea to use SKIPIFWEIGHT
Where do I put this and what is a good number to put in there..
I hold at 9 and delete at 18...

How can you tell if you are under a dictionary attack...thru the routers?

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

- Original Message - 
From: "Darin Cox" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 8:03 PM
Subject: Re: [Declude.JunkMail] 100% CPU


  
  
What processes are using the most CPU?
What's are the message counts in your IMail spool?
Are you perhaps experiencing dictionary attacks?

Darin.


- Original Message - 
From: "Richard Farris" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 8:44 PM
Subject: [Declude.JunkMail] 100% CPU


Over the last 24 hrs it seems my server has been working overtime

  
  processing
  
  
messages...I was at constant 100%...I tried downloading the latest interim
1.79i16 and that didn't help...I turned off and reloaded Sortomonster

  
  files
  
  
and that didnt helpI took out all my IMAIL rules (rules.ima) which had

  
  a
  
  
lot of Body rules (about 40)  and that helped tremendouslyso I guess I
will leave them out..however it does seem to still be pegging 100% quite a
bit..

I guess my question is why all of a sudden without changing anything did

  
  my
  
  
NT server peg out...I had not updated my rules.ima in a while...and how

  
  can
  
  
I see what is taking so much resources...The task manager moves so fast I
cant see what is what...I do see a lot of Declude running but I think that
is normal?

Any hints to where I could look to get back more resources would be
appreciated..

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
[This E-mail was scanned for viruses by Declude Virus

  
  (http://www.declude.com)]
  
  
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



  
  
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


  


-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=

RE: [Declude.JunkMail] Skip if weight

2004-09-08 Thread John Tolmachoff \(Lists\)









IP4R tests are run before filter tests.



Resource wise, IP4R tests cost less than
filters.





John Tolmachoff

Engineer/Consultant/Owner

eServices For You







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Goodhue
Sent: Wednesday,
 September 08, 2004 6:25 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Skip
if weight



Hi All,



I just learned about this skipifweight command that I can
add to my filters I have built. This is very cool for the message
searches. Makes sense not to run tests if it is already known spam.




My question is can this be applied to other tests? For
example spamchk.exe? Or if I could group some of my IP4R tests together,
and the message has already hit a certain weight before those IP4R lookups,
could I have declude skip those tests to save CPU time? If so, what would the
syntax be?



Thanks.
Matt Goodhue

RE: [Declude.JunkMail] SURBL issue

RE: [Declude.JunkMail] SURBL issue

Re: [Declude.JunkMail] SURBL issue

RE: [Declude.JunkMail] SURBL issue

[Declude.JunkMail] Test needed along with sniffer

RE: [Declude.JunkMail] Test needed along with sniffer

RE: [Declude.JunkMail] Test needed along with sniffer

Re: [Declude.JunkMail] Test needed along with sniffer

Re: [Declude.JunkMail] Test needed along with sniffer

Re: [Declude.JunkMail] Test needed along with sniffer

Re: [Declude.JunkMail] Test needed along with sniffer

RE: [Declude.JunkMail] Test needed along with sniffer

RE: [Declude.JunkMail] Test needed along with sniffer

RE: [Declude.JunkMail] Test needed along with sniffer

RE: [Declude.JunkMail] Test needed along with sniffer

Re: [Declude.JunkMail] Test needed along with sniffer

[Declude.JunkMail] 100% CPU

Re: [Declude.JunkMail] 100% CPU

Re: [Declude.JunkMail] 100% CPU

[Declude.JunkMail] Skip if weight

Re: [Declude.JunkMail] 100% CPU

Re: [Declude.JunkMail] 100% CPU

RE: [Declude.JunkMail] Skip if weight

23 matches

Site Navigation

Mail list logo

Footer information