Re[2]: [Declude.JunkMail] Cutting down on DNS
> Humans notice, because the traffic runs through a perimeter firewall
> that checks port 53 traffic against its Intrusion Protection
> profiles (amongst other things). Lately, during periods of heavy
> activity it's been ramping up the CPU and memory of the perimeter
> firewall. I've noticed moments of sluggishness as a result.

If you have 250,000 messages, each one does 10 lookups -- 2.5 million remote lookups on its own is not overwhelming (of course, depending on your raw upstream/downstream bandwidth, but I presume you have that limit covered). But 250,000 daily queries to an individual BL will likely exceed their limits if they have one: overages may be timed out or throttled down, adversely (and purposely) affecting the number of attempted and simultaneous outbound connections.

What is the firewall model? What's the rated max UDP connections? The rated max for wire-speed IPS inspection? Do these effects, in other words, simply jibe with your use of a lowish-end firewall to do egress filtering on some rather chatty servers? If the results are not what you would expect from your hardware, do you have some setting that is leaving connections open for too long? A too-deep inspection profile being applied to these servers? If push comes to shove, what about giving these machines their own dedicated IPS and not filtering on the main unit?

> My two declude servers probably handle about 250k messages per day, but
> around 90% of that is eliminated as waste. This waste still consumes
> bandwidth and DNS connections.

Well, of course... if it didn't take DNS connections, you wouldn't know it's waste (with the exception of those BL lookups which are redundant with other tests or which rarely find listings -- and those are lookups you should eliminate).

> Yes, I run local DNS on the Declude Machines, but I've noticed that
> the caching isn't all that effective. To the perimeter firewall, a
> lookup is a lookup, no matter what resource asked for it.

When a result is in the local DNS cache, there is no remote lookup, so nothing goes through the firewall. Can you check the size of the cache throughout the day and verify that you haven't turned something off so that lookups are being passed through and not cached? It is of course possible that you have few IPs that reconnect before their TTLs expire, but that should be verified. And my other recommendation stands -- look into which BLs will let you replicate their zone/s locally.

--Sandy

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
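The two points Sandy makes above (cache hit rate depends on whether IPs reconnect before the TTL expires, and a single BL can hit a daily query budget while another BL rarely lists anything) can be measured rather than guessed. The script below is an added example, not code from the thread, from Declude, or from any BL operator. It replays a constructed day of connections through a TTL cache that stands in for the local caching resolver, issuing one reversed-octet query per configured zone per connecting IP. The zone names, TTLs, daily budgets, listing rules and the traffic sample are all constructed, and the cache is assumed to keep negative answers for the same TTL as positive ones.

```python
"""Estimate how many DNSBL lookups actually leave the box once a local
caching resolver sits in front of them.

Added example; not code from the thread, from Declude, or from any BL
operator. Each connecting IP is checked against every configured BL zone
(one query per zone). A TTL cache models the local resolver. Zone names,
TTLs, daily query budgets, listing rules and traffic are constructed.
"""
import ipaddress

ZONES = ["bl-a.example", "bl-b.example", "bl-c.example"]            # constructed
TTL_BY_ZONE = {"bl-a.example": 3600, "bl-b.example": 300, "bl-c.example": 3600}
DAILY_LIMIT = {"bl-a.example": 5000, "bl-b.example": 1000}           # bl-c: none stated


def dnsbl_qname(ip, zone):
    """Build the reversed-octet query name, e.g. 58.7.104.189.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def constructed_lister(zone, ip):
    """Stand-in for each BL's real answer: which IPs the zone lists."""
    last = int(ip.rsplit(".", 1)[1])
    if zone == "bl-a.example":
        return last % 2 == 0
    if zone == "bl-b.example":
        return last % 10 == 0
    return False                          # bl-c.example never lists anything


def constructed_traffic():
    """One day of connections as (seconds_since_midnight, client_ip)."""
    conns = []
    # five chatty hosts that reconnect every 10 minutes all day
    for k in range(5):
        ip = f"192.0.2.{k + 1}"
        conns.extend((t, ip) for t in range(0, 86400, 600))
    # a thousand one-off hosts, each seen exactly once
    base = ipaddress.IPv4Address("10.0.0.0")
    conns.extend((k * 86, str(base + k)) for k in range(1000))
    return sorted(conns)


def simulate(connections, zones=ZONES, ttl_by_zone=TTL_BY_ZONE,
             lister=constructed_lister):
    """Replay connections through a TTL cache; return per-zone counters.

    queries: lookups the filter asked for
    remote:  lookups that missed the cache and went out through the firewall
    listed:  lookups whose answer was a listing
    """
    cache = {}                                        # qname -> expiry time
    stats = {z: {"queries": 0, "remote": 0, "listed": 0} for z in zones}
    for t, ip in connections:
        for z in zones:
            q = dnsbl_qname(ip, z)
            s = stats[z]
            s["queries"] += 1
            if cache.get(q, -1) <= t:                 # miss, or entry expired
                s["remote"] += 1
                cache[q] = t + ttl_by_zone[z]
            if lister(z, ip):
                s["listed"] += 1
    return stats


def review(stats, daily_limit=DAILY_LIMIT, min_listing_rate=0.01):
    """Flag zones that would exceed their daily budget or rarely list anything."""
    issues = {}
    for z, s in stats.items():
        found = []
        if z in daily_limit and s["remote"] > daily_limit[z]:
            found.append("over_daily_limit")
        if s["queries"] and s["listed"] / s["queries"] < min_listing_rate:
            found.append("rarely_lists")
        issues[z] = found
    return issues


def run_example():
    stats = simulate(constructed_traffic())
    return stats, review(stats)


if __name__ == "__main__":
    stats, issues = run_example()
    for z in ZONES:
        s = stats[z]
        print(f"{z:14} queries={s['queries']:5} remote={s['remote']:5} "
              f"cache_hit={1 - s['remote'] / s['queries']:.0%} "
              f"listed={s['listed']:4} issues={issues[z]}")
```

With the constructed traffic, the zone whose TTL is shorter than the chatty hosts' reconnect interval gets no cache benefit at all and blows through its budget, while the zone that never lists anything shows up as a candidate for removal; swapping in a real query log and the TTLs your resolver actually sees gives the same two answers for a production box.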
RE: [Declude.JunkMail] Cutting down on DNS
Humans notice, because the traffic runs through a perimeter firewall that checks port 53 traffic against its Intrusion Protection profiles (amongst other things). Lately, during periods of heavy activity it's been ramping up the CPU and memory of the perimeter firewall. I've noticed moments of sluggishness as a result.

My two declude servers probably handle about 250k messages per day, but around 90% of that is eliminated as waste. This waste still consumes bandwidth and DNS connections.

During those periods of heavy activity, there are about 30k connections through the firewall, and it seems that half of them, I'm guessing, are wasted DNS lookups. I'm guessing this because filtering the connections reveals heavy port 53 activity on the Declude servers.

Yes, I run local DNS on the Declude Machines, but I've noticed that the caching isn't all that effective. To the perimeter firewall, a lookup is a lookup, no matter what resource asked for it.

...unless I just don't understand, in which case I welcome being tapped into place.

-- Michael

-----Original Message-----
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Sanford Whiteman
Sent: Monday, July 06, 2009 8:49 PM
To: Michael Cummins
Subject: Re: [Declude.JunkMail] Cutting down on DNS

> My declude boxes are really driving DNS traffic up, loads.

As in "humans notice" or as in "my SNMP monitors notice"... is this actually negatively impacting performance of DNS or any other service? Do you run local caching DNS (I hope so)? The other thing to look into is zone transfers for eligible BLs.

--Sandy
Re: [Declude.JunkMail] Cutting down on DNS
> My declude boxes are really driving DNS traffic up, loads.

As in "humans notice" or as in "my SNMP monitors notice"... is this actually negatively impacting performance of DNS or any other service? Do you run local caching DNS (I hope so)? The other thing to look into is zone transfers for eligible BLs.

--Sandy

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] Whitelisting Bug?
Hi Mark,

Are you certain the user does not have their own address in their webmail address book? This looks like a typical problem where users have their own email address in the address book. Removing their email address and explaining to them why they should avoid putting in their own address (i.e. forging spam often forges the address being sent to as the FROM address as well) usually fixes it.

Darin.

----- Original Message -----
From: "Mark Strother"
To:
Cc: "Mark Strother"
Sent: Monday, July 06, 2009 7:13 PM
Subject: [Declude.JunkMail] Whitelisting Bug?

In the past week I've seen a lot of mail whitelisted that shouldn't be. We have autowhitelist and whitelist - auth enabled. I understand that should whitelist mail that is sent using SMTP auth or if the sender is in the user's SmarterMail address book. In every case I've seen SMTP auth was not used and the sender is not listed in the recipient's address book. Can anyone help out?

Below is a sample header. We've had several complaints, all from different domains, and in each case the headers look similar. The from and to address are the same and in every case the emails have an X-Rcpt-To field pointing to another user within the domain.

--
Return-Path:
Received: from 189104007058.user.veloxzone.com.br [189.104.7.58] by mx2.pacificonline.com with SMTP; Sun, 28 Jun 2009 12:06:38 -0700
Message-ID:
From: "Medicines"
Reply-To: "Medicines"
To: k...@domainremoved.com
Subject: Useful potions, approved pilules
Date: Mon, 29 Jun 2009 02:05:33 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-=549_9341_6L951C50.68SC114N"
X-Priority: 3
X-MSMail-Priority: Normal
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: CBL: "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=189.104.7.58";
X-RBL-Warning: SPAMCOP: "Blocked - see http://www.spamcop.net/bl.shtml?189.104.7.58";
X-RBL-Warning: UCEPROTECT-1: "IP 189.104.7.58 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: UCEPROTECT-2: "Net 189.104.0.0/19 is UCEPROTECT-Level2 listed because 552 abusers are hosted by Telecomunicacoes da Bahia S.A./AS7738 there. See: http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: UCEPROTECT-3: "Your ISP Telecomunicacoes da Bahia S.A./AS7738 is UCEPROTECT-Level3 listed for hosting a total of 100857 abusers. See: http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: BCC: 13 Bcc:'s detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-Declude-Sender: k...@domainremoved.com [189.104.7.58]
X-Declude-RefID: str=0001.0A010204.4A47BD36.0135,ss=4,sh,fgs=0
X-Declude-Note: Incoming Msg Scanned by Declude 4.6.35
X-Declude-Score: [0]
X-Declude-Fail: Whitelisted
X-Country-Chain: BRAZIL->destination
X-Rcpt-To:
X-SmarterMail-Spam: DK_None, Declude: 0
X-SmarterMail-TotalSpamWeight: 0
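The pattern Darin describes (From forged to the recipient's own address, which then matches the recipient's own address-book entry) can be audited from the headers Declude already writes, and the whitelist rule itself can be tightened so an address-book match on the recipient's own address no longer counts. The script below is an added example, not code from the thread, from Declude or from SmarterMail. The header block is constructed, modelled on the sample in Mark's post but with placeholder addresses and documentation IPs; the `authenticated` flag and the `TRUSTED_NETS` list are assumptions, since where the real SMTP-auth signal comes from depends on the mail server.

```python
"""Audit Declude-style headers for the self-addressed forgery pattern and
show a stricter address-book whitelist rule.

Added example; not code from the thread, from Declude or from SmarterMail.
The headers are constructed. The "authenticated" flag and TRUSTED_NETS are
assumptions standing in for the mail server's real auth and relay data.
"""
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import getaddresses

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our own relays

SAMPLE_HEADERS = """\
Return-Path: <kim@example.com>
Received: from host-58.isp.example [198.51.100.58] by mx.example.com with SMTP; Sun, 28 Jun 2009 12:06:38 -0700
From: "Medicines" <kim@example.com>
Reply-To: "Medicines" <kim@example.com>
To: kim@example.com
Subject: Useful potions, approved pilules
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: CBL: "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=198.51.100.58";
X-RBL-Warning: BCC: 13 Bcc:'s detected.
X-Declude-Sender: kim@example.com [198.51.100.58]
X-Declude-Score: [0]
X-Declude-Fail: Whitelisted
X-Rcpt-To: joe@example.com
"""


def parse_headers(raw):
    return HeaderParser().parsestr(raw, headersonly=True)


def source_ip(msg):
    """First bracketed IPv4 literal in the top Received: header, or None."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_NETS)


def audit(raw, authenticated=False):
    """Return (suspicious, findings) for one message's headers.

    suspicious is True when From is also a recipient, the message came from
    outside without SMTP auth, and Declude still recorded it as whitelisted.
    """
    msg = parse_headers(raw)
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", []))]
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("X-Rcpt-To", []))}
    findings = []
    if senders and senders[0] in rcpts:
        findings.append("from_equals_recipient")
    if not authenticated and not is_trusted(source_ip(msg)):
        findings.append("external_unauthenticated")
    rbl = msg.get_all("X-RBL-Warning") or []
    if rbl:
        findings.append(f"rbl_hits={len(rbl)}")
    if (msg.get("X-Declude-Fail") or "").strip().lower() == "whitelisted":
        findings.append("whitelisted")
    needed = {"from_equals_recipient", "external_unauthenticated", "whitelisted"}
    return needed <= set(findings), findings


def naive_addressbook_whitelist(sender, recipient, address_book):
    """Mirrors what the thread reports: any address-book match whitelists."""
    return sender.lower() in address_book


def strict_addressbook_whitelist(sender, recipient, address_book, authenticated):
    """Only SMTP auth vouches for mail that claims to come from the recipient."""
    sender = sender.lower()
    if authenticated:
        return True
    if sender == recipient.lower():        # the user's own entry proves nothing
        return False
    return sender in address_book


if __name__ == "__main__":
    suspicious, findings = audit(SAMPLE_HEADERS)
    print("suspicious:", suspicious, findings)
    book = {"kim@example.com"}             # the user saved their own address
    print("naive :", naive_addressbook_whitelist("kim@example.com", "kim@example.com", book))
    print("strict:", strict_addressbook_whitelist("kim@example.com", "kim@example.com", book, False))
```

Running `audit` over a day's worth of archived headers gives a list of whitelisted messages to review, and the `strict_addressbook_whitelist` rule closes the hole Darin points at without removing the address-book feature for everyone else.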
[Declude.JunkMail] Whitelisting Bug?
In the past week I've seen a lot of mail whitelisted that shouldn't be. We have autowhitelist and whitelist - auth enabled. I understand that should whitelist mail that is sent using SMTP auth or if the sender is in the user's SmarterMail address book. In every case I've seen SMTP auth was not used and the sender is not listed in the recipient's address book. Can anyone help out?

Below is a sample header. We've had several complaints, all from different domains, and in each case the headers look similar. The from and to address are the same and in every case the emails have an X-Rcpt-To field pointing to another user within the domain.

--
Return-Path:
Received: from 189104007058.user.veloxzone.com.br [189.104.7.58] by mx2.pacificonline.com with SMTP; Sun, 28 Jun 2009 12:06:38 -0700
Message-ID:
From: "Medicines"
Reply-To: "Medicines"
To: k...@domainremoved.com
Subject: Useful potions, approved pilules
Date: Mon, 29 Jun 2009 02:05:33 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-=549_9341_6L951C50.68SC114N"
X-Priority: 3
X-MSMail-Priority: Normal
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: CBL: "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=189.104.7.58";
X-RBL-Warning: SPAMCOP: "Blocked - see http://www.spamcop.net/bl.shtml?189.104.7.58";
X-RBL-Warning: UCEPROTECT-1: "IP 189.104.7.58 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: UCEPROTECT-2: "Net 189.104.0.0/19 is UCEPROTECT-Level2 listed because 552 abusers are hosted by Telecomunicacoes da Bahia S.A./AS7738 there. See: http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: UCEPROTECT-3: "Your ISP Telecomunicacoes da Bahia S.A./AS7738 is UCEPROTECT-Level3 listed for hosting a total of 100857 abusers. See: http://www.uceprotect.net/rblcheck.php?ipr=189.104.7.58";
X-RBL-Warning: BCC: 13 Bcc:'s detected.
X-RBL-Warning: CMDSPACE: Space found in RCPT TO: command.
X-Declude-Sender: k...@domainremoved.com [189.104.7.58]
X-Declude-RefID: str=0001.0A010204.4A47BD36.0135,ss=4,sh,fgs=0
X-Declude-Note: Incoming Msg Scanned by Declude 4.6.35
X-Declude-Score: [0]
X-Declude-Fail: Whitelisted
X-Country-Chain: BRAZIL->destination
X-Rcpt-To:
X-SmarterMail-Spam: DK_None, Declude: 0
X-SmarterMail-TotalSpamWeight: 0
[Declude.JunkMail] Barracuda Reputation Block List
Anyone using this? If so, how effective is it, and what are your settings?

H.
[Declude.JunkMail] automated response
I will be out of the office this afternoon, Monday July 6, 2009. I will have access to emails and will respond as quickly as I can.

Thank you!

Troy Hilton
Serveon, Inc.
302-529-8640
[Declude.JunkMail] Cutting down on DNS
My declude boxes are really driving DNS traffic up, loads. Is there any general advice on improving the efficiency of the various declude checks to reduce the number of DNS hits?

Thanks!

-- Michael Cummins