Re: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
Markus et al.,

This is my first full day on SP1, but I have seen double processing before in D files stranded in the spool going back maybe a year or more and on Win2K as well. I was only able to nail this down to a load issue because the 1:30 a.m. mailing is a daily occurrence and I see errors in my logs every time since adding this customer.

I have one external application that is erroring on heavy load, but that would also happen before SP1. I did however note that my CPU utilization peaked at 39% today on hourly averages with SP1 whereas on Friday pre-SP1, they peaked at 30% (and Mondays are generally slow). I'm not sure what has caused this, but it could be something as simple as a dictionary attack. Aside from the increased CPU utilization which may or may not be related to SP1 and this one application throwing errors under heavy load, I have yet to see any of these other errors with queue manager or Declude.

FYI, immediately after upping to SP1 I found that my address validation software was incompatible and needed to be patched to work with SP1 so my server ran at 100% for about 1 hour and the only bad effect in the core processes was a few of these errors with Virus and I suspect double processing as they always seem to happen together.

Matt

Gufler Markus wrote:

FYI: I'm running v1.82 on a Win2003 server and since SP1 is installed I've had problems multiple times with the queue manager and also popup messages for declude.exe. One problem could be the new SP1 application execution protection. This problem appears only some days but can also happen multiple times a day. I've removed SP1 and will watch now if it will solve the problem.

Markus

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darrell ([EMAIL PROTECTED])
Sent: Monday, April 18, 2005 11:12 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

I submitted a support ticket this morning about problems I saw under 2.0.6 with high load. This weekend while doing some maintenance I ran into some load issues when I brought one of the servers down I maintain. When I bring one of the servers offline I know the other server will start dropping messages into the overflow directory and it did this. However, after a short period of time I started to see application pop up messages "Declude.exe - Application error: The application failed to initialize properly (0xc142)". I ended up having to reboot the box. I thought this was a fluke, but when I did the maintenance on the other server I saw the same problem again on the other mail server.

The odd thing about both situations is that I saw hundreds of declude.exe processes when the max under 2.0.6 by default is 25.

Again this could be something unique to my servers.

Darrell

-- --
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Andy Schmidt writes:

Hi Matt:

While I was beta testing 2.0.6, I was also suffering from some distributed dictionary attacks - and I was scrutinizing the log files much more closely (to look for possible beta errors).

I don't know WHICH of these three factors were critical (2.x vs. load vs. level of attention) - but I had detected what sounds like your situation. I noticed Spam and Virus log entries that referred to file i/o errors and upon closer examination of individual cases, I noticed that apparently the same Q/D files were processed more than once. The developers added log information that tracked the process-id to determine if the problem was a loop in one process or the launching of multiple processes (they were indeed different.)

About the same time, they also introduced the new Declude.cfg file that allowed me to manage/limit the number of concurrent Declude processes.

After installing new builds AND limiting the number of Declude processes I no longer noticed these errors in the log files.

So - I can state that this problem was worked on and even that some code changes were made. But I can't promise with certainty that the problem was fixed with the code changes, or due to the new Declude.cfg option - or if my
RE: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
FYI: I'm running v1.82 on a Win2003 server and since SP1 is installed I've had problems multiple times with the queue manager and also popup messages for declude.exe. One problem could be the new SP1 application execution protection. This problem appears only some days but can also happen multiple times a day. I've removed SP1 and will watch now if it will solve the problem.

Markus

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Darrell ([EMAIL PROTECTED])
> Sent: Monday, April 18, 2005 11:12 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Error 183 in Declude Virus
> and double processing in Declude JunkMail during heavy load
>
> I submitted a support ticket this morning about problems I
> saw under 2.0.6 with high load. This weekend while doing
> some maintenance I ran into some load issues when I brought
> one of the servers down I maintain. When I bring one of the
> servers offline I know the other server will start dropping
> messages into the overflow directory and it did this.
> However, after a short period of time I started to see
> application pop up messages "Declude.exe - Application error:
> The application failed to initialize properly (0xc142)".
> I ended up having to reboot the box. I thought this was a
> fluke, but when I did the maintenance on the other server I
> saw the same problem again on the other mail server.
>
> The odd thing about both situations is that I saw hundreds
> of declude.exe processes when the max under 2.0.6 by default is 25.
>
> Again this could be something unique to my servers.
>
> Darrell
>
> --
> --
> Check out http://www.invariantsystems.com for utilities for
> Declude And Imail. IMail/Declude Overflow Queue Monitoring,
> SURBL/URI integration, MRTG Integration, and Log Parsers.
>
>
>
> Andy Schmidt writes:
>
> > Hi Matt:
> >
> > While I was beta testing 2.0.6, I was also suffering from some distributed
> > dictionary attacks - and I was scrutinizing the log files much more closely
> > (to look for possible beta errors).
> >
> > I don't know WHICH of these three factors were critical (2.x vs. load vs.
> > level of attention) - but I had detected what sounds like your situation. I
> > noticed Spam and Virus log entries that referred to file i/o errors and
> > upon closer examination of individual cases, I noticed that apparently the
> > same Q/D files were processed more than once. The developers added log
> > information that tracked the process-id to determine if the problem was a
> > loop in one process or the launching of multiple processes (they were indeed
> > different.)
> >
> > About the same time, they also introduced the new Declude.cfg file that
> > allowed me to manage/limit the number of concurrent Declude processes.
> >
> > After installing new builds AND limiting the number of Declude processes I
> > no longer noticed these errors in the log files.
> >
> > So - I can state that this problem was worked on and even that some code
> > changes were made. But I can't promise with certainty that the problem was
> > fixed with the code changes, or due to the new Declude.cfg option - or if my
> > workload mix simply was sufficiently different.
> >
> > Since then I have been able to block those distributed dictionary attacks in
> > my IIS gateways, so that this factor has been eliminated altogether.
> >
> >
> > Best Regards
> > Andy Schmidt
> >
> > Phone: +1 201 934-3414 x20 (Business)
> > Fax:+1 201 934-9206
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Matt
> > Sent: Monday, April 18, 2005 04:10 PM
> > To: Declude.JunkMail@declude.com
> > Cc: [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing
> > in Declude JunkMail during heavy load
> >
> >
> > This is primarily meant for Declude's support, but I am sending it to the
> > list in the event that the broader scrutiny might be beneficial.
> >
> > I'm currently running Declude 1.82 and Windows 2003 SP1. It appears that
> > under heavy load I am seeing errors from both Declude Virus and Declude
> > JunkMail, and it seems possible that while the errors are triggered by the
> &g
RE: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
Matt,

I had this same exact issue, with exact same symptoms (Win 2000 SP4) and I called Declude on it a few weeks ago. Eventually, I just copied in a new Declude 1.82.exe file and reinstalled my scanners and the issue went away. I saw the same Error starting scanner and the Error 183. I went on the assumption that my scanners got corrupted and thus deinstalled them and reinstalled them. I thought it was just my server, but it seems it could be a broader issue.

Keith Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 18, 2005 4:10 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

This is primarily meant for Declude's support, but I am sending it to the list in the event that the broader scrutiny might be beneficial.

I'm currently running Declude 1.82 and Windows 2003 SP1. It appears that under heavy load I am seeing errors from both Declude Virus and Declude JunkMail, and it seems possible that while the errors are triggered by the heavy load, the conditions created might be avoidable. It seems likely that either IMail or Declude is producing the problem.

I have a client that has a Web server that pumps out about 350 E-mails every night in rapid succession from their Web server. This has been causing issues pretty much every night. Declude Virus throws about a half dozen or so errors during this blast saying "Error 183 creating temp directory [path]", and when this happens, it seems to always do this multiple times for the same file name. Declude JunkMail seems to also double, triple, quadruple, etc., process the same files when this happens, which is noted in both the logs as well as the headers that it inserts in the E-mail. I sometimes find these multiple-processed files stranded in my spool without a Q file. I'm not sure what conditions associated with the load are causing this, but this can also happen at other times outside of this nightly blast when the CPUs are being pegged.

I'm sharing the associated headers and log file entries in the hopes of helping to identify the source of the issue and also potentially resolving it. Here is a copy of each for one such message:

HEADERS
==
Received: from mx1.mailpure.com [208.7.179.200] by mail.mailpure.com with ESMTP (SMTPD32-8.15) id A039545F00E0; Thu, 14 Apr 2005 01:31:37 -0400
Received: from DH04 ([###.###.###.###]) by mx1.mailpure.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 14 Apr 2005 01:31:34 -0400
Received: from mail pickup service by DH04 with Microsoft SMTPSVC; Thu, 14 Apr 2005 01:30:49 -0400
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Nightly Email update from [Company Name]
Date: Thu, 14 Apr 2005 01:30:49 -0400
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_0001_01C54091.8C5A7060"
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcVAsxNWnH6Lzk2RRyizH9lhpqD3BQ==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-OriginalArrivalTime: 14 Apr 2005 05:30:49.0363 (UTC) FILETIME=[1DD32E30:01C540B3]
Return-Path: [EMAIL PROTECTED]
X-MailPure:
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com [###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure:
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
X-MailPure:
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Received From: customer-webserver.example.com [###.###.###.###]
X-MailPure: Country Chain: UNITED STATES->destination
X-MailPure:
X-MailPure: Spam and virus blocking services provided by MailPure.com
X-MailPure:
X-MailPure:
X-MailPure
Re: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
I submitted a support ticket this morning about problems I saw under 2.0.6 with high load. This weekend while doing some maintenance I ran into some load issues when I brought one of the servers down I maintain. When I bring one of the servers offline I know the other server will start dropping messages into the overflow directory and it did this. However, after a short period of time I started to see application pop up messages "Declude.exe - Application error: The application failed to initialize properly (0xc142)". I ended up having to reboot the box. I thought this was a fluke, but when I did the maintenance on the other server I saw the same problem again on the other mail server.

The odd thing about both situations is that I saw hundreds of declude.exe processes when the max under 2.0.6 by default is 25.

Again this could be something unique to my servers.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.

Andy Schmidt writes:

Hi Matt:

While I was beta testing 2.0.6, I was also suffering from some distributed dictionary attacks - and I was scrutinizing the log files much more closely (to look for possible beta errors).

I don't know WHICH of these three factors were critical (2.x vs. load vs. level of attention) - but I had detected what sounds like your situation. I noticed Spam and Virus log entries that referred to file i/o errors and upon closer examination of individual cases, I noticed that apparently the same Q/D files were processed more than once. The developers added log information that tracked the process-id to determine if the problem was a loop in one process or the launching of multiple processes (they were indeed different.)

About the same time, they also introduced the new Declude.cfg file that allowed me to manage/limit the number of concurrent Declude processes.

After installing new builds AND limiting the number of Declude processes I no longer noticed these errors in the log files.

So - I can state that this problem was worked on and even that some code changes were made. But I can't promise with certainty that the problem was fixed with the code changes, or due to the new Declude.cfg option - or if my workload mix simply was sufficiently different.

Since then I have been able to block those distributed dictionary attacks in my IIS gateways, so that this factor has been eliminated altogether.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 18, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

This is primarily meant for Declude's support, but I am sending it to the list in the event that the broader scrutiny might be beneficial.

I'm currently running Declude 1.82 and Windows 2003 SP1. It appears that under heavy load I am seeing errors from both Declude Virus and Declude JunkMail, and it seems possible that while the errors are triggered by the heavy load, the conditions created might be avoidable. It seems likely that either IMail or Declude is producing the problem.

I have a client that has a Web server that pumps out about 350 E-mails every night in rapid succession from their Web server. This has been causing issues pretty much every night. Declude Virus throws about a half dozen or so errors during this blast saying "Error 183 creating temp directory [path]", and when this happens, it seems to always do this multiple times for the same file name. Declude JunkMail seems to also double, triple, quadruple, etc., process the same files when this happens, which is noted in both the logs as well as the headers that it inserts in the E-mail. I sometimes find these multiple-processed files stranded in my spool without a Q file. I'm not sure what conditions associated with the load are causing this, but this can also happen at other times outside of this nightly blast when the CPUs are being pegged.

I'm sharing the associated headers and log file entries in the hopes of helping to identify the source of the issue and also potentially resolving it. Here is a copy of each for one such message:

HEADERS
==
Received: from mx1.mailpure.com [208.7.179.200] by mail.mailpure.com with ESMTP (SMTPD32-8.15) id A039545F00E0; Thu, 14 Apr 2005 01:31:37 -0400
Received: from DH04 ([###.###.###.###]) by mx1.mailpure.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 14 Apr 2005 01:31:34 -0400
Received: from mail pickup service by DH04 with Microsoft SMTPSVC; Thu, 14 Apr 2005 01:30:49 -0400
From:
Re: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
Andy,

Thanks for the information. There is no doubt that you could limit the processes and never reach this overloaded condition and that would mask the issue, and gateway validation should also prevent overloaded conditions if you were formerly being bombarded. What I'm curious about however is whether or not Declude corrected the issue (if it was theirs), or if they just simply masked it by allowing for these limits.

Personally, I'm a little concerned about controlling things with a limit that is only associated with a process count since there are certainly many times on my box that it needs to handle bursty traffic and I don't want to back things up if I can help it. I already know that depending on whether or not something is whitelisted, has an attachment, or how big the attachment or body of the message is, my box will respond very differently. I would hate to put a limit on things that might cap my server at 50% utilization in some cases, but might be too high to matter in others.

Thanks,

Matt

Andy Schmidt wrote:

Hi Matt:

While I was beta testing 2.0.6, I was also suffering from some distributed dictionary attacks - and I was scrutinizing the log files much more closely (to look for possible beta errors).

I don't know WHICH of these three factors were critical (2.x vs. load vs. level of attention) - but I had detected what sounds like your situation. I noticed Spam and Virus log entries that referred to file i/o errors and upon closer examination of individual cases, I noticed that apparently the same Q/D files were processed more than once. The developers added log information that tracked the process-id to determine if the problem was a loop in one process or the launching of multiple processes (they were indeed different.)

About the same time, they also introduced the new Declude.cfg file that allowed me to manage/limit the number of concurrent Declude processes.

After installing new builds AND limiting the number of Declude processes I no longer noticed these errors in the log files.

So - I can state that this problem was worked on and even that some code changes were made. But I can't promise with certainty that the problem was fixed with the code changes, or due to the new Declude.cfg option - or if my workload mix simply was sufficiently different.

Since then I have been able to block those distributed dictionary attacks in my IIS gateways, so that this factor has been eliminated altogether.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, April 18, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

This is primarily meant for Declude's support, but I am sending it to the list in the event that the broader scrutiny might be beneficial.

I'm currently running Declude 1.82 and Windows 2003 SP1. It appears that under heavy load I am seeing errors from both Declude Virus and Declude JunkMail, and it seems possible that while the errors are triggered by the heavy load, the conditions created might be avoidable. It seems likely that either IMail or Declude is producing the problem.

I have a client that has a Web server that pumps out about 350 E-mails every night in rapid succession from their Web server. This has been causing issues pretty much every night. Declude Virus throws about a half dozen or so errors during this blast saying "Error 183 creating temp directory [path]", and when this happens, it seems to always do this multiple times for the same file name. Declude JunkMail seems to also double, triple, quadruple, etc., process the same files when this happens, which is noted in both the logs as well as the headers that it inserts in the E-mail. I sometimes find these multiple-processed files stranded in my spool without a Q file. I'm not sure what conditions associated with the load are causing this, but this can also happen at other times outside of this nightly blast when the CPUs are being pegged.

I'm sharing the associated headers and log file entries in the hopes of helping to identify the source of the issue and also potentially resolving it. Here is a copy of each for one such message:

HEADERS
==
Received: from mx1.mailpure.com [208.7.179.200] by mail.mailpure.com with ESMTP (SMTPD32-8.15) id A039545F00E0; Thu, 14 Apr 2005 01:31:37 -0400
Received: from DH04 ([###.###.###.###]) by mx1.mailpure.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 14 Apr 2005 01:31:34 -0400
Received: from mail pickup service by DH04 with Microsoft SMTPSVC; Thu, 14 Apr 2005 01:30:49 -0400
F
RE: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load
Hi Matt:

While I was beta testing 2.0.6, I was also suffering from some distributed dictionary attacks - and I was scrutinizing the log files much more closely (to look for possible beta errors).

I don't know WHICH of these three factors were critical (2.x vs. load vs. level of attention) - but I had detected what sounds like your situation. I noticed Spam and Virus log entries that referred to file i/o errors and upon closer examination of individual cases, I noticed that apparently the same Q/D files were processed more than once. The developers added log information that tracked the process-id to determine if the problem was a loop in one process or the launching of multiple processes (they were indeed different.)

About the same time, they also introduced the new Declude.cfg file that allowed me to manage/limit the number of concurrent Declude processes.

After installing new builds AND limiting the number of Declude processes I no longer noticed these errors in the log files.

So - I can state that this problem was worked on and even that some code changes were made. But I can't promise with certainty that the problem was fixed with the code changes, or due to the new Declude.cfg option - or if my workload mix simply was sufficiently different.

Since then I have been able to block those distributed dictionary attacks in my IIS gateways, so that this factor has been eliminated altogether.

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 18, 2005 04:10 PM
To: Declude.JunkMail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Error 183 in Declude Virus and double processing in Declude JunkMail during heavy load

This is primarily meant for Declude's support, but I am sending it to the list in the event that the broader scrutiny might be beneficial.

I'm currently running Declude 1.82 and Windows 2003 SP1. It appears that under heavy load I am seeing errors from both Declude Virus and Declude JunkMail, and it seems possible that while the errors are triggered by the heavy load, the conditions created might be avoidable. It seems likely that either IMail or Declude is producing the problem.

I have a client that has a Web server that pumps out about 350 E-mails every night in rapid succession from their Web server. This has been causing issues pretty much every night. Declude Virus throws about a half dozen or so errors during this blast saying "Error 183 creating temp directory [path]", and when this happens, it seems to always do this multiple times for the same file name. Declude JunkMail seems to also double, triple, quadruple, etc., process the same files when this happens, which is noted in both the logs as well as the headers that it inserts in the E-mail. I sometimes find these multiple-processed files stranded in my spool without a Q file. I'm not sure what conditions associated with the load are causing this, but this can also happen at other times outside of this nightly blast when the CPUs are being pegged.

I'm sharing the associated headers and log file entries in the hopes of helping to identify the source of the issue and also potentially resolving it. Here is a copy of each for one such message:

HEADERS
==
Received: from mx1.mailpure.com [208.7.179.200] by mail.mailpure.com with ESMTP (SMTPD32-8.15) id A039545F00E0; Thu, 14 Apr 2005 01:31:37 -0400
Received: from DH04 ([###.###.###.###]) by mx1.mailpure.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 14 Apr 2005 01:31:34 -0400
Received: from mail pickup service by DH04 with Microsoft SMTPSVC; Thu, 14 Apr 2005 01:30:49 -0400
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Nightly Email update from [Company Name]
Date: Thu, 14 Apr 2005 01:30:49 -0400
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_0001_01C54091.8C5A7060"
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcVAsxNWnH6Lzk2RRyizH9lhpqD3BQ==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-OriginalArrivalTime: 14 Apr 2005 05:30:49.0363 (UTC) FILETIME=[1DD32E30:01C540B3]
Return-Path: [EMAIL PROTECTED]
X-MailPure:
X-MailPure: FORGEDFROM: Message failed FORGEDFROM test (weight 2).
X-MailPure:
X-MailPure: Spam Score: 2
X-MailPure: Scan Time: 14 Apr 2005 at 01:34:15 -0400
X-MailPure: Spool File: D0039545f00e0819a.SMD
X-MailPure: Server Name: DH04
X-MailPure: SMTP Sender: [EMAIL PROTECTED]
X-MailPure: Re
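
Error 183 is the Windows code ERROR_ALREADY_EXISTS, which is what a second process gets when it tries to create a temp directory that another process has already created for the same spool file. The following is an added example, not code from this thread, Declude or IMail: it shows a worker using an atomic directory create as a claim on the D file, so duplicate launches back off instead of scanning the message again. The function names, the `.work` suffix and the two extra spool names are assumptions; the thread does not say how Declude names or uses its temp directories.

```python
import os
import tempfile
import threading


def claim_spool_file(work_root, spool_name):
    """Claim a spool file by creating its per-message work directory.

    os.mkdir is atomic, so when several workers are launched for the same
    D file exactly one gets the directory; the others see "already exists"
    (winerror 183 on Windows, EEXIST elsewhere) and must back off.
    """
    claim_dir = os.path.join(work_root, spool_name + ".work")  # assumed layout
    try:
        os.mkdir(claim_dir)
    except FileExistsError:
        return None  # another worker owns this message: do not scan it again
    return claim_dir


def simulate_burst(spool_names, launches_per_file=4):
    """Launch several workers per spool file at once and count the outcomes.

    Threads stand in for the separate processes described in the thread.
    Returns {spool_name: (times_scanned, times_skipped)}.
    """
    results = {name: [0, 0] for name in spool_names}
    lock = threading.Lock()
    barrier = threading.Barrier(len(spool_names) * launches_per_file)

    def worker(work_root, name):
        barrier.wait()  # release all workers together to force contention
        claimed = claim_spool_file(work_root, name)
        with lock:
            results[name][0 if claimed else 1] += 1

    with tempfile.TemporaryDirectory() as work_root:
        threads = [
            threading.Thread(target=worker, args=(work_root, name))
            for name in spool_names
            for _ in range(launches_per_file)
        ]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return {name: tuple(counts) for name, counts in results.items()}


# The first name is the spool file quoted in the thread; the others are constructed.
SAMPLE_SPOOL = [
    "D0039545f00e0819a.SMD",
    "D00aa000000000001.SMD",
    "D00aa000000000002.SMD",
]

if __name__ == "__main__":
    for name, (scanned, skipped) in simulate_burst(SAMPLE_SPOOL).items():
        print(f"{name}: scanned {scanned}x, skipped {skipped} duplicate launches")
```

A worker that crashes leaves its claim directory behind, so a real deployment also needs a cleanup pass for stale claims.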