Re: [Declude.JunkMail] declude queue / imail spool problems?
I am having some trouble with my mail server. About once a week, I find my spool folder overflowing. There are usually only about 200 files in that folder, but when this weird thing happens, there are 5000+ in both the spool and in the overflow folder. If there are lots of D*.SMD files in the spool directory, and lots of Q*.SMD files in the overflow directory, then IMail reached its maximum capacity and Declude Queue took over. Without Declude Queue, you would have seen all those files in the spool directory, and they would get sent out more slowly. If I move all the files from the overflow back into the spool, they clear out pretty quickly, but more keep showing up in the overflow at a rate of about 100 per few minutes. What could be causing this? Where do I start to try to figure it out. There is nothing unusual in the imail log and there is nothing about queue in any of the logs. If you run regedit, what is the entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPD32\Parameters\MaxQueProc set to? That controls how many processes can be running at once. If your server is capable, you could try increasing that value. Specifically, Declude Queue will start moving those files to the overflow directory when the maximum number of processes is reached (at which point IMail would normally keep the file in the queue, and not even attempt to deliver it until the next queue run, typically 20-30 minutes later). What you really need to do is find out *why* so much E-mail is being sent/received; in many cases, it is a spammer or other undesirable (such as a mail loop). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] declude queue / imail spool problems?
Here's what I did to fix it: 1) I turned off declude junkmail (by renaming the global.cfg file) 2) Moved all the files from the overflow directory to the spool directory They all cleared out and things are back to normal. Now (an hour after i turned junkmail off) I am going to turn junkmail back on and see what happens. From what I could tell, most of the extra email was spam. I could not find any trace of a mail loop, though. Our mail server is a Dell 2450 with 2 866processors and 512mb ram. it has a caching raid controller and some very fast drives. How high do you think I could get away with setting that max processes value? In the imail admin for 7.11 there is an advanced tab under the smtp service. One of the values that can be set there is max processes. Is this the same thing? Thanks, Jim - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 18, 2002 12:37 PM Subject: Re: [Declude.JunkMail] declude queue / imail spool problems? I am having some trouble with my mail server. About once a week, I find my spool folder overflowing. There are usually only about 200 files in that folder, but when this weird thing happens, there are 5000+ in both the spool and in the overflow folder. If there are lots of D*.SMD files in the spool directory, and lots of Q*.SMD files in the overflow directory, then IMail reached its maximum capacity and Declude Queue took over. Without Declude Queue, you would have seen all those files in the spool directory, and they would get sent out more slowly. If I move all the files from the overflow back into the spool, they clear out pretty quickly, but more keep showing up in the overflow at a rate of about 100 per few minutes. What could be causing this? Where do I start to try to figure it out. There is nothing unusual in the imail log and there is nothing about queue in any of the logs. If you run regedit, what is the entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SMTPD32\Parameters\MaxQ ueProc set to? That controls how many processes can be running at once. If your server is capable, you could try increasing that value. Specifically, Declude Queue will start moving those files to the overflow directory when the maximum number of processes is reached (at which point IMail would normally keep the file in the queue, and not even attempt to deliver it until the next queue run, typically 20-30 minutes later). What you really need to do is find out *why* so much E-mail is being sent/received; in many cases, it is a spammer or other undesirable (such as a mail loop). -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] declude queue / imail spool problems?
Here's what I did to fix it: 1) I turned off declude junkmail (by renaming the global.cfg file) 2) Moved all the files from the overflow directory to the spool directory They all cleared out and things are back to normal. Now (an hour after i turned junkmail off) I am going to turn junkmail back on and see what happens. Note that you also did something else here -- by turning off Declude JunkMail, you sped up delivery of *new* E-mails, especially if you are using an old spam test that times out (causing the E-mail to be in memory for 10+ extra seconds). That may be a factor. From what I could tell, most of the extra email was spam. It sounds like you may be dealing with a massive distributed spam attack, where a spammer compromises thousands of computers, and sends spam via a dictionary-like attack (sending to thousands and thousands of made-up addresses, hoping a few will receive the E-mail). If you have a nobody alias, this can shut down your server. Our mail server is a Dell 2450 with 2 866processors and 512mb ram. it has a caching raid controller and some very fast drives. How high do you think I could get away with setting that max processes value? It's impossible to say -- only trial and error will tell for sure. The problem is that Microsoft doesn't document the pertinent information about the problem. The problem is that if you go too high, Microsoft will run out of a special type of memory and choke, causing all new processes to fail upon loading. With the best information we can get from Microsoft, it shouldn't be possible for this to happen with recent versions of Declude (although it definitely will happen without Declude). A value of 30 is the default, so if it is lower, you should be able to raise it to 30 with no problem. In the imail admin for 7.11 there is an advanced tab under the smtp service. One of the values that can be set there is max processes. Is this the same thing? Ah, yes -- I forgot about that (a nice new feature). That is the same thing. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] declude queue / imail spool problems?
I turned it back on and the number of files in the spool started growing at a very fast pace. I'm running declude v1.53 if that helps. We do get lots of dictionary attacks, but they don't actually get in as files do they? don't the emails to bogus users get rejected before they are written to a file? The part about dead tests sounds interesting. Below is a list of the tests that I am running... Thanks, Jim #ORBZIN ip4r inputs.orbz.org 127.0.0.2 5 0 #ORBZOUT ip4r outputs.orbz.org 127.0.0.2 5 0 ORDB ip4r relays.ordb.org * 14 0 OSDUL ip4rrelays.osirusoft.com 127.0.0.3 15 0 OSFORM ip4rrelays.osirusoft.com 127.0.0.8 15 0 OSLIST ip4rrelays.osirusoft.com 127.0.0.7 15 0 OSRELAY ip4rrelays.osirusoft.com 127.0.0.2 14 0 OSSMART ip4rrelays.osirusoft.com 127.0.0.5 15 0 OSSOFT ip4rrelays.osirusoft.com 127.0.0.6 15 0 OSSRC ip4rrelays.osirusoft.com 127.0.0.4 15 0 SPAMCOP ip4r bl.spamcop.net 127.0.0.2 25 0 DSN rhsbl dsn.rfc-ignorant.org 127.0.0.2 15 0 NOABUSE rhsbl abuse.rfc-ignorant.org 127.0.0.4 15 0 NOPOSTMASTER rhsbl postmaster.rfc-ignorant.org 127.0.0.3 15 0 ADULT adult x x 30 0 BADHEADERS badheaders x x 10 0 MAILFROMenvfrom x x 15 0 PERCENT percent x x 15 0 REVDNS revdnsexists x x 15 0 ROUTING spamrouting x x 15 0 SPAMHEADERS spamheaders x x 15 0 SNIFFER external nonzero e:\imail\declude\Sniffer\sniffer.exe 29 0 WEIGHT weight x x 30 0 - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 18, 2002 12:59 PM Subject: Re: [Declude.JunkMail] declude queue / imail spool problems? Here's what I did to fix it: 1) I turned off declude junkmail (by renaming the global.cfg file) 2) Moved all the files from the overflow directory to the spool directory They all cleared out and things are back to normal. Now (an hour after i turned junkmail off) I am going to turn junkmail back on and see what happens. Note that you also did something else here -- by turning off Declude JunkMail, you sped up delivery of *new* E-mails, especially if you are using an old spam test that times out (causing the E-mail to be in memory for 10+ extra seconds). That may be a factor. From what I could tell, most of the extra email was spam. It sounds like you may be dealing with a massive distributed spam attack, where a spammer compromises thousands of computers, and sends spam via a dictionary-like attack (sending to thousands and thousands of made-up addresses, hoping a few will receive the E-mail). If you have a nobody alias, this can shut down your server. Our mail server is a Dell 2450 with 2 866processors and 512mb ram. it has a caching raid controller and some very fast drives. How high do you think I could get away with setting that max processes value? It's impossible to say -- only trial and error will tell for sure. The problem is that Microsoft doesn't document the pertinent information about the problem. The problem is that if you go too high, Microsoft will run out of a special type of memory and choke, causing all new processes to fail upon loading. With the best information we can get from Microsoft, it shouldn't be possible for this to happen with recent versions of Declude (although it definitely will happen without Declude). A value of 30 is the default, so if it is lower, you should be able to raise it to 30 with no problem. In the imail admin for 7.11 there is an advanced tab under the smtp service. One of the values that can be set there is max processes. Is this the same thing? Ah, yes -- I forgot about that (a nice new feature). That is the same thing. -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] declude queue / imail spool problems?
We do get lots of dictionary attacks, but they don't actually get in as files do they? That depends. If you have a nobody alias, they do come in as files, and are processed by Declude. If you do not have a nobody alias, then they will not be processed (by IMail or Declude). don't the emails to bogus users get rejected before they are written to a file? Yes -- if there is no nobody alias. The part about dead tests sounds interesting. Below is a list of the tests that I am running... All of those tests are still around, so that shouldn't account for the problem. Have you tried looking at the logs to see why there is so much mail? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
Re: [Declude.JunkMail] declude queue / imail spool problems?
OK, I confirmed that there are no nobody aliases. I will start pouring through the logs... is there a program that would make that any easier? Thanks, Jim - Original Message - From: R. Scott Perry [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 18, 2002 1:54 PM Subject: Re: [Declude.JunkMail] declude queue / imail spool problems? We do get lots of dictionary attacks, but they don't actually get in as files do they? That depends. If you have a nobody alias, they do come in as files, and are processed by Declude. If you do not have a nobody alias, then they will not be processed (by IMail or Declude). don't the emails to bogus users get rejected before they are written to a file? Yes -- if there is no nobody alias. The part about dead tests sounds interesting. Below is a list of the tests that I am running... All of those tests are still around, so that shouldn't account for the problem. Have you tried looking at the logs to see why there is so much mail? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com . --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. You can E-mail [EMAIL PROTECTED] for assistance. You can visit our web site at http://www.declude.com .
