RE: [Declude.Virus] w32/Sober.O virus
Thanks Matt, I implemented the Viruscode 8.

Yesterday I was still having over 3000 emails in the overflow folder. I had to do some tasks to manage things, even though my client was fixing their machines at their end. I created a kill list in IMail with the most common From addresses the virus emails were using (Hostmaster at hotmail.com, for example). I updated rules.ima in my clients' domains, deleting emails with particular subjects or particular attachments (Sober.O subjects and attachments). Just in case, I used the banname feature of Declude to make sure the Sober attachments were deleted. I also took my chances incrementing the Declude processes in small numbers and got to 50. The server behaved very well and the overflow folder started to decrease in terms of the amount of emails. Today was a very smooth day.

Now I am just thinking about something that is knocking in my head: I manage 25K emails per day, 200+ domains and 3500 users. It is not a big installation compared with what I have read on the IMail and Declude lists. But what worries me is that my server/IMail/Declude box was overflowed with 3000 emails, so I don't get the picture of how we can handle 100K emails per day with 500 domains and 12K users. My server is a Xeon 2.4 GHz with 1 GB of RAM (W2K). Do I need a better and more powerful server?

PS: By the way, what about changing to Smartmail? Does Smartmail handle my load without problems?

Regards,
Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Wednesday, 04 May 2005 12:05 a.m.
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] w32/Sober.O virus
RE: [Declude.Virus] w32/Sober.O virus
Are you running the fpcmd.exe version of the F-Prot scanner? If not, you will see these sorts of delays.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Panda Consulting S.A. Luis Alberto Arango
Sent: Tuesday, May 03, 2005 6:00 PM
To: Declude.Virus@declude.com
Subject: [Declude.Virus] w32/Sober.O virus

FYI: Today we were flooded with a massive number of incoming emails containing the Sober.O (F-Prot) virus. We receive approximately 15% viruses out of all the emails we process. Today the figure rose to almost 40%. It filled the overflow folder and there were delays of about 2 to 5 hours to deliver non-virus emails.

We received the first email with the virus at 12 (noon) May 2. Our F-Prot signature files were not updated (we update every 4 hours) and we let 27 emails with viruses pass through. There was nothing we could do about it. The virus was discovered the same day by Symantec, F-Prot and others. Our F-Prot received signature files at 1:30 pm and from that time on we have caught about 9000 emails out of 30,000. The folder is full with 3000 emails and is not able to be handled as fast as we would want with Declude/F-Prot.

Q: Is there something we can do to avoid such delays delivering emails other than using the IMail kill list, catching the computers delivering the viruses and moving to a stronger server?

Bye,
Luis Arango

[Email scanned for viruses by Panda Consulting -www.pandacons.com-]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
Re: [Declude.Virus] w32/Sober.O virus
If you aren't running fpcmd.exe as Dave suggested, that would definitely be the first place to start. You need to purchase F-Prot instead of using the free DOS scanner to get fpcmd.exe.

This is not normal behavior for Sober, but I have seen some viruses get really bursty. For instance, one client that has a massive newsletter would get hammered by viruses because of harvesting of their addresses from the newsletter. Some viruses also can hammer you with huge volume from a single computer. You might want to look at the IPs that are sending the viruses and see if these can be narrowed down to just a few computers for the bulk of the messages.

Aside from that, Declude JunkMail is generally leaner than Declude Virus, and you might get a boost by having Declude JunkMail run first, where many of the viruses would be blocked and then wouldn't need to be virus scanned. You would need to be deleting the spams for them to not get scanned by Declude Virus, however; maybe Hold also prevents it, but I'm pretty sure that the other actions will still result in them being virus scanned under this alternative configuration. This is also much more beneficial when you run multiple virus scanners since more CPU can be saved this way. F-Prot is generally very efficient.

Matt

--
=====
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====
RE: [Declude.Virus] w32/Sober.O virus
Matt and Dave:

First of all, thank you very much for answering my post. I am using fpcmd.exe. Here are my config lines, in case I am missing some important switch:

SCANFILE1 D:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1 Infection:

Anyway, I already contacted one of my clients whose IP is sending lots and lots of emails with the virus to our mail server. I believe they are sending probably 80% of the virus I am getting. He confirmed that they were infected and that they are running a clean-up task. They have over 600 computers so it takes quite some time to make sure they are all clean. I am also narrowing down other IPs to contact the owners.

Besides, Declude is running 25 simultaneously (default). If tomorrow I get overflow messages I will increase the number of processes in the declude.cfg file to see if that improves the delivery. I just have to make sure I don't crash the server. I may also increase the number of IMail threads to 40 or 50.

By the way, I found interesting and useful support text regarding delayed delivery here: http://www.declude.com/help_answer.asp?ID=122 (IMail's SMTP Sending Architecture).

Again, thanks for your help.
Luis Arango

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.Virus-[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Tuesday, 03 May 2005 09:07 p.m.
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] w32/Sober.O virus
Re: [Declude.Virus] w32/Sober.O virus
Luis,

If you are seeing 100% CPU utilization and timeouts in your Declude Virus log, you would be best served by reducing the number of simultaneous processes instead of increasing them. If you increase them, you run the risk of causing more timeouts.

Your F-Prot config looks to be normal, but you need to add the following line in order to stop some recent viruses for which F-Prot returns a code 8 when detected:

VIRUSCODE1 8

Considering that you attributed 80% to just one client, and it appears that they had a big infection, that would explain why you are seeing this sort of traffic but others like myself are not.

Seems like you have a good handle on things now.

Good luck,

Matt
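Luis's posted config and Matt's VIRUSCODE1 8 advice come down to one mechanism: the scanner's exit code is matched against the VIRUSCODE1 list, so a detection that returns an unlisted code is delivered as clean. The Python below is an added example, not Declude's or F-Prot's code; it assumes the exit code alone decides the verdict, that REPORT1 only marks where the virus name sits in the report file, and it feeds in constructed scan results to show which messages each config lets through.

```python
"""Exit-code verdicts for a Declude-style scanner hook (added example, not
Declude's or F-Prot's code). Assumes, as the thread describes, that the exit
codes listed in VIRUSCODE1 lines alone decide "infected" and that REPORT1
only marks where the virus name sits in the scanner's report file."""
import re

# Config lines as posted in the thread; CONFIG_FIXED adds Matt's line.
CONFIG_ORIGINAL = r"""
SCANFILE1 D:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE=5 /NOBOOT /DUMB /REPORT=report.txt
VIRUSCODE1 3
VIRUSCODE1 6
REPORT1 Infection:
"""
CONFIG_FIXED = CONFIG_ORIGINAL + "VIRUSCODE1 8\n"

def parse_config(text):
    """Scanner command, exit codes meaning 'virus', and report marker."""
    cfg = {"scanfile": "", "viruscodes": set(), "report": ""}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        key, value = key.upper(), value.strip()
        if key == "SCANFILE1":
            cfg["scanfile"] = value
        elif key == "VIRUSCODE1":
            cfg["viruscodes"].add(int(value))
        elif key == "REPORT1":
            cfg["report"] = value
    return cfg

def virus_name(cfg, report_text):
    """Token following the REPORT1 marker in the report, or None."""
    if not cfg["report"]:
        return None
    m = re.search(re.escape(cfg["report"]) + r"\s*(\S+)", report_text)
    return m.group(1) if m else None

def classify(cfg, exit_code, report_text):
    """(infected, virus name). Only a listed exit code counts: an unlisted
    code is clean even if the report names a virus, the gap VIRUSCODE1 8 closes."""
    return exit_code in cfg["viruscodes"], virus_name(cfg, report_text)

def fail_open(cfg, results):
    """Ids whose report names a virus but whose exit code is unlisted:
    they would be delivered as clean, so they are worth alerting on."""
    return [mid for mid, rc, rep in results
            if virus_name(cfg, rep) and not classify(cfg, rc, rep)[0]]

# Constructed scan results: (message id, exit code, report file text).
# Code 8 is the one the thread says newer F-Prot detections return.
SCAN_RESULTS = [
    ("q1", 0, "Scanning q1.eml\nNo infections found."),
    ("q2", 3, "Scanning q2.eml\nInfection: W32/Sober.O@mm"),
    ("q3", 8, "Scanning q3.eml\nInfection: W32/Sober.O@mm"),
    ("q4", 6, "Scanning q4.eml\nInfection: W32/Sober.O@mm"),
]

if __name__ == "__main__":
    for label, text in (("original", CONFIG_ORIGINAL), ("fixed", CONFIG_FIXED)):
        print(label, "delivered as clean:", fail_open(parse_config(text), SCAN_RESULTS))
```

Running fail_open over the scanner's real report files after each signature update is a cheap way to notice a new return code before it lets mail through.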