Mailscanner and server load

Mike Kercher mike at CAMAROSS.NET
Fri Aug 27 13:50:29 IST 2004


What is this:

header RCVD_IN_VIRBL eval:check_rbl('virbl-notfirsthop','virbl.dnsbl.bit.nl')
describe RCVD_IN_VIRBL VIRBL: Received from a virus infected host
tflags RCVD_IN_VIRBL net
score RCVD_IN_VIRBL 0 3.0 0 3.0

I can't find anything on Google pertaining to virbl.dnsbl.bit.nl

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Martin Hepworth
Sent: Friday, August 27, 2004 3:46 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Mailscanner and server load

Hi

load looks a little high for that spec of machine...

make sure you have a caching DNS server on the machine - it makes a lot of
difference to SURBL, easy to set up, I'd do that first.

As to RBL's I run only the spamcop combined list, known virus list and ORB,
all others are turned off...my spam.assassin.prefs.conf has this in it..

############################################
header RCVD_SPAMHAUS_XBL rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org.')
describe RCVD_SPAMHAUS_XBL Found in SpamHaus XBL
tflags RCVD_SPAMHAUS_XBL net
score RCVD_SPAMHAUS_XBL 1.5

header RCVD_IN_VIRBL eval:check_rbl('virbl-notfirsthop','virbl.dnsbl.bit.nl')
describe RCVD_IN_VIRBL VIRBL: Received from a virus infected host
tflags RCVD_IN_VIRBL net
score RCVD_IN_VIRBL 0 3.0 0 3.0

# habeas getting totally abused by the spammers
score HABEAS_SWE 0.0

# don't do all the RBL's just orb and spamhaus XBL - above
score RCVD_IN_NJABL 0.0
score RCVD_IN_NJABL_DIALUP 0.0
score RCVD_IN_NJABL_MULTI 0.0
score RCVD_IN_NJABL_PROXY 0.0
score RCVD_IN_NJABL_RELAY 0.0
score RCVD_IN_NJABL_SPAM 0.0
score RCVD_IN_DYNABLOCK 0.0
score RCVD_IN_OPM 0.0
score RCVD_IN_OPM_WINGATE 0.0
score RCVD_IN_OPM_SOCKS 0.0
score RCVD_IN_OPM_HTTP 0.0
score RCVD_IN_OPM_ROUTER 0.0
score RCVD_IN_SORBS_BLOCK 0.0
score RCVD_IN_DSBL 0.0
score RCVD_IN_RFCI 0.0
score DNS_FROM_RFCI_DSN 0.0
#score RCVD_IN_SBL 0.0
score HABEAS_VIOLATOR 0.0
score RCVD_IN_BSP_TRUSTED 0.0
score RCVD_IN_BSP_OTHER 0.0
#######################################################################

Doing it this way means you don't take the RBL as a complete blacklist, just
adds to the score, which helps prevent FPs.

I'd check the MAQ on tuning, esp logging and running a tmpfs for the MS
temporary files...

Also I check for valid email addresses on the inbound MTA. If it's not
from/to a valid address it gets rejected (this stops around 2/3's of spam
before it hits MS, yes 2/3's!!!), and thus reduces load on MS.

Adding RAM will always help..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


kfliong wrote:
> Thanks for the replies guys. I can learn a lot from all your comments.
>
> Anyway, here is more info on my system.
>
> Around 50,000 mails per day, of which 95% are spam. I am currently
> using list.dsbl.org in my sendmail.cf, which is helping a little to
> kill off mails before they can come into my server. But it has false
> identifications, which leave some users unable to send mail using
> SMTP; that's why I need to rely on SURBL and remove dsbl on the MTA.
>
> I was using only bigevil previously and since SURBL will replace
> bigevil, I have removed bigevil.
>
> A recap of my system specs :
>
> Celeron 1.3GHz, 512mb RAM, 60gb hdd, redhat 7.3, mailscanner+SA+clamav
> (all latest stable version)
>
> And I do not run any DNS server. But I will do that once I have upgraded my
> box to fedora core 1 and ensim pro 4.0.1.
>
> For now, I want to know if I should upgrade to 1GB RAM.
>
<snip>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
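
Added example, not part of the original messages and not SpamAssassin's own code: a Python sketch of how the two check_rbl rules quoted above turn DNSBL listings into score rather than an outright reject. The relay IPs, the fake lookup set, the 5.0 threshold (SpamAssassin's default) and the simplified handling of the "-notfirsthop" suffix are assumptions made for illustration.

```python
import ipaddress

# Rules from the thread: zone, skip-first-hop flag (the "-notfirsthop" set-name
# suffix), and scores for the four score sets in SpamAssassin's order:
# (no Bayes/no net, no Bayes/net, Bayes/no net, Bayes/net).
RULES = {
    "RCVD_IN_VIRBL": ("virbl.dnsbl.bit.nl", True, (0, 3.0, 0, 3.0)),
    "RCVD_SPAMHAUS_XBL": ("xbl.spamhaus.org", False, (1.5, 1.5, 1.5, 1.5)),
}
REQUIRED_SCORE = 5.0  # assumption: SpamAssassin's default spam threshold


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_score(relays, is_listed, use_bayes=True, use_net=True):
    """Score relay IPs (newest Received hop first, originating host last).

    is_listed(name) -> bool stands in for the DNS A-record lookup.
    Returns (score added by the RBL rules, names of the rules that hit).
    """
    if not use_net:  # "tflags ... net": rules are skipped when network tests are off
        return 0.0, []
    score_set = (2 if use_bayes else 0) + 1
    total, hits = 0.0, []
    for rule, (zone, skip_first_hop, scores) in RULES.items():
        # Simplified -notfirsthop: drop the originating host unless it is the only hop.
        ips = relays[:-1] if skip_first_hop and len(relays) > 1 else relays
        if any(is_listed(dnsbl_name(ip, zone)) for ip in ips):
            total += scores[score_set]
            hits.append(rule)
    return total, hits


# Constructed sample: documentation-range IPs and a fake set of listed names.
RELAYS = ["203.0.113.5", "198.51.100.7", "192.0.2.10"]
LISTED = {"10.2.0.192.virbl.dnsbl.bit.nl", "7.100.51.198.xbl.spamhaus.org"}

if __name__ == "__main__":
    total, hits = rbl_score(RELAYS, LISTED.__contains__)
    print(hits, total, "spam" if total >= REQUIRED_SCORE else "below threshold")
```

In the sample the originating host is listed in VIRBL but skipped as the first hop, so only the XBL rule fires; even when both rules hit, the RBL contribution of 4.5 stays under the assumed threshold.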
