Mailscanner and server load

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Fri Aug 27 14:11:28 IST 2004


<x-flowed>
Mike

hmm darn RBL's - up, down, moved :-)

nearest I can find now is....

http://www.rbl.jp/virusrbl-e.html

I'll have a look and see if that rule is being triggered over the last 30
days in my MailWatch DB..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Mike Kercher wrote:
> What is this:
>
> header RCVD_IN_VIRBL eval:check_rbl('virbl-notfirsthop','virbl.dnsbl.bit.nl')
> describe RCVD_IN_VIRBL VIRBL: Received from a virus infected host
> tflags RCVD_IN_VIRBL net
> score RCVD_IN_VIRBL 0 3.0 0 3.0
>
> I can't find anything on Google pertaining to virbl.dnsbl.bit.nl
>
> Mike
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> Of Martin Hepworth
> Sent: Friday, August 27, 2004 3:46 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Mailscanner and server load
>
> Hi
>
> load looks a little high for that spec of machine...
>
> make sure you have a caching DNS server on the machine - it makes a lot of
> difference to SURBL, easy to set up, I'd do that first.
>
> As to RBL's I run only the spamcop combined list, known virus list and ORB,
> all others are turned off...my spam.assassin.prefs.conf has this in it..
>
> ############################################
> header RCVD_SPAMHAUS_XBL rbleval:check_rbl('spamhaus-xbl','xbl.spamhaus.org.')
> describe RCVD_SPAMHAUS_XBL Found in SpamHaus XBL
> tflags RCVD_SPAMHAUS_XBL net
> score RCVD_SPAMHAUS_XBL 1.5
>
> header RCVD_IN_VIRBL eval:check_rbl('virbl-notfirsthop','virbl.dnsbl.bit.nl')
> describe RCVD_IN_VIRBL VIRBL: Received from a virus infected host
> tflags RCVD_IN_VIRBL net
> score RCVD_IN_VIRBL 0 3.0 0 3.0
>
> # habeas getting totally abused by the spammers
> score HABEAS_SWE 0.0
>
> # don't do all the RBL's just orb and spamhaus XBL - above
> score RCVD_IN_NJABL 0.0
> score RCVD_IN_NJABL_DIALUP 0.0
> score RCVD_IN_NJABL_MULTI 0.0
> score RCVD_IN_NJABL_PROXY 0.0
> score RCVD_IN_NJABL_RELAY 0.0
> score RCVD_IN_NJABL_SPAM 0.0
> score RCVD_IN_DYNABLOCK 0.0
> score RCVD_IN_OPM 0.0
> score RCVD_IN_OPM_WINGATE 0.0
> score RCVD_IN_OPM_SOCKS 0.0
> score RCVD_IN_OPM_HTTP 0.0
> score RCVD_IN_OPM_ROUTER 0.0
> score RCVD_IN_SORBS_BLOCK 0.0
> score RCVD_IN_DSBL 0.0
> score RCVD_IN_RFCI 0.0
> score DNS_FROM_RFCI_DSN 0.0
> #score RCVD_IN_SBL 0.0
> score HABEAS_VIOLATOR 0.0
> score RCVD_IN_BSP_TRUSTED 0.0
> score RCVD_IN_BSP_OTHER 0.0
> #######################################################################
>
> Doing it this way means you don't take the RBL as a complete blacklist, just
> adds to the score, which helps prevent FPs.
>
> I'd check the MAQ on tuning, esp logging and running a tmpfs for the MS
> temporary files...
>
> Also I check for valid email addresses on the inbound MTA. If it's not
> from/to a valid address it gets rejected (this stops around 2/3's of spam
> before it hits MS, yes 2/3's!!!), and thus reduces load on MS.
>
> Adding RAM will always help..
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
> kfliong wrote:
>
>>Thanks for the replies guys. I can learn a lot from all your comments.
>>
>>Anyway, here are more info on my system.
>>
>>Around 50,000 mails per day of which 95% are SPAMS. I am currently
>>using list.dsbl.org in my sendmail.cf, which is helping a little to
>>kill off mails before they can come into my server. But it has false
>>identifications, which is causing some users to be unable to send mail using
>>SMTP; that's why I need to rely on SURBL and remove dsbl on MTA.
>>
>>I was using only bigevil previously and since SURBL will replace
>>bigevil, I have removed bigevil.
>>
>>A recap of my system specs :
>>
>>Celeron 1.3GHz, 512mb RAM, 60gb hdd, redhat 7.3, mailscanner+SA+clamav
>>(all latest stable version)
>>
>>And I do not run any DNS server. But will do that once I have upgraded my
>>box to fedora core 1 and ensim pro 4.0.1.
>>
>>For now, I want to know if I should upgrade to 1GB RAM.
>>
>
> <snip>
>
> **********************************************************************
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
>
> This footnote confirms that this email message has been swept for the
> presence of computer viruses and is believed to be clean.
>
> **********************************************************************
>
> ------------------------ MailScanner list ------------------------ To
> unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and the
> archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
</x-flowed>
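The scoring approach described in the thread (RBL hits add points instead of rejecting outright, `-notfirsthop` skips the originating host, and a caching resolver absorbs repeat lookups), as an added example that is not part of the original messages and is a simplified model rather than SpamAssassin's own code. The listings are constructed from documentation-range addresses, `make_resolver` is a hypothetical offline stand-in for a local caching DNS server, and the 5.0 threshold is an assumption.

```python
import ipaddress

# Constructed listings (RFC 5737 documentation addresses), not real DNSBL data.
LISTED = {
    "xbl.spamhaus.org.": {"203.0.113.7"},
    "virbl.dnsbl.bit.nl.": {"198.51.100.9"},
}
# (zone, score, notfirsthop) mirroring the two rules and scores quoted in the thread.
RULES = [("xbl.spamhaus.org.", 1.5, False), ("virbl.dnsbl.bit.nl.", 3.0, True)]
REQUIRED_SCORE = 5.0  # assumed spam threshold

def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def make_resolver(listed):
    """Hypothetical caching resolver; counts queries that would leave the host."""
    names = {dnsbl_name(ip, zone) for zone, ips in listed.items() for ip in ips}
    cache, stats = {}, {"upstream": 0}
    def resolve(name):
        if name not in cache:          # cache miss: one upstream DNS query
            stats["upstream"] += 1
            cache[name] = name in names
        return cache[name]
    return resolve, stats

def rbl_score(relays, rules, resolve):
    """relays: relay IPs, newest hop first, so the last entry is the originating host."""
    total = 0.0
    for zone, score, notfirsthop in rules:
        # notfirsthop: skip the originating host unless it is the only hop
        hops = relays[:-1] if notfirsthop and len(relays) > 1 else relays
        if any(resolve(dnsbl_name(ip, zone)) for ip in hops):
            total += score             # one hit per rule, added to the running score
    return total

def classify(relays, other_score, resolve):
    """Return (total score, is_spam); the RBL result is one input among others."""
    score = other_score + rbl_score(relays, RULES, resolve)
    return score, score >= REQUIRED_SCORE

if __name__ == "__main__":
    resolve, stats = make_resolver(LISTED)
    print(classify(["203.0.113.7", "198.51.100.9"], 1.0, resolve), stats)
```

A message relayed through a listed host picks up 1.5 points and is still delivered unless other rules push it over the threshold, which is the false-positive protection the thread describes.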


