RE: New virus and post.office issues

The filters look like the issue.  I had a Novarg body filter that was to blame. 
 I should have know better.

The MRTG plots are proof enough:

http://mrtg.orourke.ca/firewall/cpu.html
http://mrtg.wavefront.ca/freya/cpu.html

Dan

> -----Original Message-----
> From: DC [mailto:dan.newsletter@xxxxxxxxxxx]
> Sent: Thursday, January 29, 2004 10:02 AM
> To: post_office@xxxxxxxxxxxxxxx
> Subject: Re: New virus and post.office issues
> 
> 
> I had a similar sequence of events this past weekend (unrelated , I think,
> to the mydoom). Time-outs, slowdowns, stacking, the lot!
> 
> I rebooted. Then, I told PO to only accept 5 SMTP-Accepts (so it would still
> chug away, but it would let me work on filters). Then I took down the
> filters one by one. As the last filter was removed, the dam broke and PO
> seemed to come alive again. I put the SMTP-Accepts up to 40 and went to bed.
> In the morning, everyone had a lot more spam, but PO was back in gear.
> 
> I also found another way to give PO some breathing room is to block port 25
> with your firewall. This will let PO recover so filter removal is faster. I
> didn't try that tip so YMMV.
> 
> This is drastic and may not be the solution for you, but it worked for me.
> We had about 10 filters and I am slowly reconstructing them to give our
> users spam protection again. If only the PO filter interface had ON/OFF
> checkboxes! Then you could switch off the filter without DESTROYING it. Ugh.
> Pipe dreams.
> 
> dan
> 
> On 1/29/04 11:43 AM, "Dan Tappin" <dan.tappin@xxxxxxxxxxxxxxx> wrote:
> 
> > I seem to be having some serious network / virus / post.office issues the 
> > past
> > few days.
> > 
> > I am the admin here at our PC based office (50 desktops) with a Linux
> > fileserver and a G4 gateway server running PO, Apache, NAT
> > etc. sharing our DSL line.
> > 
> > Here are my signs and symptoms:
> > 
> > - possible desktops infected with the Novarg virus
> > - PO stops responding to connections after an undetermined time (connection
> > lost and timeout errors)
> > - mail is 'stuck' in Outlook and Apple mail clients
> > - STMP-Accept processes are stacking up all the time
> > - stopping and restarting PO seems to be one only way to fix it 
> > (temporarily)
> > - attachments seem to aggravate the situation
> > - CPU usage is being used steady (see following MRTG sites):
> > 
> > Primary Mail Server:
> > 
> > http://mrtg.orourke.ca/firewall/
> > 
> > Secondary Mail Server:
> > 
> > http://mrtg.wavefront.ca/freya/
> > 
> > I am running spamassassin and I have FirewalkX firewall on these systems.
> > 
> > This is ugly.  I am not sure where to start.  Can anyone recommend a better
> > firewall solution?  I think this crap should be blocked
> > at the TCP/IP level and should never even see the mail server.
> > 
> > Is there a way to monitor the network and identify rouge systems that are
> > infected?  I did track down one via the pologs (250+ lost
> > connections over the day).
> > 
> > Dan
> > 
> > ---------
> > Tenon Intersystems' Post.Office Mailing List
> > To unsubscribe: send mailto:post_office-request@xxxxxxxxxxxxxxx
> > with the body only containing:
> > unsubscribe
> > Find the searchable mailing list archives at:
> > http://postoffice.computeroil.com/
> 
> ---------
> Tenon Intersystems' Post.Office Mailing List
> To unsubscribe: send mailto:post_office-request@xxxxxxxxxxxxxxx
> with the body only containing: 
> unsubscribe
> Find the searchable mailing list archives at:
> http://postoffice.computeroil.com/
---------
Tenon Intersystems' Post.Office Mailing List
To unsubscribe: send mailto:post_office-request@xxxxxxxxxxxxxxx
with the body only containing: 
unsubscribe
Find the searchable mailing list archives at:
http://postoffice.computeroil.com/