01-16-2008 06:52 PM
Hello,
I've got 2 C30s + 1 C300 on an ISP network and these are being used for both incoming and outgoing mails.
Recently, we started having performance issues where the workqueue was paused several times daily (reason: paused on antivirus, antispam, etc.). This eventually causes the workqueue to back up to around 10k-20k and the units don't process mails rapidly.
I also noted some viruses (e.g. MyTob) being detected and was wondering whether the IronPort/Sophos engine is not able to scan the messages properly, thus resulting in this huge performance issue.
We also get lots of Sophos timeouts daily. It's set to 120 seconds.
RAM comes up to 60%, even if traffic is not that huge.
Has anyone experienced a similar problem?
Thanks,
Vinesh
01-22-2008 07:26 PM
Very large messages or deeply nested messages can take slightly longer to scan. If the appliance receives a string of large/deeply nested messages, it can cause the workqueue to pause for a few minutes. For an ISP or an enterprise company with high mail volume, a backup of 10-20K messages would not be out of the question under these circumstances.
You can check out the mail logs to determine what size/type of messages is causing the unscannables/timeouts.
01-22-2008 07:32 PM
Hi,
Here's a sample of the mail logs.
I did increase/decrease the antivirus timeouts, but no changes.
It seems that it has difficulty scanning the files.
Thu Nov 29 15:43:39 2007 Info: Start MID 233665168 ICID 702663276
Thu Nov 29 15:43:39 2007 Info: MID 233665168 ICID 702663276 From:
Thu Nov 29 15:43:39 2007 Info: MID 233665168 ICID 702663276 RID 0 To:
Thu Nov 29 15:43:47 2007 Info: MID 233665168 Message-ID '<6d9jas>'
Thu Nov 29 15:43:47 2007 Info: MID 233665168 Subject 'Error'
Thu Nov 29 15:43:47 2007 Info: MID 233665168 ready 64728 bytes from
Thu Nov 29 15:44:49 2007 Warning: MID 233665168: scanning error (name=u'doc.scr', type=executable/exe): viewer bailed out
Thu Nov 29 15:44:49 2007 Info: MID 233665168 matched all recipients for per-recipient policy DEFAULT in the outbound table
Thu Nov 29 15:45:03 2007 Info: MID 233665168 interim AV verdict using Sophos VIRAL
Thu Nov 29 15:45:03 2007 Info: MID 233665168 antivirus positive 'W32/Mytob-C'
Thu Nov 29 15:45:03 2007 Info: Message aborted MID 233665168 Dropped by antivirus
Thu Nov 29 15:45:03 2007 Info: Message finished MID 233665168 done
01-23-2008 09:32 AM
The IronPort seems to be scanning the files just fine - quickly picking up that they are viral.
Maybe check to see if the virus-laden emails are coming internally - if they are - pull the plug on them.
What's your overall message load on those IronPorts? If it's a lot, maybe time to buy more.
If they are coming in from the internet - then let the forum know what SenderBase settings you have. SenderBase is a good way to reduce viruses as the infected hosts have low reputation scores.
01-23-2008 10:35 AM
Hi,
Good points noted out.
I would like to inform you that the logs above are outbound. Meaning, from subscribers going out to Internet.
We don't have SBRS configured on the relaylist for subscribers because lots of subscribers have bad SBRS (as they are on ADSL) and they would be blocked.
We do have some loads on the boxes:
Incoming: approx 270k per hour and 5-5.5 million/day on each box
Outgoing: approx 18-20k per day
Also, what worries me is this part of the log:
Warning: MID 233665168: scanning error (name=u'doc.scr', type=executable/exe): viewer bailed out
This is a scanning error which is perhaps causing the workqueue to pause on antivirus service.
Thanks,
Vinesh
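Added example (not part of the original thread, and not IronPort's own tooling): a small Python parser for mail-log lines in the format quoted above. For each MID it reports the message size, any scanning error, and the seconds between "ready" and the antivirus verdict, which is the check suggested earlier for finding what causes the timeouts. The function names and the 60-second threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Sample lines copied from the mail log quoted in this thread.
SAMPLE_LOG = """\
Thu Nov 29 15:43:39 2007 Info: Start MID 233665168 ICID 702663276
Thu Nov 29 15:43:47 2007 Info: MID 233665168 ready 64728 bytes from
Thu Nov 29 15:44:49 2007 Warning: MID 233665168: scanning error (name=u'doc.scr', type=executable/exe): viewer bailed out
Thu Nov 29 15:45:03 2007 Info: MID 233665168 interim AV verdict using Sophos VIRAL
Thu Nov 29 15:45:03 2007 Info: MID 233665168 antivirus positive 'W32/Mytob-C'
Thu Nov 29 15:45:03 2007 Info: Message finished MID 233665168 done
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (\w+): (.*)$")
MID = re.compile(r"\bMID (\d+)")
READY = re.compile(r"ready (\d+) bytes")
SCAN_ERR = re.compile(r"scanning error \(name=u?'([^']*)', type=([^)]*)\): (.*)")
VERDICT = re.compile(r"antivirus (positive|negative)(?: '([^']*)')?")

def summarize(log_text):
    """Per MID: size, scanning errors, seconds from 'ready' to the AV verdict."""
    msgs = {}
    for raw in log_text.splitlines():
        line, mid = LINE.match(raw), MID.search(raw)
        if not (line and mid):
            continue  # not a per-message log line
        when = datetime.strptime(line.group(1), "%a %b %d %H:%M:%S %Y")
        body = line.group(3)
        rec = msgs.setdefault(mid.group(1), {"bytes": None, "ready": None,
                              "errors": [], "virus": None, "av_seconds": None})
        since_ready = (when - rec["ready"]).total_seconds() if rec["ready"] else None
        if (m := READY.search(body)):
            rec["bytes"], rec["ready"] = int(m.group(1)), when
        elif (m := SCAN_ERR.search(body)):
            rec["errors"].append({"name": m.group(1), "type": m.group(2),
                                  "reason": m.group(3), "after_ready": since_ready})
        elif (m := VERDICT.search(body)):
            rec["virus"], rec["av_seconds"] = m.group(2), since_ready
    return msgs

def slow_or_failed(msgs, threshold=60):
    """MIDs with a scanning error or an AV verdict slower than threshold seconds
    (threshold is an assumed value; tune it to the appliance's AV timeout)."""
    return [mid for mid, r in msgs.items()
            if r["errors"] or (r["av_seconds"] or 0) >= threshold]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for mid in slow_or_failed(report):
        print(mid, report[mid])
```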