Which SA rule set considered "Best Practice"?

Matt Kettler mkettler at EVI-INC.COM
Sat Feb 21 00:10:40 GMT 2004

At 06:37 PM 2/20/2004, Michael St. Laurent wrote:
>We're still getting more spam slipping through than I would like and was
>wondering which of the additional rule sets are recommended.  I've installed
>the fetch scripts for both the bigevil and backhair rule sets so far.
>Suggestions please?

Disclaimer of bias: I'm one of the add-on ruleset writers... I wrote

Personally I think your best bet prior to using add on rulesets is to get
all of the features of the default SA system working well.

         1) Enable DNSBLs by installing Net::DNS.

         2) Enable bayes by feeding sa-learn.. Feed it well, and feed it
often. Mine gets fed a diet of about 100 fresh spams/day and about 20
nonspams/day. A good regimen of feeding bayes with input from spamtraps
and such is very helpful.

         3) Consider installing DCC.. DCC works pretty well and is pretty
lightweight. Razor is more accurate, but seems prone to more network timeouts.

As for add-on rules, I don't use that many, despite being an add-on set writer.

"Best practice" would be to be very cautious when using them, and test
them out with very low scores to start.

If you want to know what I'm using:

Obviously I use my own antidrug.cf, but that's mostly done as a giant rude
gesture in the direction of the pill spammers who have been so aggressive
lately. I also use a pair of rules which is a collapsed version of Jen's

         describe LOCAL_POPCORN  1-5 letters - hidden tag - 1-7 letters
         rawbody     LOCAL_POPCORN  /[>\s]\w{1,5}<\![^>]*>\w{1,7}\W/i

         describe LOCAL_POPCORN2  1-5 letters - hidden tag - 1-7 letters
         rawbody     LOCAL_POPCORN2  /[>\s]\w{1,5}<\/\w{2,10}>\w{1,7}\b/i

I also find this useful:
         body LOCAL_MEDS /\bmed[sz]\b/i

and this:

And that's about it.. other than a bunch of goofball test rules floating
around. I've also been playing with the FVGT_s_OBFU_* rules.

The SA wiki has a pretty comprehensive list of the add-on sets if you need
a list of them. Just remember, when in doubt, test with low scores!
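As an added illustration (not code from the post or from SpamAssassin), here is a small Python harness that ports the two rawbody rules and the LOCAL_MEDS body rule quoted above, runs them over constructed sample bodies, and applies the low trial scores the post recommends; the tag-stripping helper is an assumption standing in for SpamAssassin's rendered body text.

```python
import re

# rawbody rules see the raw HTML; body rules see the text with tags removed.
# Patterns copied from the message; Perl syntax here is valid for Python re.
RAWBODY_RULES = {
    "LOCAL_POPCORN":  re.compile(r"[>\s]\w{1,5}<\![^>]*>\w{1,7}\W", re.I),
    "LOCAL_POPCORN2": re.compile(r"[>\s]\w{1,5}<\/\w{2,10}>\w{1,7}\b", re.I),
}
BODY_RULES = {
    "LOCAL_MEDS": re.compile(r"\bmed[sz]\b", re.I),
}
# Low trial scores, as the post recommends when first enabling add-on rules.
TRIAL_SCORES = {"LOCAL_POPCORN": 0.1, "LOCAL_POPCORN2": 0.1, "LOCAL_MEDS": 0.1}

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(raw: str) -> str:
    """Assumed crude stand-in for SpamAssassin's rendered 'body' text."""
    return TAG_RE.sub("", raw)


def matched_rules(raw: str) -> list[str]:
    """Return the names of the rules that fire on one message body."""
    hits = [name for name, rx in RAWBODY_RULES.items() if rx.search(raw)]
    text = strip_tags(raw)
    hits += [name for name, rx in BODY_RULES.items() if rx.search(text)]
    return hits


def score(raw: str, scores=TRIAL_SCORES) -> float:
    """Sum the trial scores of every rule that fired."""
    return round(sum(scores[name] for name in matched_rules(raw)), 2)


# Constructed sample bodies (not real mail).
SPAM_COMMENT_SPLIT = "<p>Buy vi<!-- x -->agra now</p>"        # word split by a comment
SPAM_TAG_SPLIT = "<p>cheap <span>me</span>dz online</p>"     # word split by a closing tag
HAM_PLAIN = "<p>Hi team,<br>the meeting <em>notes</em> are attached.</p>"
HAM_FALSE_POSITIVE = "<p>See <strong>FAQ</strong>s for details</p>"  # legit inline markup

if __name__ == "__main__":
    for label, body in [("spam1", SPAM_COMMENT_SPLIT), ("spam2", SPAM_TAG_SPLIT),
                        ("ham", HAM_PLAIN), ("ham-fp", HAM_FALSE_POSITIVE)]:
        print(label, matched_rules(body), score(body))
```

The last sample shows why the low-score advice matters: a plural wrapped around a closing tag trips LOCAL_POPCORN2 on legitimate mail, and at 0.1 that costs nothing while you gather match statistics.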


More information about the MailScanner mailing list