Which SARE Rules?
Matt Kettler
mkettler at EVI-INC.COM
Tue Nov 8 23:05:42 GMT 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
Peter Russell wrote:
> Sorry for replying my pown post.
>
> I figured out i need to upgrade my ruledujour it was a little old. I
> hadd the following rulesets and now, immedietly after doing so sa --lint
> test take 40sec+ I am using a dual 3ghz/2GB ram machine.
>
> TRUSTED_RULESETS="TRIPWIRE SARE_EVILNUMBERS0 SARE_EVILNUMBERS1
> SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI SARE_BML SARE_OEM SARE_HEADER
> SARE_HTML0 SARE_RANDOM SARE_REDIRECT_POST300 SARE_FRAUD BOGUSVIRUS
> SARE_BAYES_POISON_NXM SARE_ADULT SARE_SPOOF SARE_SPECIFIC SARE_UNSUB
> SARE_URI0 SARE_URI1 SARE_OBFU0 SARE_GENLSUBJ0 SARE_WHITELIST
> SARE_WHITELIST_RCVD SARE_WHITELIST_SPF ZMI_GERMAN"
>
>
> The worst offenders in the mailwatch lint test results are
> [22908] dbg: eval: all '*To' addrs: 5.02445
> [22908] dbg: plugin:
> Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x98a1f34) implements
> 'finish_parsing_end' 26.05115
>
> Any ideas on getting better performance, or is this part of using all
> these rules? Which woiuld be the best ones to drop to improve perfromance?
>
It could be an effect of using all those rules, or it could be an effect of
really slow DNS.
Some quick checks:
compare time spamassassin --lint to time spamassassin -L --lint
If these are substantially different on the first shot, your problem is likely
network test related.
If repeated calls of the -L version are consistently slower than repeated calls
of the non -L version, you have slow access to a DNS server and should consider
a local caching DNS on the same box.
If the two are the same, or close, but consistently high your problem lies in
static rules. Try removing a few rulesets (note: you have to physically move
them out of /etc/mail/spamassassin to disable them). I'd suggest looking at the
size of the rulefiles and picking the largest ones as targets.
For what it's worth I use the following SARE style rulesets:
-rw-r--r-- 1 root root 31854 Sep 16 14:40 70_sare_adult.cf
-rw-r--r-- 1 root root 24246 Sep 16 14:40 70_sare_evilnum0.cf
-rw-r--r-- 1 root root 1574 Sep 16 14:40 70_sare_evilnum1.cf
-rw-r--r-- 1 root root 45972 Oct 25 18:20 70_sare_genlsubj0.cf
-rw-r--r-- 1 root root 51886 Oct 12 21:30 70_sare_obfu0.cf
-rw-r--r-- 1 root root 17821 Oct 25 18:16 70_sare_random.cf
-rw-r--r-- 1 root root 70262 Oct 25 18:15 70_sare_specific.cf
-rw-r--r-- 1 root root 17879 Oct 12 21:33 70_sare_uri0.cf
-rw-r--r-- 1 root root 1466 Sep 16 14:40 71_sare_adult_rescore.cf
-rw-r--r-- 1 root root 57580 Sep 16 14:40 99_FVGT_Tripwire.cf
-rw-r--r-- 1 root root 10231 Sep 16 14:40 99_sare_fraud_post25x.cf
along with about 15 local rule files, most of which are about 1k, but one is 10k.
My --lint times are about 8.5 sec.
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list