Which SARE Rules?

Matt Kettler mkettler at EVI-INC.COM
Tue Nov 8 23:05:42 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Peter Russell wrote:
> Sorry for replying my pown post.
> 
> I figured out i need to upgrade my ruledujour it was a little old. I
> hadd the following rulesets and now, immedietly after doing so sa --lint
> test take 40sec+ I am using a dual 3ghz/2GB ram machine.
> 
> TRUSTED_RULESETS="TRIPWIRE SARE_EVILNUMBERS0 SARE_EVILNUMBERS1
> SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI SARE_BML SARE_OEM SARE_HEADER
> SARE_HTML0 SARE_RANDOM SARE_REDIRECT_POST300 SARE_FRAUD BOGUSVIRUS
> SARE_BAYES_POISON_NXM SARE_ADULT SARE_SPOOF SARE_SPECIFIC SARE_UNSUB
> SARE_URI0 SARE_URI1 SARE_OBFU0 SARE_GENLSUBJ0 SARE_WHITELIST
> SARE_WHITELIST_RCVD SARE_WHITELIST_SPF ZMI_GERMAN"
> 
> 
> The worst offenders in the mailwatch lint test results are
> [22908] dbg: eval: all '*To' addrs:  5.02445
> [22908] dbg: plugin:
> Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x98a1f34) implements
> 'finish_parsing_end' 26.05115
> 
> Any ideas on getting better performance, or is this part of using all
> these rules? Which woiuld be the best ones to drop to improve perfromance?
> 

It could be an effect of using all those rules, or it could be an effect of
really slow DNS.

Some quick checks:

compare time spamassassin --lint to time spamassassin -L --lint

If these are substantially different on the first shot, your problem is likely
network test related.

If repeated calls of the -L version are consistently slower than repeated calls
of the non -L version, you have slow access to a DNS server and should consider
a local caching DNS on the same box.


If the two are the same, or close, but consistently high your problem lies in
static rules. Try removing a few rulesets (note: you have to physically move
them out of /etc/mail/spamassassin to disable them). I'd suggest looking at the
size of the rulefiles and picking the largest ones as targets.

For what it's worth I use the following SARE style rulesets:
-rw-r--r--    1 root     root        31854 Sep 16 14:40 70_sare_adult.cf
-rw-r--r--    1 root     root        24246 Sep 16 14:40 70_sare_evilnum0.cf
-rw-r--r--    1 root     root         1574 Sep 16 14:40 70_sare_evilnum1.cf
-rw-r--r--    1 root     root        45972 Oct 25 18:20 70_sare_genlsubj0.cf
-rw-r--r--    1 root     root        51886 Oct 12 21:30 70_sare_obfu0.cf
-rw-r--r--    1 root     root        17821 Oct 25 18:16 70_sare_random.cf
-rw-r--r--    1 root     root        70262 Oct 25 18:15 70_sare_specific.cf
-rw-r--r--    1 root     root        17879 Oct 12 21:33 70_sare_uri0.cf
-rw-r--r--    1 root     root         1466 Sep 16 14:40 71_sare_adult_rescore.cf
-rw-r--r--    1 root     root        57580 Sep 16 14:40 99_FVGT_Tripwire.cf
-rw-r--r--    1 root     root        10231 Sep 16 14:40 99_sare_fraud_post25x.cf


along with about 15 local rule files, most of which are about 1k, but one is 10k.

My --lint times are about 8.5 sec.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list