Which SARE Rules?

Peter Russell pete at ENITECH.COM.AU
Tue Nov 8 23:49:33 GMT 2005 

    [ The following text is in the "ISO-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Thanks Matt. Like you said, i moved all the cf files out one at a time 
until i found the culprit. I found it was the blacklist and 
blacklist_uri rules sets causing the issues. Lint test is back down to 
less than 8sec.

DNS is a win2k server that is under powered, over loaded and about to be 
decommissioned. But have always had heaps of issues settibng up a cache 
in this network, another time maybe.
Thanks very much
Pete

Matt Kettler wrote:
> Peter Russell wrote:
> 
>>Sorry for replying my pown post.
>>
>>I figured out i need to upgrade my ruledujour it was a little old. I
>>hadd the following rulesets and now, immedietly after doing so sa --lint
>>test take 40sec+ I am using a dual 3ghz/2GB ram machine.
>>
>>TRUSTED_RULESETS="TRIPWIRE SARE_EVILNUMBERS0 SARE_EVILNUMBERS1
>>SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI SARE_BML SARE_OEM SARE_HEADER
>>SARE_HTML0 SARE_RANDOM SARE_REDIRECT_POST300 SARE_FRAUD BOGUSVIRUS
>>SARE_BAYES_POISON_NXM SARE_ADULT SARE_SPOOF SARE_SPECIFIC SARE_UNSUB
>>SARE_URI0 SARE_URI1 SARE_OBFU0 SARE_GENLSUBJ0 SARE_WHITELIST
>>SARE_WHITELIST_RCVD SARE_WHITELIST_SPF ZMI_GERMAN"
>>
>>
>>The worst offenders in the mailwatch lint test results are
>>[22908] dbg: eval: all '*To' addrs:  5.02445
>>[22908] dbg: plugin:
>>Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x98a1f34) implements
>>'finish_parsing_end' 26.05115
>>
>>Any ideas on getting better performance, or is this part of using all
>>these rules? Which woiuld be the best ones to drop to improve perfromance?
>>
> 
> 
> It could be an effect of using all those rules, or it could be an effect of
> really slow DNS.
> 
> Some quick checks:
> 
> compare time spamassassin --lint to time spamassassin -L --lint
> 
> If these are substantially different on the first shot, your problem is likely
> network test related.
> 
> If repeated calls of the -L version are consistently slower than repeated calls
> of the non -L version, you have slow access to a DNS server and should consider
> a local caching DNS on the same box.
> 
> 
> If the two are the same, or close, but consistently high your problem lies in
> static rules. Try removing a few rulesets (note: you have to physically move
> them out of /etc/mail/spamassassin to disable them). I'd suggest looking at the
> size of the rulefiles and picking the largest ones as targets.
> 
> For what it's worth I use the following SARE style rulesets:
> -rw-r--r--    1 root     root        31854 Sep 16 14:40 70_sare_adult.cf
> -rw-r--r--    1 root     root        24246 Sep 16 14:40 70_sare_evilnum0.cf
> -rw-r--r--    1 root     root         1574 Sep 16 14:40 70_sare_evilnum1.cf
> -rw-r--r--    1 root     root        45972 Oct 25 18:20 70_sare_genlsubj0.cf
> -rw-r--r--    1 root     root        51886 Oct 12 21:30 70_sare_obfu0.cf
> -rw-r--r--    1 root     root        17821 Oct 25 18:16 70_sare_random.cf
> -rw-r--r--    1 root     root        70262 Oct 25 18:15 70_sare_specific.cf
> -rw-r--r--    1 root     root        17879 Oct 12 21:33 70_sare_uri0.cf
> -rw-r--r--    1 root     root         1466 Sep 16 14:40 71_sare_adult_rescore.cf
> -rw-r--r--    1 root     root        57580 Sep 16 14:40 99_FVGT_Tripwire.cf
> -rw-r--r--    1 root     root        10231 Sep 16 14:40 99_sare_fraud_post25x.cf
> 
> 
> along with about 15 local rule files, most of which are about 1k, but one is 10k.
> 
> My --lint times are about 8.5 sec.
> 
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> 
> Support MailScanner development - buy the book off the website!
> 
> 
> 

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list