Anti-Phishing Update -- New data feed

Julian Field MailScanner at
Mon Jun 15 21:25:05 IST 2009

On 15/06/2009 21:02, Steve Freegard wrote:
> Alex Broens wrote:
>>> I need to apply the rules to the entire message body and headers, as
>>> they frequently put the email address just in the body of the message
>>> inside some link or other. So how would creating separate header and
>>> body rules be any better?
>> I'm not savvy enough in Perl&  SA to give you the scientific reason, but
>> its been common practive to avoid full rules if possible.
>> You'd have to ask one of the core SA devs...  maybe Matt Kettler can
>> jump in and tell me I'm totally off and that my understanding is wrong.
> 'full' rules are simply inefficient as IIRC the regexps have to be run
> multiple times across each block of text (IIRC: SA splits into paragraph
> style chunks) to prevent excessive memory use.  They also evaluate all
> other MIME structures e.g. attachments, images etc. as per the docs.
I don't think they include binary attachments, I had to add that 
specifically for the MCP stuff with a patch to the SA code.
> If you are simply looking to get any e-mail addresses out of the message
> body; then a 'uri' rule is far more appropriate e.g.
> uri BLAH  /^mailto:email\@domain\.com$/
> (SA converts all e-mail URIs into mailto: types even those with no scheme).
But surely that wouldn't work when email addresses just appear in the 
text in text/plain bodies, would they?


Julian Field MEng CITP CEng
Buy the MailScanner book at
Follow me at

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key:

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list