Anti-Phishing Update -- New data feed
steve.freegard at fsl.com
Wed Jun 17 17:01:12 IST 2009
Mark Sapiro wrote:
> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>> On 16/06/2009 08:42, Julian Field wrote:
>>> So I want to do
>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>> And then do the meta rule to join them altogether.
>>> Does that sound better to you?
>> I have published an improved much faster version 2.01 which is available
>> You might well want to upgrade...
> I have installed the updated script v2.01, which I just downloaded,
> but I see it only makes the 'header' and 'uri' rules for the google
> feed. The residue from the google feed and the new addresses are
> still 'full' rules.
> Was this intentional or an oversight?
I just got around to trying this - currently this ruleset carries a
Without phishing rules
With phishing rules
And this is with a very small dummy message.
In addition to removing the 'full' rules; change (match|match|match) to
(?:match|match|match) which is non-capturing and should save a
considerable amount of memory in SA and should reduce these times.
Unless you have under-capacity this ruleset isn't suitable in it's
present guise it will reduce capacity of an average installation by
More information about the MailScanner