Anti-Phishing Update -- New data feed
Steve Freegard
steve.freegard at fsl.com
Wed Jun 17 17:01:12 IST 2009
Mark Sapiro wrote:
> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>
>> On 16/06/2009 08:42, Julian Field wrote:
>>> So I want to do
>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>> And then do the meta rule to join them all together.
>>>
>>> Does that sound better to you?
>> I have published an improved, much faster version 2.01 which is available
>> from
>>
>> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>
>> You might well want to upgrade...
>>
>> Jules
>
>
> I have installed the updated script v2.01, which I just downloaded,
> but I see it only makes the 'header' and 'uri' rules for the google
> feed. The residue from the google feed and the new addresses are
> still 'full' rules.
>
> Was this intentional or an oversight?
>
I just got around to trying this - currently this ruleset carries a
heavy penalty:

Without phishing rules

real 0m1.722s
user 0m1.646s
sys 0m0.065s

With phishing rules

real 0m4.283s
user 0m1.703s
sys 0m0.080s

And this is with a very small dummy message.

In addition to removing the 'full' rules, change (match|match|match) to
(?:match|match|match), which is non-capturing and should save a
considerable amount of memory in SA and should reduce these times.

Unless you have under-capacity, this ruleset isn't suitable in its
present guise; it will reduce capacity of an average installation by
about 50%.

Cheers,
Steve.
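
An added example, not part of the original message and not Julian Field's script: a rule generator that applies the two changes discussed above, emitting 'header' and 'uri' rules instead of 'full' rules and wrapping each alternation in (?:...), plus a check that counts capturing groups in a rule line. The sample addresses, the chunk size, the meta rule name PHISH_ADDR and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample feed entries (placeholders, not real phishing addresses).
SAMPLE_ADDRESSES = [
    "claims.dept@example.com",
    "webmail-admin@example.net",
    "lottery+uk@example.org",
    "Claims.Dept@example.com",  # same address, different case
]

# Pulls the pattern out of a 'header NAME HDR =~ /re/flags' or 'uri NAME /re/flags' line.
RULE_RE = re.compile(r"^(?:header\s+\S+\s+\S+\s+=~|uri\s+\S+)\s+/(.*)/[a-z]*$")


def quotemeta(text):
    """Backslash-escape every non-word character, as Perl's quotemeta does."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def build_rules(addresses, chunk_size=2, meta_name="PHISH_ADDR"):
    """Emit header/uri rule pairs with (?:...) groups plus one joining meta rule."""
    # Rules carry /i, so case-folded duplicates only lengthen the alternation.
    unique = sorted({a.strip().lower() for a in addresses if a.strip()})
    lines, names = [], []
    for n, start in enumerate(range(0, len(unique), chunk_size), 1):
        chunk = unique[start:start + chunk_size]
        group = "(?:" + "|".join(quotemeta(a) for a in chunk) + ")"
        lines.append("header PHISH_%dH ALL =~ /%s/i" % (n, group))
        lines.append("uri PHISH_%dB /mailto:%s/i" % (n, group))
        names += ["PHISH_%dH" % n, "PHISH_%dB" % n]
    if names:
        lines.append("meta %s (%s)" % (meta_name, " || ".join(names)))
    return lines


def capturing_groups(rule_line):
    """Count capturing groups in a rule's regex (0 for lines that carry none).

    Uses Python's regex parser as a stand-in for Perl's; fine for the plain
    alternations generated here.
    """
    m = RULE_RE.match(rule_line)
    return re.compile(m.group(1)).groups if m else 0


if __name__ == "__main__":
    for line in build_rules(SAMPLE_ADDRESSES):
        print(line, "# capturing groups:", capturing_groups(line))
```

Running capturing_groups over an existing generated rules file flags any line that still uses (match|match|match).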