Anti-Phishing Update -- New data feed

Steve Freegard steve.freegard at
Wed Jun 17 17:01:12 IST 2009

Mark Sapiro wrote:
> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>> On 16/06/2009 08:42, Julian Field wrote:
>>> So I want to do
>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>> And then do the meta rule to join them all together.
>>> Does that sound better to you?
>> I have published an improved much faster version 2.01 which is available 
>> from
>> You might well want to upgrade...
>> Jules
> I have installed the updated script v2.01, which I just downloaded,
> but I see it only makes the 'header' and 'uri' rules for the google
> feed. The residue from the google feed and the new addresses are
> still 'full' rules.
> Was this intentional or an oversight?

I just got around to trying this - currently this ruleset carries a
heavy penalty:

Without phishing rules
real	0m1.722s
user	0m1.646s
sys	0m0.065s

With phishing rules
real	0m4.283s
user	0m1.703s
sys	0m0.080s

And this is with a very small dummy message.

In addition to removing the 'full' rules, change (match|match|match) to
(?:match|match|match), which is non-capturing and should save a
considerable amount of memory in SA and should reduce these times.

Unless you have under-capacity, this ruleset isn't suitable in its
present guise; it will reduce capacity of an average installation by
about 50%.
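
Added example, not part of the original message or of the MailScanner script: one way to apply the (match|match) to (?:match|match) change to an already generated rules file. It assumes single-line rules in the /regex/flags form; the rule names and addresses in the sample are constructed, and rules that use a backreference are left untouched because they need the capture.

```python
import re

# Constructed sample rules in the shape quoted in the thread (not real feed data).
SAMPLE_RULES = r"""uri PHISH_1B /mailto:(huge|regexp|here)/i
header PHISH_1H ALL =~ /(alice\(at\)example\.com|bob\@example\.org)/i
uri PHISH_2B /mailto:(?:already|fine)[()]/i
body PHISH_3 /(foo|bar)-\1/
"""

# Assumption: rules use the /regex/flags form on a single line.
RULE = re.compile(
    r"^(\s*(?:header|uri|body|rawbody|full)\s+\S+\s+(?:\S+\s+[=!]~\s+)?/)(.*)(/[a-z]*\s*)$")
# Patterns that refer back to a group need the capture, so they are left alone.
BACKREF = re.compile(r"\\[1-9]|\\[gk]")

def uncapture(pattern):
    """Rewrite plain '(' groups as '(?:'; skip escapes, [classes] and (?...)/(*...)."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # escaped char, e.g. \( or \]
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if in_class:
            in_class = ch != "]"                  # parentheses in a class are literal
        elif ch == "[":
            in_class = True
        elif ch == "(" and pattern[i + 1:i + 2] not in ("?", "*"):
            out.append("(?:")
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)

def rewrite_rules(text):
    """Return the rules text with capturing groups made non-capturing where safe."""
    lines = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m and not BACKREF.search(m.group(2)):
            line = m.group(1) + uncapture(m.group(2)) + m.group(3)
        lines.append(line)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE_RULES), end="")
```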

