Anti-Phishing Update -- New data feed
ka at pacific.net
Wed Jun 17 22:38:02 IST 2009
Steve Freegard wrote:
> Mark Sapiro wrote:
>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>> On 16/06/2009 08:42, Julian Field wrote:
>>>> So I want to do
>>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>>> And then do the meta rule to join them all together.
>>>> Does that sound better to you?
>>> I have published an improved much faster version 2.01 which is available
>>> You might well want to upgrade...
>> I have installed the updated script v2.01, which I just downloaded,
>> but I see it only makes the 'header' and 'uri' rules for the google
>> feed. The residue from the google feed and the new addresses are
>> still 'full' rules.
>> Was this intentional or an oversight?
> I just got around to trying this - currently this ruleset carries a
> heavy penalty:
> Without phishing rules
> real 0m1.722s
> user 0m1.646s
> sys 0m0.065s
> With phishing rules
> real 0m4.283s
> user 0m1.703s
> sys 0m0.080s
> And this is with a very small dummy message.
> In addition to removing the 'full' rules; change (match|match|match) to
> (?:match|match|match) which is non-capturing and should save a
> considerable amount of memory in SA and should reduce these times.
> Unless you have under-capacity, this ruleset isn't suitable in its
> present guise; it will reduce capacity of an average installation by
> about 50%.
The ?: change helped significantly here. It was not usable, but now is.
MailScanner was causing swapping ;-)
Not sure what to do with the full rules though..
Pacific Internet - http://www.pacific.net
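
The rule shape discussed in this thread (one case-insensitive alternation per 'header' and 'uri' rule, grouped with (?:...) rather than capturing parentheses, then joined by a meta rule), as an added example that is not the MailScanner script or any poster's code. The PHISH_ADDR meta name, the chunking, the quotemeta-style escaping and the sample addresses are assumptions constructed for illustration.

```python
import re

# Constructed sample feed: duplicates, mixed case, a junk line and an
# address containing characters that are special in a rule ('/', '#', '+').
SAMPLE = [
    "Helpdesk@Example.com",
    "helpdesk@example.com ",
    "it+support@mail.example.org",
    "not an address",
    "a/b#c@example.net",
]

def quotemeta(text):
    """Backslash-escape every non-word ASCII character (Perl quotemeta style),
    so '.', '@', '/' (the rule delimiter) and '#' (config comment) are literal."""
    return re.sub(r"[^A-Za-z0-9_]", lambda m: "\\" + m.group(0), text)

def clean(addresses):
    """Lower-case, de-duplicate and drop entries that are not single-'@' ASCII addresses."""
    keep = set()
    for raw in addresses:
        addr = raw.strip().lower()
        if addr.count("@") == 1 and re.fullmatch(r"[!-~]+@[!-~]+", addr):
            keep.add(addr)
    return sorted(keep)

def build_rules(addresses, chunk=500, prefix="PHISH"):
    """Return SpamAssassin rule lines: a header/uri pair per chunk plus one meta rule.
    'chunk' (assumed value) caps the alternatives in any single regexp."""
    addrs = clean(addresses)
    lines, names = [], []
    for n, start in enumerate(range(0, len(addrs), chunk), 1):
        # (?:...) groups the alternation without allocating a capture buffer.
        alt = "(?:" + "|".join(quotemeta(a) for a in addrs[start:start + chunk]) + ")"
        hdr, body = f"{prefix}_{n}H", f"{prefix}_{n}B"
        lines.append(f"header {hdr} ALL =~ /{alt}/i")
        lines.append(f"uri {body} /mailto:{alt}/i")
        names += [hdr, body]
    if names:
        # Hypothetical meta rule name; it fires if any chunk rule matched.
        lines.append(f"meta {prefix}_ADDR ({' || '.join(names)})")
    return lines

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE, chunk=2)))
```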