Anti-Phishing Update -- New data feed

Ken A ka at pacific.net
Wed Jun 17 22:38:02 IST 2009


Steve Freegard wrote:
> Mark Sapiro wrote:
>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>> On 16/06/2009 08:42, Julian Field wrote:
>>>> So I want to do
>>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>>> And then do the meta rule to join them all together.
>>>>
>>>> Does that sound better to you?
>>> I have published an improved much faster version 2.01 which is available 
>>> from
>>>
>>>     http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>>
>>> You might well want to upgrade...
>>>
>>> Jules
>>
>> I have installed the updated script v2.01, which I just downloaded,
>> but I see it only makes the 'header' and 'uri' rules for the google
>> feed. The residue from the google feed and the new addresses are
>> still 'full' rules.
>>
>> Was this intentional or an oversight?
>>
> 
> I just got around to trying this - currently this ruleset carries a
> heavy penalty:
> 
> Without phishing rules
> real	0m1.722s
> user	0m1.646s
> sys	0m0.065s
> 
> With phishing rules
> real	0m4.283s
> user	0m1.703s
> sys	0m0.080s
> 
> And this is with a very small dummy message.
> 
> In addition to removing the 'full' rules; change (match|match|match) to
> (?:match|match|match) which is non-capturing and should save a
> considerable amount of memory in SA and should reduce these times.
> 
> Unless you have under-capacity this ruleset isn't suitable in its
> present guise it will reduce capacity of an average installation by
> about 50%.
> 
> Cheers,
> Steve.

The ?: change helped significantly here. It was not usable, but now is.
MailScanner was causing swapping ;-)
Not sure what to do with the full rules though..
Thanks,
Ken

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net
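
The rule layout discussed in this thread, as an added example that is not part of the original messages and is not the anti-phishing script itself: a Python generator that turns an address list into `header` and `uri` rules with non-capturing `(?:...)` alternations and joins them with a `meta` rule. The rule names, the `per_rule` chunk size and the sample addresses are assumptions made for this example.

```python
import re

# Constructed sample addresses (not taken from any real feed).
SAMPLE = ["helpdesk.verify@example.com", "webmail+upgrade@example.net",
          "admin/reset@example.org"]

def sa_escape(addr):
    """Backslash-escape every non-word character so '.', '+', '@' and the
    '/' rule delimiter are all matched literally."""
    return re.sub(r"[^A-Za-z0-9_]", lambda m: "\\" + m.group(0), addr)

def build_rules(addresses, per_rule=500, prefix="__PHISH"):
    """Return header and uri sub-rules plus one meta rule joining them.
    Rule names and the per_rule chunk size are assumptions of this example."""
    cleaned = sorted({a.strip().lower() for a in addresses if a.strip()})
    if not cleaned:
        return []
    lines, names = [], []
    for n, start in enumerate(range(0, len(cleaned), per_rule), 1):
        chunk = cleaned[start:start + per_rule]
        # (?:...) groups without capturing; (...) would store a submatch.
        alt = "(?:" + "|".join(sa_escape(a) for a in chunk) + ")"
        hdr, uri = f"{prefix}_{n}H", f"{prefix}_{n}B"
        lines.append(f"header {hdr} ALL =~ /{alt}/i")
        lines.append(f"uri {uri} /mailto:{alt}/i")
        names += [hdr, uri]
    lines.append("meta PHISH_ADDRESS " + " || ".join(names))
    return lines

def pattern_of(rule_line):
    """Extract the regex between the first '/' and the trailing '/i'."""
    return rule_line[rule_line.index("/") + 1:-2]

def capture_groups(rule_line):
    """Number of capturing groups in a generated rule (0 is the goal)."""
    return re.compile(pattern_of(rule_line), re.I).groups

if __name__ == "__main__":
    for line in build_rules(SAMPLE, per_rule=2):
        print(line)
```

The leading `__` on the sub-rule names keeps SpamAssassin from scoring them individually, so only the `meta` rule contributes to the message score.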

