Anti-Phishing Update -- New data feed
MailScanner at ecs.soton.ac.uk
Thu Jun 18 09:14:27 IST 2009
On 17/06/2009 17:01, Steve Freegard wrote:
> Mark Sapiro wrote:
>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>> On 16/06/2009 08:42, Julian Field wrote:
>>>> So I want to do
>>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>>> And then do the meta rule to join them all together.
>>>> Does that sound better to you?
>>> I have published an improved much faster version 2.01 which is available
>>> You might well want to upgrade...
>> I have installed the updated script v2.01, which I just downloaded,
>> but I see it only makes the 'header' and 'uri' rules for the google
>> feed. The residue from the google feed and the new addresses are
>> still 'full' rules.
>> Was this intentional or an oversight?
> I just got around to trying this - currently this ruleset carries a
> heavy penalty:
> Without phishing rules
> real 0m1.722s
> user 0m1.646s
> sys 0m0.065s
> With phishing rules
> real 0m4.283s
> user 0m1.703s
> sys 0m0.080s
> And this is with a very small dummy message.
> In addition to removing the 'full' rules; change (match|match|match) to
> (?:match|match|match) which is non-capturing and should save a
> considerable amount of memory in SA and should reduce these times.
I have made both those changes.
> Unless you have under-capacity this ruleset isn't suitable in its
> present guise; it will reduce capacity of an average installation by
> about 50%.
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Need help fixing or optimising your systems?
Need help getting you started solving new requirements from your boss?
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
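Added example, not part of the original message and not the feed script discussed in it: a small generator that turns an address list into the rule shape the thread settles on, with `header` and `uri` rules instead of `full` rules, non-capturing `(?:...)` alternations, and one `meta` rule joining them. The `__` sub-rule prefix, the `PHISH_ADDR` name, the chunk size, the score and the sample addresses are assumptions made for illustration.

```python
import re

def perl_quote(literal):
    # Backslash every non-word character: the address then matches literally,
    # and '@', '#' and the '/' rule delimiter are safe inside the rule line.
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", literal)

def alternation(addresses):
    # (?:a|b|c) groups without capturing, so no submatch is stored per hit;
    # a plain (a|b|c) would allocate a capture for every match.
    return "(?:" + "|".join(perl_quote(a) for a in addresses) + ")"

def build_rules(addresses, chunk=500, prefix="PHISH"):
    """Return SpamAssassin rule lines for a list of phishing reply addresses."""
    addrs = sorted({a.strip().lower() for a in addresses if a.strip()})
    lines, subrules = [], []
    # One header rule and one uri rule per chunk keeps each regexp bounded.
    for n, start in enumerate(range(0, len(addrs), chunk), 1):
        alt = alternation(addrs[start:start + chunk])
        hdr, uri = f"__{prefix}_{n}H", f"__{prefix}_{n}B"
        lines.append(f"header {hdr} ALL =~ /{alt}/i")
        lines.append(f"uri {uri} /mailto:{alt}/i")
        subrules += [hdr, uri]
    if subrules:
        # Only the meta rule scores; the __ sub-rules (assumed naming) do not.
        lines.append(f"meta {prefix}_ADDR ({' || '.join(subrules)})")
        lines.append(f"describe {prefix}_ADDR Known phishing reply address")
        lines.append(f"score {prefix}_ADDR 5.0")  # assumed score
    return lines

# Constructed sample input, not taken from any real feed.
SAMPLE = ["helpdesk@example.com", "Webmaster@Example.org ",
          "admin-team@example.net", "helpdesk@example.com"]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE, chunk=2)))
```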