Anti-Phishing Update -- New data feed

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jun 18 09:14:27 IST 2009



On 17/06/2009 17:01, Steve Freegard wrote:
> Mark Sapiro wrote:
>    
>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>      
>>> On 16/06/2009 08:42, Julian Field wrote:
>>>        
>>>> So I want to do
>>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>>> And then do the meta rule to join them all together.
>>>>
>>>> Does that sound better to you?
>>>>          
>>> I have published an improved, much faster version 2.01 which is available
>>> from
>>>
>>>      http://www.jules.fm/Logbook/files/anti-phishing-v2.html
>>>
>>> You might well want to upgrade...
>>>
>>> Jules
>>>        
>>
>> I have installed the updated script v2.01, which I just downloaded,
>> but I see it only makes the 'header' and 'uri' rules for the google
>> feed. The residue from the google feed and the new addresses are
>> still 'full' rules.
>>
>> Was this intentional or an oversight?
>>
>>      
> I just got around to trying this - currently this ruleset carries a
> heavy penalty:
>
> Without phishing rules
> real	0m1.722s
> user	0m1.646s
> sys	0m0.065s
>
> With phishing rules
> real	0m4.283s
> user	0m1.703s
> sys	0m0.080s
>
> And this is with a very small dummy message.
>
> In addition to removing the 'full' rules, change (match|match|match) to
> (?:match|match|match) which is non-capturing and should save a
> considerable amount of memory in SA and should reduce these times.
>    
I have made both those changes.
> Unless you have under-capacity this ruleset isn't suitable in its
> present guise; it will reduce capacity of an average installation by
> about 50%.
>
> Cheers,
> Steve.
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
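
An added example, not part of the original message or of Julian Field's script: a small Python generator for the rule layout discussed in this thread, emitting `header` and `uri` rules with non-capturing `(?:...)` alternations and a `meta` rule that joins them. The sample addresses, the `PHISH_FEED` name, the `__` sub-rule prefix, the chunk size and the score are assumptions made for illustration.

```python
import re

# Constructed sample addresses standing in for a phishing-address feed.
SAMPLE_ADDRESSES = [
    "helpdesk.update@example.com",
    "webmail-admin@example.net",
    "account_verify@example.org",
    "it.support+reset@example.com",
]

def sa_quote(text):
    """Backslash-escape every non-word character (like Perl's quotemeta),
    so '.', '+', '@' and the '/' rule delimiter are all matched literally."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)

def alternation(addresses):
    """Join escaped addresses into one non-capturing group."""
    return "(?:" + "|".join(sa_quote(a) for a in addresses) + ")"

def build_rules(addresses, chunk=2, score="4.0"):
    """Return SpamAssassin rule lines: a header and a uri rule per chunk,
    then one meta rule (hypothetical name PHISH_FEED) joining them."""
    uniq = sorted(set(a.lower() for a in addresses))
    if not uniq:
        return []  # an empty feed must not produce an empty meta expression
    lines, subrules = [], []
    for n, i in enumerate(range(0, len(uniq), chunk), start=1):
        alt = alternation(uniq[i:i + chunk])
        # "__" prefix: SpamAssassin sub-rules that carry no score themselves.
        hdr, body = f"__PHISH_{n}H", f"__PHISH_{n}B"
        lines.append(f"header {hdr} ALL =~ /{alt}/i")
        lines.append(f"uri {body} /mailto:{alt}/i")
        subrules += [hdr, body]
    lines.append("meta PHISH_FEED (" + " || ".join(subrules) + ")")
    lines.append("describe PHISH_FEED Address listed in phishing feed")
    lines.append(f"score PHISH_FEED {score}")
    return lines

def extract_pattern(rule_line):
    """Return the regex between the first and last '/' of a rule line."""
    return rule_line[rule_line.index("/") + 1:rule_line.rindex("/")]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_ADDRESSES)))
```

Running the generated file through `spamassassin --lint` before deployment catches any pattern the rule parser rejects.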

