Anti-Phishing Update -- New data feed
MailScanner at ecs.soton.ac.uk
Thu Jun 18 09:16:35 IST 2009
On 17/06/2009 22:38, Ken A wrote:
> Steve Freegard wrote:
>> Mark Sapiro wrote:
>>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>>> On 16/06/2009 08:42, Julian Field wrote:
>>>>> So I want to do
>>>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>>>> And then do the meta rule to join them all together.
>>>>> Does that sound better to you?
>>>> I have published an improved much faster version 2.01 which is
>>>> available from
>>>> You might well want to upgrade...
>>> I have installed the updated script v2.01, which I just downloaded,
>>> but I see it only makes the 'header' and 'uri' rules for the google
>>> feed. The residue from the google feed and the new addresses are
>>> still 'full' rules.
>>> Was this intentional or an oversight?
>> I just got around to trying this - currently this ruleset carries a
>> heavy penalty:
>> Without phishing rules
>> real 0m1.722s
>> user 0m1.646s
>> sys 0m0.065s
>> With phishing rules
>> real 0m4.283s
>> user 0m1.703s
>> sys 0m0.080s
>> And this is with a very small dummy message.
>> In addition to removing the 'full' rules; change (match|match|match) to
>> (?:match|match|match) which is non-capturing and should save a
>> considerable amount of memory in SA and should reduce these times.
>> Unless you have under-capacity this ruleset isn't suitable in its
>> present guise it will reduce capacity of an average installation by
>> about 50%.
> The ?: change helped significantly here. It was not usable, but now is.
> MailScanner was causing swapping ;-)
> Not sure what to do with the full rules though..
That's good news. Try downloading the script again, I have got rid of
all the "full" rules and added the ?: bit too.
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Need help fixing or optimising your systems?
Need help getting you started solving new requirements from your boss?
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
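A sketch of the rule generation discussed in this thread, added here as an example and not the MailScanner script itself: it turns a list of phishing reply addresses into `header` and `uri` rules built on non-capturing `(?:...)` alternations, split into chunks, and joins them with a `meta` rule. The sample addresses, the `__PHISH_nH` / `__PHISH_nB` / `PHISH_ADDR` names, the chunk size, the score and the OR in the meta rule are assumptions.

```python
import re

# Constructed sample input (not taken from any real feed).
SAMPLE_ADDRESSES = [
    "Victim-Help@example.com",
    "prize.claims@example.net",
    "victim-help@example.com ",   # duplicate after normalisation
    "support@example.org",
]


def perl_quote(text):
    """Backslash every non-word character, as Perl's quotemeta does,
    so '.', '@', '-', '/' and '#' are all matched literally."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def alternation(addresses):
    """Build a non-capturing group: (?:a|b|c) rather than (a|b|c)."""
    return "(?:" + "|".join(perl_quote(a) for a in addresses) + ")"


def build_rules(addresses, chunk_size=2, prefix="PHISH", score="4.0"):
    """Return SpamAssassin rule lines: one header rule and one uri rule
    per chunk of addresses, plus a meta rule that ORs them together.
    No 'full' rules are emitted."""
    unique = sorted({a.strip().lower() for a in addresses if a.strip()})
    lines, subrules = [], []
    for n, start in enumerate(range(0, len(unique), chunk_size), 1):
        group = alternation(unique[start:start + chunk_size])
        hdr, uri = f"__{prefix}_{n}H", f"__{prefix}_{n}B"
        # The '__' prefix marks sub-rules that carry no score of their own.
        lines.append(f"header {hdr} ALL =~ /{group}/i")
        lines.append(f"uri {uri} /mailto:{group}/i")
        subrules += [hdr, uri]
    # Assumption: a hit in either the headers or a mailto: URI is enough.
    lines.append(f"meta {prefix}_ADDR ({' || '.join(subrules)})")
    lines.append(f"score {prefix}_ADDR {score}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_ADDRESSES)))
```

Chunking keeps any single alternation from growing without bound; the chunk size to use in practice depends on the feed size and is worth timing the same way the thread does.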