Anti-Phishing Update -- New data feed

Julian Field MailScanner at
Thu Jun 18 09:16:35 IST 2009

On 17/06/2009 22:38, Ken A wrote:
> Steve Freegard wrote:
>> Mark Sapiro wrote:
>>> On Tue, Jun 16, 2009 at 10:32:45AM +0100, Julian Field wrote:
>>>> On 16/06/2009 08:42, Julian Field wrote:
>>>>> So I want to do
>>>>> header PHISH_1H ALL =~ /huge|regexp|here/i
>>>>> uri PHISH_1B /mailto:(huge|regexp|here)/i
>>>>> And then do the meta rule to join them all together.
>>>>> Does that sound better to you?
>>>> I have published an improved much faster version 2.01 which is 
>>>> available from
>>>> You might well want to upgrade...
>>>> Jules
>>> I have installed the updated script v2.01, which I just downloaded,
>>> but I see it only makes the 'header' and 'uri' rules for the google
>>> feed. The residue from the google feed and the new addresses are
>>> still 'full' rules.
>>> Was this intentional or an oversight?
>> I just got around to trying this - currently this ruleset carries a
>> heavy penalty:
>> Without phishing rules
>> real    0m1.722s
>> user    0m1.646s
>> sys    0m0.065s
>> With phishing rules
>> real    0m4.283s
>> user    0m1.703s
>> sys    0m0.080s
>> And this is with a very small dummy message.
>> In addition to removing the 'full' rules; change (match|match|match) to
>> (?:match|match|match) which is non-capturing and should save a
>> considerable amount of memory in SA and should reduce these times.
>> Unless you have under-capacity, this ruleset isn't suitable in its
>> present guise; it will reduce capacity of an average installation by
>> about 50%.
>> Cheers,
>> Steve.
> The ?: change helped significantly here. It was not usable, but now is.
> MailScanner was causing swapping ;-)
> Not sure what to do with the full rules though..
That's good news. Try downloading the script again, I have got rid of 
all the "full" rules and added the ?: bit too.


Julian Field MEng CITP CEng

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
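The rule layout discussed in this thread, as an added example that is not Julian's script or any code from the list: it turns an address list into `header` and `uri` rules with non-capturing `(?:...)` alternations and joins them with a `meta` rule. The sample addresses are constructed, and the chunk size, the `PHISH_ANY` name and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample addresses (not taken from any real feed).
SAMPLE_ADDRESSES = [
    "helpdesk.upgrade@example.com",
    "webmail-admin@example.net",
    "account+verify@example.org",
]


def quotemeta(text):
    """Backslash-escape every non-word character, like Perl's quotemeta.

    This covers '.', '+', '/', '#' and '@', all of which would otherwise
    change the meaning of the rule line or of the Perl regexp inside it.
    """
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", text)


def alternation(addresses):
    """Join escaped addresses into a single non-capturing group."""
    return "(?:" + "|".join(quotemeta(a) for a in addresses) + ")"


def build_rules(addresses, chunk=2):
    """Return SpamAssassin rule lines for the given addresses.

    Each chunk of addresses gets one 'header' rule and one 'uri' rule
    (no 'full' rules), and a final 'meta' rule ORs them together.
    The chunk size and the PHISH_ANY name are hypothetical.
    """
    addrs = sorted({a.lower() for a in addresses})
    lines, names = [], []
    for n, start in enumerate(range(0, len(addrs), chunk), start=1):
        alt = alternation(addrs[start:start + chunk])
        lines.append(f"header PHISH_{n}H ALL =~ /{alt}/i")
        lines.append(f"uri PHISH_{n}B /mailto:{alt}/i")
        names += [f"PHISH_{n}H", f"PHISH_{n}B"]
    lines.append("meta PHISH_ANY (" + " || ".join(names) + ")")
    return lines


if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_ADDRESSES)))
```
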