Re: Phishing.pm

2019-01-22 Thread Bill Cole
[Pulling this conversation back on-list where I can misinform everyone 
publicly]


On 22 Jan 2019, at 5:04, Ian Evans wrote:


On Tue, Jan 22, 2019 at 2:15 AM Bill Cole <sausers-20150...@billmail.scconsult.com> wrote:


[snip]
Note that because the plugin is disabled by default, the default ruleset
distributed via sa-update does not include a rule using the plugin and
so you must define a rule as documented for the plugin to be used at
all.



One thing I'm not clear on:

a) do we need to add this to local.cf:

  ifplugin Mail::SpamAssassin::Plugin::Phishing
    phishing_openphish_feed /etc/mail/spamassassin/openphish-feed.txt
    phishing_phishtank_feed /etc/mail/spamassassin/phishtank-feed.csv
    body URI_PHISHING  eval:check_phishing()
    describe URI_PHISHING  Url match phishing in feed
  endif


Yes. You may want to only use one of the two feeds, put the feed file(s) 
in different places, or name the rule something other than URI_PHISHING, 
but you need to have a body eval rule calling check_phishing() and the 
path to at least one of the feeds specified.


and b) is that sufficient to "define a rule as documented for the
plugin to be used at all."


Yes.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Phishing.pm

2019-01-21 Thread Bill Cole

On 21 Jan 2019, at 13:58, Rick Cooper wrote:


Giovanni Bechis wrote:

On 13 January 2019 21:52:19 CET, Giovanni Bechis wrote:
On 13 January 2019 20:22:40 CET, Ian Evans wrote:

Running 3.4.2, spamd daemon.

Just enabled the new Phishing.pm plugin but wondering about the
data feeds. Is that something we need to set up a cron to wget or
does the plugin handle it? Unless my google fu is weak due to a
lack of caffeine, I couldn't find any doc on setting it up.

Thanks for any advice.


try Mail::SpamAssassin::Plugin::Phishing

 Cheers
Giovanni


man Mail::SpamAssassin::Plugin::Phishing
to be precise.
   Giovanni


Something that isn't answered in the docs is the default score


If you define a rule using the plugin, you must either give it a score 
or it will have the default score of any rule: 1.0.


Note that because the plugin is disabled by default, the default ruleset 
distributed via sa-update does not include a rule using the plugin and 
so you must define a rule as documented for the plugin to be used at 
all.



and I am wondering if SA has to be restarted after each update of the
data or does it reread each time the plugin is called


It seems to me that the data file is re-read for each scan, so no 
restart is needed. Even if I'm misreading, it would be re-read for each 
new spamd child process (or mimedefang worker) so a restart would not be 
*needed* if you can tolerate a delay until children are respawned.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
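
Since the replies in this thread conclude that the feed file is read again on every scan rather than once at daemon start, the job that refreshes it should never leave a half-written or empty file in place. The following is an added example, not part of the thread or of SpamAssassin: it assumes a separate fetch step has already written the new feed to a file, and the function names and the minimum-line threshold are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): validate a fetched feed, then swap it
# in with a same-directory rename so a scan never reads a partial file.
# Function names and the MIN threshold are assumptions of this example.

# Print the number of lines that contain an http(s) URL.
count_urls() {
    grep -Ec 'https?://' "$1" || true   # grep exits 1 on zero matches
}

# install_feed NEW DEST [MIN]: replace DEST with NEW if NEW looks sane.
# Returns 0 on success; returns 1 and leaves DEST untouched otherwise.
install_feed() {
    new=$1; dest=$2; min=${3:-100}
    if [ ! -s "$new" ]; then
        echo "reject: $new is missing or empty" >&2; return 1
    fi
    n=$(count_urls "$new")
    if [ "$n" -lt "$min" ]; then
        echo "reject: $n URL lines, expected at least $min" >&2; return 1
    fi
    # Stage next to DEST: mv within one filesystem is an atomic rename(2).
    tmp=$(mktemp "$(dirname "$dest")/.feed.XXXXXX") || return 1
    if cp "$new" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"; return 1
}

# Constructed demonstration: a good feed installs, a truncated one does not.
demo() {
    d=$(mktemp -d) || return 1
    printf 'http://phish%s.example/login\n' 1 2 3 4 5 > "$d/good.txt"
    printf 'http://phish1.example/login\n' > "$d/truncated.txt"
    install_feed "$d/good.txt" "$d/openphish-feed.txt" 3 || return 1
    install_feed "$d/truncated.txt" "$d/openphish-feed.txt" 3 2>/dev/null && return 1
    count_urls "$d/openphish-feed.txt"   # still the 5-line good feed
    rm -rf "$d"
}
```

A rejected download leaves the previous feed in place, so the rule keeps matching against the last good data until the next successful refresh.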


Re: Phishing.pm

2019-01-21 Thread Noel Butler
On 22/01/2019 09:23, Kris Deugau wrote:

> RW wrote:
>> On Mon, 21 Jan 2019 14:37:38 -0500
>> Kris Deugau wrote:
>>
>>> Rick Cooper wrote:
>>>> and I am
>>>> wondering if SA has to be restarted after each update of the data
>>>> or does it reread each time the plugin is called
>>> Looks like it loads the data into RAM on SA startup/(reload?).
>>
>> It's loaded from check_start() and stored in PerMsgStatus, so it's run
>> per scan.
>
> *digs deeper in SA plugin docs*  So it is.
>
> That's, um...  possibly not great for performance.
>
> The datasets are smaller than I had thought, but repeatedly loading and
> parsing ~3K lines of URL plus whatever else is in the recommended source
> files is still going to impose a modest speed hit.
>
> -kgd

Indeed it has a speed impact, not a very smart implementation of it.

-- 
Kind Regards, 

Noel Butler 


Re: Phishing.pm

2019-01-21 Thread Kris Deugau

RW wrote:

On Mon, 21 Jan 2019 14:37:38 -0500
Kris Deugau wrote:


Rick Cooper wrote:



and I am
wondering if SA has to be restarted after each update of the data
or does it reread each time the plugin is called


Looks like it loads the data into RAM on SA startup/(reload?).


It's loaded from check_start() and stored in PerMsgStatus, so it's run
per scan.


*digs deeper in SA plugin docs*  So it is.

That's, um...  possibly not great for performance.

The datasets are smaller than I had thought, but repeatedly loading and 
parsing ~3K lines of URL plus whatever else is in the recommended source 
files is still going to impose a modest speed hit.


-kgd


Re: Phishing.pm

2019-01-21 Thread RW
On Mon, 21 Jan 2019 14:37:38 -0500
Kris Deugau wrote:

> Rick Cooper wrote:

> > and I am
> > wondering if SA has to be restarted after each update of the data
> > or does it reread each time the plugin is called  
> 
> Looks like it loads the data into RAM on SA startup/(reload?).

It's loaded from check_start() and stored in PerMsgStatus, so it's run
per scan.  


Re: Phishing.pm

2019-01-21 Thread Kris Deugau

Rick Cooper wrote:

Giovanni Bechis wrote:

man Mail::SpamAssassin::Plugin::Phishing
to be precise.
Giovanni


Something that isn't answered in the docs is the default score


There doesn't seem to be one set:

root@tiny:/home/kdeugau# sa-update
root@tiny:/home/kdeugau# grep -R URI_PHISHING /var/lib/spamassassin/3.004002/

root@tiny:/home/kdeugau#

although the default score for any rule without one is 1, unless the 
rule name begins with T_, in which case the default is 0.01.



and I am
wondering if SA has to be restarted after each update of the data or does it
reread each time the plugin is called


Looks like it loads the data into RAM on SA startup/(reload?).

Someone(TM) with some time on their hands could probably trivially 
convert it to use eg a tied hash on a local .cdb file derived from the 
source data, instead of keeping a static copy in RAM.  Or squash it into 
a DNS lookup like a lot of other miscellaneous lookups.


-kgd


RE: Phishing.pm

2019-01-21 Thread Rick Cooper
Giovanni Bechis wrote:
> On 13 January 2019 21:52:19 CET, Giovanni Bechis wrote:
>> On 13 January 2019 20:22:40 CET, Ian Evans wrote:
>>> Running 3.4.2, spamd daemon.
>>> 
>>> Just enabled the new Phishing.pm plugin but wondering about the
>>> data feeds. Is that something we need to set up a cron to wget or
>>> does the plugin handle it? Unless my google fu is weak due to a
>>> lack of caffeine, I couldn't find any doc on setting it up.
>>> 
>>> Thanks for any advice.
>> 
>> try Mail::SpamAssassin::Plugin::Phishing
>> 
>>  Cheers
>> Giovanni
> 
> man Mail::SpamAssassin::Plugin::Phishing
> to be precise.
>Giovanni

Something that isn't answered in the docs is the default score and I am
wondering if SA has to be restarted after each update of the data or does it
reread each time the plugin is called

Rick Cooper



Re: Phishing.pm

2019-01-13 Thread Giovanni Bechis
On 13 January 2019 21:52:19 CET, Giovanni Bechis wrote:
>On 13 January 2019 20:22:40 CET, Ian Evans wrote:
>>Running 3.4.2, spamd daemon.
>>
>>Just enabled the new Phishing.pm plugin but wondering about the data
>>feeds.
>>Is that something we need to set up a cron to wget or does the plugin
>>handle it? Unless my google fu is weak due to a lack of caffeine, I
>>couldn't find any doc on setting it up.
>>
>>Thanks for any advice.
>
>try Mail::SpamAssassin::Plugin::Phishing
>
>  Cheers
> Giovanni

man Mail::SpamAssassin::Plugin::Phishing
to be precise.
   Giovanni


Re: Phishing.pm

2019-01-13 Thread Giovanni Bechis
On 13 January 2019 20:22:40 CET, Ian Evans wrote:
>Running 3.4.2, spamd daemon.
>
>Just enabled the new Phishing.pm plugin but wondering about the data
>feeds.
>Is that something we need to set up a cron to wget or does the plugin
>handle it? Unless my google fu is weak due to a lack of caffeine, I
>couldn't find any doc on setting it up.
>
>Thanks for any advice.

try Mail::SpamAssassin::Plugin::Phishing

  Cheers
 Giovanni


Re: Phishing.pm

2019-01-13 Thread RW
On Sun, 13 Jan 2019 14:22:40 -0500
Ian Evans wrote:

> Running 3.4.2, spamd daemon.
> 
> Just enabled the new Phishing.pm plugin but wondering about the data
> feeds. Is that something we need to set up a cron to wget or does the
> plugin handle it? Unless my google fu is weak due to a lack of
> caffeine, I couldn't find any doc on setting it up.

Try running perldoc on Phishing.pm