On 11.01.2015 at 16:20, Marcin Mirosław wrote:
On 2015-01-11 at 04:49, Reindl Harald wrote:

On 10.01.2015 at 22:07, Marcin Mirosław wrote:
On 2015-01-10 at 15:27, Reindl Harald wrote:

On 10.01.2015 at 15:19, David Flanigan wrote:
Is anyone using the Malware Patrol 3rd party Spamassassin Rules
(https://www.malwarepatrol.net/index.shtml)?

I have downloaded and looked them over and, in concept, they look
pretty good.

However the cf file is over 8.5megs (yes megs) in size. By far the
biggest ruleset I have. I cannot think this would do good things for
performance.

Any experience, comments, etc?

8.5 MB SA rules is crazy

that really belongs to clamav directly after SA because SA eats more
http://sanesecurity.com/usage/signatures/

IMHO clamav needs less CPU power than SA (and needs less time to scan
email) so I think it's better to use clamav before SA

that is true *but* after a few months it turned out that ClamAV doesn't
catch that much mail which was killed by the SA milter after it and so
90% of all messages need to pass both - for the overall system so it
makes more sense to have SA in front

I forgot about one important thing: I'm using unofficial rules for
ClamAV

me too - but that did not change the numbers that sa-milter rejected a lot more mails than clamav-milter before it over a longer time

may also depend on the quality and scoring of bayes, we have 7500 ham and 7500 spam samples - hand-selected - and so a very high scoring while sa-milter rejects starting with 8.0 points, that's all backed by 11 different scored DNSWL, the scoring below is only healthy if you trust your bayes unconditionally!

ifplugin Mail::SpamAssassin::Plugin::Bayes
 score BAYES_00 -3.5
 score BAYES_05 -1.5
 score BAYES_20 -0.5
 score BAYES_40 -0.2
 score BAYES_50 2.5
 score BAYES_60 3.0
 score BAYES_80 5.0
 score BAYES_95 6.5
 score BAYES_99 7.5
 score BAYES_999 0.4
endif

in summary the currently 24 DNSBL with different weights, backed by the 11 DNSWL, subject filters with different severity reach a 99.5% hitrate

your number may vary, the milters / content scanners are facing only 5% of all delivery attempts because the rest is eaten by RBL scoring

[root@mail-gw:~]$ ls /var/lib/clamav/
total 179M
-rw-r--r-- 1 clamupdate clamupdate 8.0K 2014-09-02 12:18 foxhole_all.cdb
-rw-r--r-- 1 clamupdate clamupdate 1.9K 2014-09-19 12:34 foxhole_filename.cdb
-rw-r--r-- 1 clamupdate clamupdate  39K 2014-09-02 12:18 foxhole_generic.cdb
-rw-r--r-- 1 clamupdate clamupdate 357K 2015-01-05 20:55 bytecode.cld
-rw-r--r-- 1 clamupdate clamupdate  80M 2015-01-11 19:25 daily.cld
-rw-r--r-- 1 clamupdate clamupdate  62M 2014-11-30 22:28 main.cvd
-rw-r--r-- 1 clamupdate clamupdate  104 2015-01-11 20:25 mirrors.dat
-rw-r--r-- 1 clamupdate clamupdate 9.8K 2014-09-03 14:31 sanesecurity.ftm
-rw-r--r-- 1 clamupdate clamupdate 77K 2015-01-11 19:48 bofhland_malware_attach.hdb
-rw-r--r-- 1 clamupdate clamupdate 361K 2015-01-11 00:48 crdfam.clamav.hdb
-rw-r--r-- 1 clamupdate clamupdate  19K 2015-01-11 17:52 rogue.hdb
-rw-r--r-- 1 clamupdate clamupdate 1.6K 2014-11-21 15:51 spamattach.hdb
-rw-r--r-- 1 clamupdate clamupdate 1.2K 2014-10-28 17:51 spamimg.hdb
-rw-r--r-- 1 clamupdate clamupdate 74K 2015-01-11 19:45 winnow.attachments.hdb
-rw-r--r-- 1 clamupdate clamupdate 254K 2015-01-11 19:45 winnow_bad_cw.hdb
-rw-r--r-- 1 clamupdate clamupdate 266K 2015-01-11 19:45 winnow_extended_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 213K 2015-01-11 19:45 winnow_malware.hdb
-rw-r--r-- 1 clamupdate clamupdate 9.3K 2014-11-27 09:44 malwarehash.hsb
-rw-r--r-- 1 clamupdate clamupdate 5.7K 2015-01-09 09:01 sigwhitelist.ign2
-rw-r--r-- 1 clamupdate clamupdate  21K 2015-01-06 11:53 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate  93K 2015-01-11 19:52 blurl.ndb
-rw-r--r-- 1 clamupdate clamupdate 2.2M 2015-01-11 19:48 bofhland_cracked_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 4.7K 2015-01-11 19:48 bofhland_malware_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 5.4K 2015-01-11 19:48 bofhland_phishing_URL.ndb
-rw-r--r-- 1 clamupdate clamupdate 5.9M 2015-01-03 16:04 junk.ndb
-rw-r--r-- 1 clamupdate clamupdate 573K 2015-01-11 19:52 jurlbl.ndb
-rw-r--r-- 1 clamupdate clamupdate 229K 2015-01-11 19:52 jurlbla.ndb
-rw-r--r-- 1 clamupdate clamupdate 239K 2014-10-01 11:49 lott.ndb
-rw-r--r-- 1 clamupdate clamupdate 3.6M 2015-01-09 19:14 phish.ndb
-rw-r--r-- 1 clamupdate clamupdate 3.3M 2015-01-11 19:45 phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate 1.8M 2015-01-06 16:51 scam.ndb
-rw-r--r-- 1 clamupdate clamupdate  14M 2015-01-11 19:45 scamnailer.ndb
-rw-r--r-- 1 clamupdate clamupdate 2.0M 2015-01-09 19:12 spear.ndb
-rw-r--r-- 1 clamupdate clamupdate  64K 2015-01-11 19:52 spearl.ndb
-rw-r--r-- 1 clamupdate clamupdate 937K 2015-01-11 19:45 winnow_malware_links.ndb
-rw-r--r-- 1 clamupdate clamupdate 1.1M 2015-01-11 19:45 winnow_phish_complete_url.ndb
-rw-r--r-- 1 clamupdate clamupdate 277K 2015-01-11 19:45 winnow_spam_complete.ndb
