shortcircuit

[Brent Clark <br...@gmail.com>]

Hiya

I would like to know, what are the implications of using / enabling 
shortcircuit.

Other than speeding up the scan processing, from my side, I cant see a 
downgrade in spam detection.

Kind Regards
Brent Clark

Re: shortcircuit

[Henrik K <he...@hege.li>]

On Fri, Oct 24, 2008 at 11:35:20AM +0200, Matus UHLAR - fantomas wrote:
> 
> it ALL depends on
> - how much of trusted hosts you have and how much %spam are they relaying
> - how much is your CPU/memory/network loaded with spam scanning
> 
> You provided reasons why to do shortcircuit, I provided reasons why not
> to...

You provided a single reason ("you might get spam"), which was not very
insightful.

If some ALL_TRUSTED is sending lot of %spam, then your setup is faulty.
Remove such bad hosts. It's not a reason not to use SC.

By whitelisting (with SC), I want to make SURE I don't get any FPs from
there. The possibility of FNs is much less serious.

Of course you could skip SA completely, but it would require coding
equivalent of all_trusted, whitelist_from_spf/dkim to somewhere else.

Re: shortcircuit

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

> > On 23.10.08 20:05, Henrik K wrote:
> > > I shortcircuit:
> > > 
> > >  USER_IN_SPF_WHITELIST
> > >  USER_IN_DKIM_WHITELIST
> > >  USER_IN_WHITELIST
> > > 
> > >  Why bother scanning?

iof course, but why bother scanning at all?

> On Fri, Oct 24, 2008 at 10:18:29AM +0200, Matus UHLAR - fantomas wrote:
> > because his computer may be infectedby some spam sending malware?

On 24.10.08 11:51, Henrik K wrote:
> And this 1/1000 chance makes one bother wasting time on SA? Not me.

> > trusted hosts may relay spam...

> Good luck to your paranoid world, I rather live in the real one. :)
> 
> Somehow some people think that having few FNs is the end of the world. It
> doesn't make sense to multiply your resource usage to increase hit ratio
> by 1%.

it ALL depends on
- how much of trusted hosts you have and how much %spam are they relaying
- how much is your CPU/memory/network loaded with spam scanning

You provided reasons why to do shortcircuit, I provided reasons why not
to...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.

Re: shortcircuit

[Henrik K <he...@hege.li>]

On Fri, Oct 24, 2008 at 10:18:29AM +0200, Matus UHLAR - fantomas wrote:
> 
> On 23.10.08 20:05, Henrik K wrote:
> > Lets get some facts straight.
> > 
> > If you are not certain what you are shortcicuiting, don't do it. But you
> > don't need to have performance issues to do it! I like to save resources for
> > a bad day (spam flood?).
> > 
> > I shortcircuit:
> > 
> >  USER_IN_SPF_WHITELIST
> >  USER_IN_DKIM_WHITELIST
> >  USER_IN_WHITELIST
> > 
> >  Why bother scanning?
> 
> because his computer may be infectedby some spam sending malware?

And this 1/1000 chance makes one bother wasting time on SA? Not me.

Remember that there is also ClamAV/Sanesecurity et al.

> > Also:
> > 
> >  ALL_TRUSTED
> 
> trusted hosts may relay spam...

Good luck to your paranoid world, I rather live in the real one. :)

Somehow some people think that having few FNs is the end of the world. It
doesn't make sense to multiply your resource usage to increase hit ratio
by 1%.

Re: shortcircuit

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

> > Brent Clark a écrit :
> > > I would like to know, what are the implications of using / enabling
> > > shortcircuit.
> > > 
> > > Other than speeding up the scan processing, from my side, I cant see a
> > > downgrade in spam detection.

On 23.10.08 20:05, Henrik K wrote:
> Lets get some facts straight.
> 
> If you are not certain what you are shortcicuiting, don't do it. But you
> don't need to have performance issues to do it! I like to save resources for
> a bad day (spam flood?).
> 
> I shortcircuit:
> 
>  USER_IN_SPF_WHITELIST
>  USER_IN_DKIM_WHITELIST
>  USER_IN_WHITELIST
> 
>  Why bother scanning?

because his computer may be infectedby some spam sending malware?

> Also:
> 
>  ALL_TRUSTED

trusted hosts may relay spam...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: shortcircuit

[Henrik K <he...@hege.li>]

On Thu, Oct 23, 2008 at 03:15:33PM +0200, mouss wrote:
> Brent Clark a écrit :
> > Hiya
> > 
> > I would like to know, what are the implications of using / enabling
> > shortcircuit.
> > 
> > Other than speeding up the scan processing, from my side, I cant see a
> > downgrade in spam detection.
> > 
> 
> if you don't have performance issues, don't shortcircuit. The more you
> check, the better.

Lets get some facts straight.

If you are not certain what you are shortcicuiting, don't do it. But you
don't need to have performance issues to do it! I like to save resources for
a bad day (spam flood?).

I shortcircuit:

 USER_IN_SPF_WHITELIST
 USER_IN_DKIM_WHITELIST
 USER_IN_WHITELIST

 Why bother scanning?

Also:

 ALL_TRUSTED

 I have extensive list of trusted_networks for whitelisting purposes. How
 can you whitelist people if they send through a large ISP smarthost etc and
 they are not using DKIM? Not with whitelist_from_rcvd/spf. Well ok, you
 can, but there is a small chance of spoofing. But why risk anyway, since
 this does the job efficiently. Hits 13% of all traffic.

My magic rule:

 (BAYES_00 && RELAY_FI && !ANY_BOUNCE_MESSAGE)

 Bayes works extraordinary well, since most my ham is in Finnish, and spam
 in English.. together with relay from Finland (very small source of spam)
 it skips almost 40% of my traffic! (BAYES_00 alone is about 50%)

There is no point checking known good traffic. If you can identify such
rules, good for you. I really don't care if there are very few non-serious
FNs. ClamAV/Sanesecurity will catch most anyway.

Re: shortcircuit

[mouss <mo...@netoyen.net>]

Brent Clark a écrit :
> Hiya
> 
> I would like to know, what are the implications of using / enabling
> shortcircuit.
> 
> Other than speeding up the scan processing, from my side, I cant see a
> downgrade in spam detection.
> 

if you don't have performance issues, don't shortcircuit. The more you
check, the better.

Re: shortcircuit

[Kai Schaetzl <ma...@conactive.com>]

Brent Clark wrote on Thu, 23 Oct 2008 10:43:32 +0200:

> I cant see a 
> downgrade in spam detection.

you *may* see an "upgrade" in FPs.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: shortcircuit

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

On 23.10.08 10:43, Brent Clark wrote:
> I would like to know, what are the implications of using / enabling 
> shortcircuit.
> 
> Other than speeding up the scan processing, from my side, I cant see a 
> downgrade in spam detection.

important rules may not be applied thus you can have FPs and FNs if you
shortcircuit on wrong rules..

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease