Posted to users@spamassassin.apache.org by Shahzad Abid <sh...@ocs.com.pk> on 2008/02/29 07:28:28 UTC

Good rules for SA

Dear List

How do I determine good rules for SA? I am using the following rules.

============================
70_sare_adult.cf             70_sare_html2.cf           
70_sare_uri.cf                 FuzzyOcr.old
70_sare_bayes_poison_nxm.cf  70_sare_html3.cf           
70_sare_uri_eng.cf             FuzzyOcr.pm
70_sare_evilnum0.cf          70_sare_html4.cf           
70_sare_uri_x31.cf             FuzzyOcr.preps
70_sare_evilnum0.cf.sig      70_sare_html.cf            
70_sare_whitelist.cf           FuzzyOcr.scansets
70_sare_evilnum1.cf          70_sare_html_eng.cf        
70_sare_whitelist_pre30.cf     FuzzyOcr.words
70_sare_evilnum2.cf          70_sare_html_x30.cf        
70_sare_whitelist_rcvd.cf      init.pre
70_sare_genlsubj0.cf         70_sare_obfu0.cf           
70_sare_whitelist_spf.cf       INSTALL
70_sare_genlsubj1.cf         70_sare_obfu1.cf           
71_sare_redirect_pre3.0.0.cf   local.cf
70_sare_genlsubj2.cf         70_sare_obfu2.cf           
72_sare_redirect_post3.0.0.cf  Logging.pm
70_sare_genlsubj3.cf         70_sare_obfu3.cf           
88_FVGT_Bayes_Poison.cf        mangled.cf
70_sare_genlsubj4.cf         70_sare_obfu4.cf           
88_FVGT_body.cf                RelayChecker.cf
70_sare_genlsubj.cf          70_sare_obfu.cf            
88_FVGT_headers.cf             RelayChecker.pm
70_sare_genlsubj_eng.cf      70_sare_obfu_x31.cf        
88_FVGT_rawbody.cf             RelayChecker.tar
70_sare_genlsubj_x30.cf      70_sare_oem.cf             
88_FVGT_subject.cf             RelayChecker.txt
70_sare_header0.cf           70_sare_random.cf          
88_FVGT_Tripwire.cf            RulesDuJour
70_sare_header2.cf           70_sare_ratware.cf         
88_FVGT_uri.cf                 sa-update-keys
70_sare_header3.cf           70_sare_specific.cf        
backhair.cf                    spamassassin-default.rc
70_sare_header4.cf           70_sare_specific_rolex.cf  
Botnet-0.6.tar                 spamassassin-helper.sh
70_sare_header.cf            70_sare_spoof.cf           
Botnet.cf                      spamassassin-spamc.rc
70_sare_header_eng.cf        70_sare_stocks.cf          
Botnet.pm                      tripwire.cf
70_sare_header_x264_x30.cf   70_sare_unsub.cf           
Botnet.txt                     v310.pre
70_sare_header_x30.cf        70_sare_uri0.cf            
chickenpox.cf                  v312.pre
70_sare_header_x31.cf        70_sare_uri1.cf            
COPYING                        v320.pre
70_sare_highrisk.cf          70_sare_uri2.cf            
FuzzyOcr                       weeds_2.cf
70_sare_html0.cf             70_sare_uri3.cf            
fuzzyocr-3.5.1-devel.tar.gz    weeds.cf
70_sare_html1.cf             70_sare_uri4.cf            FuzzyOcr.cf
=============================

Please identify which rules are bad?


-- 

Regards,


Shahzad Abid



Re: Good rules for SA

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2008-02-29 at 11:28 +0500, Shahzad Abid wrote:
> Dear List
> 
> How do I determine good rules for SA? I am using the following rules.

[ gigantic output of ls snipped, including lots of cf files, plugins and
a bunch of unrelated non-rules ]

> Please identify which rules are bad?

Pretty much *all* of the third party rules you mentioned are bad, IMHO.
*Unless* you review their respective documentation, rather than throwing
almost anything at your SA you could find...


A few notes and things I spotted glimpsing at the list, why I believe
you missed this important part:

* backhair.cf:  Deprecated since SA 3.0.0, which incorporates most of
  it. See http://wiki.apache.org/spamassassin/CustomRulesets where you
  got it from.
* 7*_sare_redirect:  The note particularly mentions to NOT use both
  rulesets. However, you got both, the pre and post 3.0.0 variant. See
  http://www.rulesemporium.com/rules.htm

Also, you seem to be using RulesDuJour, which AFAIK has not been the
recommended way to update for quite a while. Instead, use sa-update with
SARE.

As a general note, spam is rather different for everyone. You'll have to
decide yourself which ones are good or bad in your particular case.
Monitor the rules, if they even apply to your spam and remove them after
some time of observation, if they aren't worth the additional overhead.
Using too many of them usually tends to have some bad impact.

Besides pulling in every cf file you can get your hands on, there are
quite a few optional, disabled by default rules and plugins shipped with
SA itself, which just need to be properly configured or don't apply to
all environments. Only you can decide to use them. Hint: "language"
specific stuff and features that depend on optional Perl modules. See
the documentation and spamassassin debug output.


If you don't want to or can't identify good and bad rulesets yourself,
you should stick with a vanilla setup. The developers and the QA process
have already made a general decision about "good" rules -- this is what
the SA distribution includes by default.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
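
The monitoring suggested in the reply above (watch whether a ruleset's rules ever hit your mail, and drop the ones that do not earn their overhead) can be scripted. This is an added example, not part of the original thread: it assumes spamd logs its usual "result:" line to syslog, and the EXAMPLE_* rule names and log lines are constructed.

```python
import re
from collections import Counter

# Rule definitions in a .cf file look like "<type> RULE_NAME <pattern...>".
RULE_DEF = re.compile(r"^\s*(?:header|body|rawbody|uri|full|meta)\s+(\w+)\s")
# Assumed spamd syslog format: "spamd: result: Y 12 - RULE_A,RULE_B scantime=..."
RESULT = re.compile(r"spamd: result: [Y.]\s+-?\d+ - (\S*)\s*scantime=")

# Constructed sample data: file names are from the listing in this thread,
# the EXAMPLE_* rule names and the log lines are invented for illustration.
CF_FILES = {
    "70_sare_stocks.cf": "body EXAMPLE_STOCK_A /hot pick/i\nscore EXAMPLE_STOCK_A 1.5\n",
    "70_sare_adult.cf": "header EXAMPLE_ADULT_A Subject =~ /xxx/i\n",
    "backhair.cf": "rawbody EXAMPLE_BACKHAIR_A /<[a-z]{20}>/\n",
}
LOG_LINES = [
    "Feb 29 07:30:01 mx spamd[411]: spamd: result: Y 12 - BAYES_99,EXAMPLE_STOCK_A scantime=2.1,size=3456",
    "Feb 29 07:31:10 mx spamd[411]: spamd: result: . 0 - HTML_MESSAGE scantime=1.4,size=2210",
    "Feb 29 07:33:42 mx spamd[412]: spamd: result: Y 8 - EXAMPLE_ADULT_A,EXAMPLE_STOCK_A scantime=3.0,size=5120",
    "Feb 29 07:34:00 mx spamd[412]: spamd: clean message (0.0/5.0) for user:1000 in 1.4 seconds",
]

def rules_by_file(cf_files):
    """Map each rule name to the ruleset file that defines it."""
    owner = {}
    for fname, text in cf_files.items():
        for line in text.splitlines():
            m = RULE_DEF.match(line)
            if m:
                owner[m.group(1)] = fname
    return owner

def hits_per_file(cf_files, log_lines):
    """Count, per ruleset file, how many scanned messages hit one of its rules."""
    owner = rules_by_file(cf_files)
    hits = Counter({fname: 0 for fname in cf_files})
    for line in log_lines:
        m = RESULT.search(line)
        if not m:
            continue  # not a scan result line
        files = {owner[r] for r in m.group(1).split(",") if r in owner}
        hits.update(files)  # one count per message, however many rules fired
    return hits

def unused_rulesets(cf_files, log_lines):
    """Ruleset files none of whose rules appeared in any logged result."""
    return sorted(f for f, n in hits_per_file(cf_files, log_lines).items() if n == 0)

if __name__ == "__main__":
    print(dict(hits_per_file(CF_FILES, LOG_LINES)), unused_rulesets(CF_FILES, LOG_LINES))
```

Rules from the stock distribution (BAYES_99, HTML_MESSAGE here) are ignored because no third-party file in the sample defines them.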


Re: Good rules for SA

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 29/02/2008 2:07 AM, Shahzad Abid wrote:

> Dear Daryl
> 
> What rule sets are you using?

The ones that come with SpamAssassin and the updates.spamassassin.org
update channel.

Daryl


Re: Good rules for SA

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 29/02/2008 1:28 AM, Shahzad Abid wrote:
> Dear List
> 
> How do I determine good rules for SA? I am using the following rules.

Well, I think you just answered your question about why your
installation of SA is running slow. :)

You need to review the descriptions of the rulesets to see if they're
even intended for (or beneficial to) your version of SA.

See: http://www.rulesemporium.com/rules.htm

Daryl
