Re: Spamassassin auto-whitelist research

15 Oct 2004 19:40:17 -0000 

Thank you Mark for your checks. 

In fact he is right in the fact that the autowhitelist is kept in memory. 
However, it keeps only the e-mail addres and two numbers for each row so 
assuming for example an average of 50 bytes per e-mail address (quite long) 
and two numbers, even if you had 100.000 entries in your auto-whitelist (it 
means you received e-mails from 100.000 different e-mail addresses) it would 
take round about 6.000.000 bytes ~ 6 MB (probably a bit more). Therefore I 
would say the memory array is not that big :-). I can just say that It has 
been tested in an university with 170.000 entries and it worked fast and 
without problems.

Thank you very much Mark for your check. And thank you very much for some of 
you that already sent me some information.

Best regards,

        DOC

On Friday 15 October 2004 18:44, Matt Kettler wrote:
> At 11:19 AM 10/15/2004, Martin Hepworth wrote:
> >hmm great, perl malware :-)
> >
> >More seriously, anyone checked the code for nasties...
>
> Disclaimer: I'm no perl expert, so treat my analysis that of someone with
> limited experience.
>
> I inspected the code and saw nothing terribly suspicious in my limited
> understanding of perl.
>
> The only thing that's a bit troubling is it seems to parse the entire AWL
> database into a giant memory array named resulthash, and this could exhaust
> memory if your AWL DB is large. I'm not 100% sure that's what happens, but
> it seems it does it that way.
>
> For paranoia, copy your AWL DB to an unprived account and be sure to
> execute it as that non-root user in a shell that has reasonable rlimit's
> set.
>
> The code itself seems quite simple and straightforward.
>
> It first tries to open the database using one of several DB formats.
>
> It then parses the database into a memory array, resulthash.
>
> After that it dumps it out into two files.
> One plaintext where the email address is in plain text format, followed by
> the count and score:
>           [EMAIL PROTECTED] 5 15.0
> The other is a hex-print of the md5 hash of the address, followed by count
> and score:
>          6371166aee1e6da503f6c1e623447952 5 15.0
>
> For privacy, make sure you don't mix the two files up.

-- 
     Daniel Olmedilla
     Learning Lab Lower Saxony (L3S)
     Deutscher Pavillon
     Expo plaza 1
     D - 30539 Hannover

     Phone: +49 (0)511 762.9741 / +49 (0)511 7621.9714
     Fax:     +49 (0)511 762.9779 / +49 (0)511-7621.9712

     http://www.l3s.de/~olmedilla/
     E-Mail: [EMAIL PROTECTED]

Attachment: pgps3X124TMqp.pgp
Description: PGP signature

Reply via email to