Bowie Bailey wrote:
DAve wrote:
Bowie Bailey wrote:
DAve wrote:
Ed Russell wrote:
2. Once this is in place should I re-activate pyzor, dcc or
razor? Is one better than the other? Are there advantages to
either?
I use neither, though I think I am in the minority. I routinely
check my spam and I have found that bayes, razor, dcc, and most
of the SARE rules catch little if any spam "for me". So I don't
run them and save the CPU for additional spamd processes.
That's odd. Bayes, Razor2, DCC work quite well for me. Check out
my stats from today:
Razor2 caught 83% of the spam, DCC caught 68%, and Bayes got 64%.
They tagged plenty of spam for me, no doubt about that. But they
caught only a few spam that SA wouldn't have caught without them. It
is rare that bayes points on top of existing points ever made the
score squeak over the threshold.
Not using them however, dropped my CPU, network, and memory
requirements so much I could run twice as many spamd processes.
Processing time went from an average of 10 seconds (with all SARE
rules, bayes, DCC, Razor) to 2 seconds (limited SARE, no bayes, no
razor, no dcc).
All the SARE rules loaded makes spamd run about 45-75mb each,
selective SARE rules and I can see spamd drop to 23-35mb. More spamd,
faster spamd.
I guess this is a definite case of 'YMMV'. With Bayes, Razor2, DCC, and
15 SARE rulesets, my average scantime is 2.5 seconds, but each process
is 46M and I usually only have 2 or 3 running of a max of 8 (although
with 1G of ram, I've got plenty of headroom if I need to add more).
I have 26 configured spamds this week, I have enough ram to run 40,
though I hit the wall with the CPUs at that point. I generally have 15
to 25 running all the time, 24x7. Even late at night I can check in with
the server and find only 2 or three spamd processes sleeping. Each is
consuming 30 to 35mb of ram, currently.
The bottom line is that if you have a low to medium mail volume and a
decent server, you can probably turn it all on and not worry too much
about it. If you have a high volume of mail, or a slower server, you
may need to be a bit more picky with your rulesets and features.
My advice is this: Try it with Bayes, Razor2, DCC, and Pyzor. Install
any of the SARE rulesets you think might be useful. Then monitor your
server and see what happens.
You can use the 'top' command to see how much memory is in use and how
much each spamd process is using. You should try to configure things
such that the server never uses swap. If SA goes into swap, your
performance will drop through the floor.
To see your average scantime (assuming that SA is logging to syslog),
you can use this command string (or drop it in a script file):
grep -e 'clean message' -e 'identified spam' /var/log/maillog | perl -ne 'if (/in (\d+\.\d+) seconds/) { $time += $1; $cnt++;} } $avg = $time/$cnt; print "$avg\n"; {'
Note that this command string should be all on one line. Your
mailreader will probably split it...
If everything is working well, you're good.
If you are using too much memory, remove some of the extra rules or
reduce the number of spamd children.
If your scantimes are too slow and the machine is not swapping, then you
should experiment with disabling Bayes, DCC, or Razor or removing rules.
Also, as others have pointed out, a local caching nameserver on your SA
machine can go a long way towards reducing lag from the network tests.
That is a good synopsis of what I went through in determining cost (in
resources) vs benefit with each SA option/plugin/ruleset. I'm sure most
admins have done the same, and it is excellent advice for Ed. I couldn't
have said better myself.
DAve
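
The scantime check discussed in this thread, extended as an added example (not code from either poster or from the SpamAssassin project): it reports count, average, maximum and number of slow scans separately for clean and spam results, and copes with a log that has no matching lines. The function names, the 5-second "slow" threshold and the sample log lines are assumptions; the lines are constructed to follow the "clean message ... in N.N seconds" wording the thread's command greps for.

```shell
#!/bin/sh
# Added example: per-verdict scan time summary for spamd syslog output.
# Assumed line shape (constructed from the strings the thread's command matches):
#   ... spamd[PID]: spamd: clean message (S/T) for user:uid in N.N seconds, B bytes.

scantime_report() {
    # $1 = log file; $2 = "slow" threshold in seconds (hypothetical default: 5)
    awk -v slow="${2:-5}" '
        /clean message|identified spam/ {
            kind = ($0 ~ /identified spam/) ? "spam" : "clean"
            if (match($0, /in [0-9]+(\.[0-9]+)? seconds/)) {
                # skip the leading "in " and the trailing " seconds"
                t = substr($0, RSTART + 3, RLENGTH - 11) + 0
                n[kind]++; sum[kind] += t
                if (t > max[kind]) max[kind] = t
                if (t >= slow) over[kind]++
            }
        }
        END {
            split("clean spam", kinds, " ")
            for (i = 1; i <= 2; i++) {
                k = kinds[i]
                # no matching lines: report zero instead of dividing by zero
                if (n[k] == 0) { printf "%s count=0\n", k; continue }
                printf "%s count=%d avg=%.2f max=%.1f slow=%d\n", k, n[k], sum[k] / n[k], max[k], over[k]
            }
        }' "$1"
}

# Constructed sample lines, not real log data.
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 mx1 spamd[2101]: spamd: clean message (0.3/5.0) for ed:1001 in 2.0 seconds, 3120 bytes.
Mar  3 10:00:04 mx1 spamd[2102]: spamd: identified spam (17.9/5.0) for ed:1001 in 10.5 seconds, 8841 bytes.
Mar  3 10:00:09 mx1 spamd[2101]: spamd: clean message (-1.2/5.0) for dave:1002 in 3.0 seconds, 1502 bytes.
Mar  3 10:00:12 mx1 spamd[2103]: spamd: identified spam (8.4/5.0) for dave:1002 in 2.5 seconds, 4410 bytes.
Mar  3 10:00:13 mx1 spamd[2103]: spamd: connection from localhost [127.0.0.1] at port 40112
EOF
}

log=$(mktemp)
sample_log > "$log"
scantime_report "$log" 5
rm -f "$log"
```

A high maximum or slow count next to a modest average points at occasional stalls rather than uniformly slow scans, which is the case the thread's caching nameserver advice addresses.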