> I upgraded from 3.1.0 to 3.1.1 and my delays went from less than 20 to
> 900 to over 1000. Here are my rule sets used by rules du jour and my SA
> config (same as prior to upgrade). I don't see anything that needs to be
> changed, can someone suggest what I am doing wrong?
>
> [ "${TRUSTED_RULESETS}" ] || \
> TRUSTED_RULESETS="TRIPWIRE SARE_EVILNUMBERS0 BLACKLIST ANTIDRUG \
> BLACKLIST_URI BOGUSVIRUS SARE_ADULT \
> SARE_FRAUD SARE_BML SARE_HEADER0 \
> SARE_HTML0 SARE_SPECIFIC SARE_SPOOF SARE_REDIRECT_POST300 \
> SARE_GENLSUBJ SARE_UNSUB \
> SARE_URI0 SARE_URI1 SARE_URI3 SARE_RANDOM SARE_BAYES_POISON_NXM \
> SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2";
>
> SA config:
> rewrite_header Subject *****SPAM*****
> lock_method flock
> ok_languages en es fr it da de el ga gd ko nl no ru zh.big5
> report_safe 1
> trusted_networks 10/8 127/8 208.38.145.0/27 208.38.145.32/27 216.139.202.0/27
> use_bayes 1
> bayes_path /var/amavis/.spamassassin/bayes
> skip_rbl_checks 1
> dns_available yes
> score RAZOR2_CHECK 2.500
> score BAYES_99 4.300
> score BAYES_80 3.000
> <snip whitelists>
> uri GEOCITIES /^http:\/\/[a-z0-9-]{1,30}\.geocities\.com\b/i
> describe GEOCITIES High amounts of spam from Geocities.
> score GEOCITIES 6.01
> uri GEOCITIES_YAHOO /^http:\/\/(?:www\.)?geocities\.yahoo\.com\.br\b/i
> describe GEOCITIES_YAHOO High amounts of spam from Geocities.
> score GEOCITIES_YAHOO 6.01
> header __SOBER_P_MSGID Message-ID =~ /<[0-9a-f\.]{15,22}\@/
> header __SOBER_P_CTYPE Content-Type =~ /text\/plain.*charset=\"us-ascii\"/
> header __SOBER_P_PRIO X-Priority =~ /^3 /
> header __SOBER_P_IMP Importance =~ /^Normal/
>
> meta SOBER_P_SPAM (__SOBER_P_MSGID && __SOBER_P_CTYPE && __SOBER_P_PRIO && __SOBER_P_IMP )
> score SOBER_P_SPAM 18.0
> describe SOBER_P_SPAM Rassistische Mail Sober-P
>
> In addition to the config above, I also have the ruleset to catch German
> sober virus spam bounces, which has probably 20 different body, header,
> meta, score and describe entries.

Running a single message through SA with the -D option would probably show you where the delay is.

Unless you've disabled the URIDNSBL plugin, I'd add RBL_TIMEOUT 5 to your config, as the RBL timeout value is used for other DNS-type lookups, not just RBL checks that you're skipping. 5 seconds may or may not be too short for your environment -- something you'll have to evaluate on your own.

Bret