Hello. After trying to run sa-learn on some false positives I had, I discovered (by the method of googling, so the topic certainly has been discussed before) that sa-learn by default ignores any message larger then 250k. Now this limit is easy enough to disable but my question is, why is this default limit there? Won't is skew learning (i.e not all messages will be fed to the filter)? Or will disabling it somehow skew it? Or are there any other implications I should consider?
/David
