Hello Pham, Tu, Monday, May 10, 2004, 5:28:49 PM, Matt wrote:
MK> At 07:33 PM 5/10/2004, Pham, Tu wrote: >>Does SA performance decrease when the whitelisting list becomes quite large? MK> Yes, but how big the list needs to be before you have problems is highly MK> dependant on your network. MK> Basically *everything* you add to sa decreases it's performance somewhat. MK> In the case of whitelists, the speed of execution is pretty fast, but if MK> you have a *LOT* of them the memory usage alone can crush you. By a *LOT* I believe Matt means a ***LOT***. I have several hundred blacklist entries in my system, and they're not having any significant impact that I can see. My impression is that one for one, a regex rule has a larger impact than a whitelist or a blacklist. >>I'm currently running SA 2.63 on Red Hat 7.2. Tried to install Razor but >>had problems with it because of our firewall but I am considering trying >>it again. MK> If you're having false positive problems, work those out _before_ you add MK> razor. It's counterproductive to add optional features which increase email MK> scores when you're having major problems with false positives. Work on MK> things that *decrease* the score, not things that increase it. I agree completely. Find out what rules/scores are causing your false positives. If it's Bayes, then you need to fix the Bayes database. If it's custom rules, fix or remove them. If it's distribution rules, then consider (carefully) lowering their scores. I found maybe six distribution rules that I had to lower scores on here to avoid false positives. Most of those are directly related to where the ham comes from. Bob Menschel
