>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Sent: Friday, July 08, 2005 12:34 PM
>To: Matthew Newton
>Cc: users@spamassassin.apache.org
>Subject: Re: Regular expression whoops
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Matthew Newton writes:
>> Hi,
>>
>> OK, so I've had a fun (yeah right) week dealing with three mail hubs
>> that are normally quite happy, and suddenly on Monday/Tuesday their load
>> average goes up to 10+ for no apparent reason. Sometimes it looks like
>> it is ClamAV that's the problem, sometimes exim, and sometimes SA. Argh!
>>
>> http://www.le.ac.uk/cc/mcn4/sa-re-whoops/
>>
>> Finally, this morning, after a lot of log searching and trying to trace
>> SA children that have frozen and are eating CPU, I find a single message
>> that triggers the problem. It's just over 100k long, and 99% of it is
>> line feeds.
>>
>> Turns out that my lax use of \s* in four rules really didn't like this
>> new type of message that's been arriving. Because it crashed SA, it
>> never got logged in the exim logs, so incoming mail and spam detected
>> looked "normal"!
>>
>> Everything was fine with these rules until this strange message
>> triggered them. I guess that "*" _really_ isn't good to use (as people
>> have said before), and that if you do use them they will come back to
>> get you later!
>
>Let me guess -- these were "full" rules, too?
>yep, * really isn't a good thing to use. ;)
I know a few ninjas that can back that up! It helps to run test rules with '*' thru a corpus. Gives you an idea of what might be hitting. But you always take that out before releasing rules.

--Chris
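
A lint check for the problem discussed in this thread, added here as an example (it is not code from the thread or from SpamAssassin): it scans rule lines for unbounded quantifiers on whitespace, dot or character classes in `full`, `rawbody` and `body` rules and suggests a bounded form. The sample rules, the names `lint_rules` and `bounded_form`, and the bound of 20 are assumptions.

```python
import re

# Rule types whose regex runs over message text; "full" sees the whole raw message.
RULE_LINE = re.compile(r'^\s*(full|rawbody|body)\s+(\S+)\s+(.*)$')
# \s, an unescaped dot, or a [class], followed by *, + or {n,} (no upper bound).
UNBOUNDED = re.compile(r'(\\s|(?<!\\)\.|\[[^\]]*\])(\*|\+|\{\d+,\})')

def bounded_form(atom, quant, limit=20):
    """Suggest a bounded replacement; limit=20 is an assumed value to tune."""
    if quant == '*':
        low = 0
    elif quant == '+':
        low = 1
    else:                      # "{n,}" keeps its lower bound n
        low = int(quant[1:-2])
    return '%s{%d,%d}' % (atom, low, max(low, limit))

def lint_rules(text):
    """Return (line_no, rule_type, rule_name, found, suggestion) per finding."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue           # comment line
        m = RULE_LINE.match(line)
        if not m:
            continue           # describe, score, etc. carry no regex to check
        rtype, name, pattern = m.groups()
        for q in UNBOUNDED.finditer(pattern):
            atom, quant = q.groups()
            findings.append((no, rtype, name, atom + quant,
                             bounded_form(atom, quant)))
    return findings

# Constructed sample rules, not the rules from the original post.
SAMPLE = r'''
# local test rules
full     LOCAL_LAX_WS    /click\s*here\s*now/i
describe LOCAL_LAX_WS    lax whitespace between words
full     LOCAL_BOUNDED   /click\s{0,20}here\s{0,20}now/i
body     LOCAL_DOTSTAR   /free.*offer/i
'''

if __name__ == '__main__':
    for no, rtype, name, found, fix in lint_rules(SAMPLE):
        print('line %d: %s rule %s uses %s, consider %s'
              % (no, rtype, name, found, fix))
```
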