James Lay wrote:
> Hello all!
>
> Soo.....yesterday I decided to get gutsy and use just about all the
> rules from SARE. Here's my rulesdujour config:
>
> TRUSTED_RULESETS="ANTIDRUG

If you have SA 3.0.0 or higher, remove antidrug. These rules are included in SA, and this ruleset is only for users of SA 2.6x and older.

I am the author of antidrug, so I speak with a solid understanding of the ruleset.

At some point I will create antidrug-pre30.cf, antidrug-30.cf and antidrug-31.cf. After I've had that config for at least 6 months, I will replace antidrug.cf with a file that generates a warning for anyone attempting to load it.

> BLACKLIST BLACKLIST_URI

Ditch blacklist and blacklist_uri. Those rulesets are MAJOR memory hogs.

(In general, look at the file size of your .cf files. Anything over 128k is possibly a memory hog, and anything over 256k is quite likely a memory hog. blacklist and blacklist_uri are both over 512k. blacklist is nearly 2mb.)

> BOGUSVIRUS RANDOMVAL
> SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
> SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
> SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
> SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
> SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
> SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
> SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
> SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
> SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
> SARE_WHITELIST TRIPWIRE"
>
> Now here's the output of ps aux:
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 3338 31.6 26.8 287636 277940 ? Ss 07:24 0:39
> /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid
> --socketpath=/home/filter/run/spamd
> filter 3365 19.1 27.1 290940 281204 ? S 07:25 0:14 spamd child
> filter 3366 0.0 26.7 287636 276788 ? S 07:25 0:00 spamd child
>
> Is this normal?

If you're using blacklist, yes..

>
> James
>
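The file-size check suggested in the reply, as an added example that is not part of the original thread: it classifies every .cf file in a rules directory against the 128k and 256k thresholds quoted above and lists the largest first. The function names, the 1024-byte reading of "k" and the directory path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: flag SpamAssassin rule files by size, using the thresholds
# from the reply above (over 128k: possible memory hog; over 256k: likely).
# Assumption: "k" is taken as 1024 bytes.

POSSIBLE_BYTES=$((128 * 1024))
LIKELY_BYTES=$((256 * 1024))

# classify_cf_size BYTES -> prints ok | possible | likely
classify_cf_size() {
    if [ "$1" -gt "$LIKELY_BYTES" ]; then
        echo likely
    elif [ "$1" -gt "$POSSIBLE_BYTES" ]; then
        echo possible
    else
        echo ok
    fi
}

# audit_rules_dir DIR -> one line per .cf file: "<class> <bytes> <name>",
# largest first. Prints nothing if DIR has no .cf files.
audit_rules_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s\n' "$(classify_cf_size "$bytes")" "$bytes" "${f##*/}"
    done | sort -k2,2nr
}

# Usage: sh cf_size_audit.sh /etc/mail/spamassassin   (path is an assumption)
if [ "$#" -gt 0 ]; then
    audit_rules_dir "$1"
fi
```

File size is only the rough indicator the reply describes; the resident size of the spamd processes after a restart shows what removing a ruleset actually saved.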
