I've been researching what rules get hit on my system. To do that I've
written a small script to pull together a list of all the rules that SA is
using on my system and another to parse my log files to see what rules were
triggered, how often and how long it took to scan the messages.

I used a full month's worth of data. I have 2,827 (give or take a few for
script logic errors) rules that SA checks on each message. For December I
had 256,542 messages that made it through blacklists and then were
evaluated by SA. A total of 1,087 rules were tripped in all of those
messages.

Looking at the list of tripped rules (and how many times it was tripped)
and how long it took to process all of those messages (a total of 569.732
hours) I wondered if I could improve performance by cutting out rules that
were not tripped or only tripped a very small number of times.

What I need guidance on is this...

I see multiple rules with descriptions written in other languages to catch
the same thing as the English one. Are these treated by SA as separate
rules, testing the message against each language?

Before I go setting up scores of zero for rules I think don't need to be
run, am I correct in thinking that setting the score to zero will keep SA
from running the rule? I seem to recall seeing emails on the list that
indicate that but others that say the rule is still run...

Any advice on this would be welcome.

Thanks.


=================================
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 5448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel
My File share:
http://mail.cnc.bc.ca/users/gagel

-------------------------------------------------------------------
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://gateway.cnc.bc.ca
-------------------------------------------------------------------
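
An added example, not part of the original post and not the poster's script: one way to tally per-rule hit counts, total scan time and never-hit rules, assuming the logs contain spamd-style `result:` lines. The sample log lines, the short rule list and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the spamd "result:" line format (an assumption about the
# log source; the original post does not say which log format was parsed).
SAMPLE_LOG = """\
Dec  1 00:00:01 mx spamd[411]: spamd: result: Y 12 - BAYES_99,HTML_MESSAGE,URIBL_BLACK scantime=6.2,size=4312,user=filter,autolearn=no
Dec  1 00:00:09 mx spamd[411]: spamd: result: .  0 - HTML_MESSAGE scantime=2.8,size=1840,user=filter,autolearn=no
Dec  1 00:00:15 mx spamd[412]: spamd: result: . -1 - BAYES_00 scantime=1.5,size=900,user=filter,autolearn=ham
Dec  1 00:00:20 mx spamd[412]: spamd: result: .  0 -  scantime=0.5,size=200,user=filter,autolearn=no
Dec  1 00:00:21 mx spamd[412]: spamd: clean message (0.0/5.0) for filter:1001 in 0.5 seconds, 200 bytes.
"""

# Constructed stand-in for the full list of rules SA has loaded.
KNOWN_RULES = ["BAYES_00", "BAYES_99", "HTML_MESSAGE",
               "URIBL_BLACK", "MISSING_DATE", "RDNS_NONE"]

# verdict, integer score, comma-separated rule names (may be empty), scan time
RESULT_RE = re.compile(
    r"spamd: result: (\S)\s+(-?\d+)\s+-\s+(\S*?)\s*scantime=([\d.]+)")


def summarize(log_text, known_rules):
    """Count hits per rule, sum scan time, and list rules that never fired."""
    hits = Counter()
    messages = 0
    scan_seconds = 0.0
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a per-message result line
        messages += 1
        scan_seconds += float(m.group(4))
        # A message that tripped no rules leaves the rule field empty.
        hits.update(name for name in m.group(3).split(",") if name)
    never_hit = sorted(set(known_rules) - set(hits))
    return {"messages": messages, "scan_seconds": scan_seconds,
            "hits": hits, "never_hit": never_hit}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, KNOWN_RULES)
    print(f"{report['messages']} messages, {report['scan_seconds'] / 3600:.4f} scan hours")
    for rule, count in report["hits"].most_common():
        print(f"{count:8d}  {rule}")
    print("never hit:", ", ".join(report["never_hit"]))
```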
