Shortcircuit Rules

Hi,

I'm interested in experimenting with shortcircuiting, and wondered if anyone had some examples they're using that they could share? If I understand correctly, the tests involving simple parsing instead of those involving network connections work best due to the inherent overhead with network connections?

Thanks,
Alex
Re: Shortcircuit Rules

Alex wrote:
> Hi,
>
> I'm interested in experimenting with shortcircuiting, and wondered if
> anyone had some examples they're using that they could share?
>

My $0.02

I use a number of shortcircuits, but they are not in SA; they are in sendmail.cf. They are subject line checks. I started this with the Viagra spam, looking at the common permutations of viagra spelling, such as v!agra, etc.

Why not block it at the MTA before it even gets to SA - if you can?

Ted
Re: Shortcircuit Rules

Hi,

> I use a number of shortcircuits but they are not in SA they are
> in sendmail.cf They are subject line checks. I started this
> with the Viagra spam, looking at the common permutations of viagra
> spelling, such as v!agra, etc.
>
> Why not block it at the MTA before it even gets to SA - if you can?

To that end, and although it's not (specifically) SA-related, this is a wonderfully helpful document for postfix UCE:

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

There's also a great collection of additional links at the bottom.

Regards,
Alex
Re: Shortcircuit Rules

We are using it to shortcircuit HAM and prevent blowing CPU cycles on newsletters that people expect to never contain spam. So, there is a 'shortcircuit.cf' that lives in /etc/mail/spamassassin and looks like this:

    loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
    report Content analysis details: (_SCORE_ points, _REQD_ required, s/c _SCTYPE_)

    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit

    # always log shortcircuit status
    add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_"
    # Note: add_header statement should be on one line..., your browser might snap that in two

    # Trusted newsletters
    meta SC_NEWSLETTER (HAM001||HAM002||HAM003)
    priority SC_NEWSLETTER -500
    shortcircuit SC_NEWSLETTER on
    score SC_NEWSLETTER 0.1

    # JADA Newsletter
    header __HAM001_FROM Return-Path =~ /.*nce\.j\.c\@b\.jada\.com/
    header __HAM001_SNDR Received =~ /123\.234\.123\./
    meta HAM001 (__HAM001_FROM && __HAM001_SNDR)
    score HAM001 0.1
    describe HAM001 Newsletter from jadajada

    # YON YetAnotherNewsletter
    header __HAM002_FROM From =~ /.*munication-briefs\@yon\.com/
    header __HAM002_SNDR Received =~ /12\.13\.14\.1/
    meta HAM002 (__HAM002_FROM && __HAM002_SNDR)
    score HAM002 0.1
    describe HAM002 Newsletter from YetAnotherNewsletter

    # MoreNice stuff (debugged)
    header __HAM003_FROM Return-Path =~ /.*\@mail\.morenice\.com|bounce\.j\.c\@.*/
    header __HAM003_SNDR Received =~ /198\.99\.245\./
    meta HAM003 (__HAM003_FROM && __HAM003_SNDR)
    score HAM003 0.1
    describe HAM003 Newsletter delivered by MoreNice stuff

    endif

So, a check on Return-Path, combined with the IP address where it comes from, to reasonably prevent any abuse of the shortcut, and a hit results in no more handling by SA and prevent any further CPU load. Given the nature of 'pushy' newsletter-senders, it prevents CPU spikes when some newsletters come in bulk on the electronic doormat.

Other than shortcircuiting and saving CPU cycles, it also prevents any false positives on the few selected 'special' newsletters here.
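Added example, not part of the post above or of SpamAssassin: a small Python regression harness that replays the post's header patterns against constructed headers, so you can confirm what a ham shortcircuit rule matches before it starts bypassing the rest of the scan. The matching is a simplified emulation of SA's `=~` (an unanchored search per header value); the sample headers and the `TIGHT` variant of HAM002 are assumptions made for illustration.

```python
import re

# Sub-rule patterns copied from the shortcircuit.cf in the post above.
RULES = {
    "HAM001": {"Return-Path": r".*nce\.j\.c\@b\.jada\.com",
               "Received": r"123\.234\.123\."},
    "HAM002": {"From": r".*munication-briefs\@yon\.com",
               "Received": r"12\.13\.14\.1"},
    "HAM003": {"Return-Path": r".*\@mail\.morenice\.com|bounce\.j\.c\@.*",
               "Received": r"198\.99\.245\."},
}

def fired(headers, rules=RULES):
    """Return the HAMxxx metas that hit: every sub-rule must match
    (the '&&' in each meta), using an unanchored search like =~."""
    hits = set()
    for name, subs in rules.items():
        if all(any(re.search(rx, v) for v in headers.get(h, []))
               for h, rx in subs.items()):
            hits.add(name)
    return hits

def shortcircuits(headers, rules=RULES):
    """SC_NEWSLETTER is the OR of the HAMxxx metas."""
    return bool(fired(headers, rules))

# Constructed sample headers (not real mail).
FROM = ["communication-briefs@yon.com"]
GENUINE = {"From": FROM, "Received": [
    "from out.yon.com (out.yon.com [12.13.14.1]) by mx.example.org"]}
OTHER_HOST = {"From": FROM, "Received": [
    "from host.example.net (host.example.net [12.13.14.150]) by mx.example.org"]}
WRONG_NET = {"From": FROM, "Received": [
    "from host.example.net (host.example.net [203.0.113.7]) by mx.example.org"]}

# Hypothetical tightened HAM002, for the case where only the single
# host 12.13.14.1 is meant: match the full bracketed address.
TIGHT = {"HAM002": {"From": RULES["HAM002"]["From"],
                    "Received": r"\[12\.13\.14\.1\]"}}

if __name__ == "__main__":
    for label, msg in [("genuine", GENUINE), ("other host", OTHER_HOST),
                       ("wrong net", WRONG_NET)]:
        print(label, sorted(fired(msg)), sorted(fired(msg, TIGHT)))
```

The page's `12\.13\.14\.1` pattern also hits the constructed 12.13.14.150 header; if that prefix match is intended, keep it, otherwise a bracketed form like the one in `TIGHT` limits it to one address.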
Re: Shortcircuit Rules

On Fri, Oct 30, 2009 at 02:21:10AM -0700, Mynabbler wrote:
>
> Alex-325 wrote:
> > I'm interested in experimenting with shortcircuiting, and wondered if
> > anyone had some examples they're using that they could share?
>
> We are using it to shortcircuit HAM and prevent blowing CPU cycles on
> newsletters that people expect to never contain spam. So, there is a
> 'shortcircuit.cf' that lives in /etc/mail/spamassassin and looks like this:

For the record, if you want to save even more resources, here are some thoughts for even quicker shortcircuiting without DNS queries sent etc.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5930