message size rule?

Mariano Absatz mailscanner at LISTS.COM.AR
Tue May 18 13:29:41 IST 2004


Well,

I never got an answer to this one, so I did it by myself as I could and it 
works...

One question remains, if I have to add an eval test, the best way to do it is 
to just edit EvalTests.pm?

Wouldn't it be nicer to have a user functions file or directory for that 
purpose?

Well, anyway, here it goes, I added this small patch to EvalTests.pm:

@@ -2920,4 +2920,24 @@
   0;
 }

+sub ale_msg_size {
+  #use Mail::SpamAssassin::NoMailAudit;
+  my ($self, $msg, $min, $max) = @_;
+
+  use Data::Dumper;
+
+  #my $size = length($$msg);
+  my $size = length($self->{msg}->as_string());
+
+  dbg ("ale_msg_size - msg_size: $size - min: $min - max: $max");
+  #dbg ("MENSAJE: $$msg");
+
+  if($max) {
+    return ($size >= $min and $size < $max);
+  }
+  else {
+    return ($size >= $min);
+  }
+}
+
 1;


Now, since I have a configuration in MailScanner that cuts messages at just 
above 100,000 bytes, I added the following rules to SpamAssassin:

full __ALE_SIZE_100K_LARGE eval:ale_msg_size('100000')
describe __ALE_SIZE_100K_LARGE Message size larger than 100K
tflags __ALE_SIZE_100K_LARGE nice

meta ALE_COMPENS_MIME_BOUND  (MIME_MISSING_BOUNDARY && __ALE_SIZE_100K_LARGE)
describe ALE_COMPENS_MIME_BOUND Compensate MIME_MISSING_BOUNDARY
score ALE_COMPENS_MIME_BOUND  -1.179 -0.803 -0.01 -1.838

(the scores are the inversed scores for MIME_MISSING_BOUNDARY in 2.63)

El 14 May 2004 a las 15:29, Mariano Absatz escribió:

> Hi there,
> 
> are there rules to check the size of a message? 
> 
> Or can these be easily constructed?
> 
> We're using SpamAssassin as a library from within MailScanner. This is called 
> for every message passing thru a mail server, so, for heavy used servers, 
> there was an option to not call SA when the message was larger than a 
> configured size.
> 
> After a while, this mechanism changed and now the messages are truncated to 
> that size before invoking SA.
> 
> The problem is that, usually, large messages are MIME multipart and, when you 
> truncate a MIME multipart message, you will almost surely hit 
> MIME_MISSING_BOUNDARY since you cut off at least one closing MIME boundary.
> 
> Now, I don't want to lower the score for this rule since there's a lot of 
> spam whose MIME is mangled and this rule is quite good.
> 
> What I'd like to do is to have a 'nice' rule to compensate this rule on 
> messages above a configured size.
> 
> If this is not readily possible, I'd like to know where's the correct place 
> to add custom eval test. You just edit EvalTest.pm?
> 
> TIA

--
Mariano Absatz
El Baby
----------------------------------------------------------
I've never met a human being who would want to read 17,000 pages
of documentation, and if there was, I'd kill him to get him out
of the gene pool.
                   -- Joseph Costello, President of Cadence

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html




More information about the MailScanner mailing list