Problems with Max SpamAssassin Size and MIME_MISSING_BOUNDARY (was Re: message size rule?)

Tue May 18 14:50:36 IST 2004

Hi people,

I just added this info to the faqomatic at:
http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?file=334
along with a patch for SpamAssassin 2.63

El 18 May 2004 a las 9:29, Mariano Absatz escribió:

> Well,
> 
> I never got an answer to this one, so I did it by myself as I could and it 
> works...
> 
> One question remains, if I have to add an eval test, the best way to do it is 
> to just edit EvalTests.pm?
> 
> Wouldn't it be nicer to have a user functions file or directory for that 
> purpose?
> 
> Well, anyway, here it goes, I added this small patch to EvalTests.pm:
> 
> @@ -2920,4 +2920,24 @@
>    0;
>  }
> 
> +sub ale_msg_size {
> +  #use Mail::SpamAssassin::NoMailAudit;
> +  my ($self, $msg, $min, $max) = @_;
> +
> +  use Data::Dumper;
> +
> +  #my $size = length($$msg);
> +  my $size = length($self->{msg}->as_string());
> +
> +  dbg ("ale_msg_size - msg_size: $size - min: $min - max: $max");
> +  #dbg ("MENSAJE: $$msg");
> +
> +  if($max) {
> +    return ($size >= $min and $size < $max);
> +  }
> +  else {
> +    return ($size >= $min);
> +  }
> +}
> +
>  1;
> 
> 
> Now, since I have a configuration in MailScanner that cuts messages at just 
> above 100,000 bytes, I added the following rules to SpamAssassin:
> 
> full __ALE_SIZE_100K_LARGE eval:ale_msg_size('100000')
> describe __ALE_SIZE_100K_LARGE Message size larger than 100K
> tflags __ALE_SIZE_100K_LARGE nice
> 
> meta ALE_COMPENS_MIME_BOUND  (MIME_MISSING_BOUNDARY && __ALE_SIZE_100K_LARGE)
> describe ALE_COMPENS_MIME_BOUND Compensate MIME_MISSING_BOUNDARY
> score ALE_COMPENS_MIME_BOUND  -1.179 -0.803 -0.01 -1.838
> 
> (the scores are the inversed scores for MIME_MISSING_BOUNDARY in 2.63)
> 
> El 14 May 2004 a las 15:29, Mariano Absatz escribió:
> 
> > Hi there,
> > 
> > are there rules to check the size of a message? 
> > 
> > Or can these be easily constructed?
> > 
> > We're using SpamAssassin as a library from within MailScanner. This is called 
> > for every message passing thru a mail server, so, for heavy used servers, 
> > there was an option to not call SA when the message was larger than a 
> > configured size.
> > 
> > After a while, this mechanism changed and now the messages are truncated to 
> > that size before invoking SA.
> > 
> > The problem is that, usually, large messages are MIME multipart and, when you 
> > truncate a MIME multipart message, you will almost surely hit 
> > MIME_MISSING_BOUNDARY since you cut off at least one closing MIME boundary.
> > 
> > Now, I don't want to lower the score for this rule since there's a lot of 
> > spam whose MIME is mangled and this rule is quite good.
> > 
> > What I'd like to do is to have a 'nice' rule to compensate this rule on 
> > messages above a configured size.
> > 
> > If this is not readily possible, I'd like to know where's the correct place 
> > to add custom eval test. You just edit EvalTest.pm?
> > 
> > TIA

--
Mariano Absatz
El Baby
----------------------------------------------------------
I started out with nothing & still have most of it left.

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html