Max SpamAssassin Size problems

Anthony Peacock a.peacock at chime.ucl.ac.uk
Thu Aug 24 08:57:30 IST 2006 

Hi,

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> Kash, Howard (Civ, ARL/CISD) wrote:
>>> Instead of the closest following MIME boundary, how about the closest 
>>> following blank line (or line that only contains whitespace). Would
>> that 
>>> be okay?
>>
>> That sounds like an OK fix for the images.  The plugins don't care about
>> the closing MIME boundary, they just need the full base64 encoding
>> present, which, as far as I know, shouldn't contain any blank lines.
>> The only issue I can think of is if you hit the "Max SpamAssassin Size"
>> limit in the middle of the MIME header.  Then your next blank line would
>> be between the header and the contents and you're left with a header but
>> no contents.  That would probably still trigger a corrupt image rule,
>> but should be pretty rare.
>>
>> SA does have a MIME_MISSING_BOUNDRY rule, but it has a default score of
>> zero in at least the 3.1 releases.
> 
> Sounds survivable. After the limit I will keep going until I hit the 
> first line that only contains white space.
> 
> All done. Will be in the next beta.
> *Please* test this functionality after I release this beta.

I have been watching this discussion with a growing uneasiness.  I could 
be wrong but doesn't this behaviour open up the system to problems with 
huge image files...

I understand that lots of people are concerned about these gif only 
spams, and that a lot of effort is going into creating the SA plugns 
that OCR them, etc (I am on the sa-users list as well :-)), but I think 
this change creates a means to bypass the max size setting, and could 
lead to the very problems that that setting was meant to prevent.

The Max Msg Size setting is there so that we can tune how our systems 
work, preventing them being brought their knees by SA trying to scan 
huge emails.  It feels like the new scheme is saying to the admin, well 
you can set a max msg size but we will ignore that if the msg has an 
image at that point.

By changing the code as you describe there is now nothing to stop a 
malicious sender creating an email with a huge JPG file which then gets 
sent complete to SA, a few raw body rules later SA starts taking forever 
to scan emails.  Receive many of these and the mail server begins to crawl.

Wouldn't it be better to roll the massage back to the starting MIME 
boundary?  This way a broken gif image is not passed to SA so the 
plugins don't complain, but all messages are smaller than the max 
message size set by the admin.

I may misunderstand how this works, so I am waiting to be corrected :-)

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

More information about the MailScanner mailing list