Max SpamAssassin Size problems
Anthony Peacock
a.peacock at chime.ucl.ac.uk
Thu Aug 24 17:06:23 IST 2006
Hi,
Kash, Howard (Civ, ARL/CISD) wrote:
>> do I chop half way through an image?
>> do I chop at the end of an image?
>> do I carry on for a max of 100 lines of Base64 data or until the end of
>> an image, which is earlier?
>
> If I had to choose between these three, I would choose the second. But
> I also like Glenn's suggestion of a new configuration option that
> switches between current behavior (first option) and the second option.
> Maybe something like adding a "+" sign after the Max Spamassassin Size
> number would mean "limit size to this value or to the end of the current
> MIME boundary".
>
> If you do keep the entire image, does this really add to spamassassin's
> load? In other words, will spamassassin do any processing (i.e. regex
> searches) on the additional image data or is it smart enough to ignore
> the contents of a base64 encoded attachment (unless specifically
> analyzed by a plugin)?
Rules with a type of 'full' work on the whole of the message without any
splitting out of MIME contents. From the docs:
"full SYMBOLIC_TEST_NAME /pattern/modifiers
Define a full message pattern test. pattern is a Perl regular
expression. Note: as per the header tests, # must be escaped (\#) or
else it is considered the beginning of a comment.
The full message is the pristine message headers plus the pristine
message body, including all MIME data such as images, other attachments,
MIME boundaries, etc."
The standard SA rules do use full, but only in some limited cases. The
SARE rules use full particularly where they are looking for MIME
boundary or HTML patterns.
So the chances are that there will be some rules that are run against
the whole of the data passed to SA. Which is why SA recommends that you
limit the amount of data passed to it for scanning.
If the code was chopping at the end of an image (i.e. until it found a
MIME boundary or a blank line), it would be very easy for someone to
craft an email message that had a starting boundary claiming to be an
image type, but then pumped 100s of Mb without an ending boundary.
There _HAS_ to be a limit to this.
--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw
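
Added example (not part of the original message and not MailScanner's code): a sketch of the policy discussed in this thread, cutting at the end of the MIME part that is open at the size limit while still enforcing an absolute cap. The names truncate_for_scan, soft_limit, hard_limit and build_sample, and the sample message itself, are assumptions constructed for illustration.

```python
from email.parser import BytesParser

def truncate_for_scan(raw: bytes, soft_limit: int, hard_limit: int) -> bytes:
    """Return the prefix of `raw` to pass to the scanner.

    Cut at the end of the MIME part that is open at soft_limit, but never
    return more than hard_limit bytes, whatever the message claims.
    """
    if hard_limit < soft_limit:
        raise ValueError("hard_limit must be >= soft_limit")
    if len(raw) <= soft_limit:
        return raw
    # Read the boundary from the top-level headers only; the slice keeps the
    # parser's input bounded even for a huge message.
    top = BytesParser().parsebytes(raw[:hard_limit], headersonly=True)
    boundary = top.get_boundary()
    if boundary:
        delim = b"\n--" + boundary.encode("ascii", "replace")
        # Look for the next delimiter line only inside [soft_limit, hard_limit).
        pos = raw.find(delim, soft_limit, hard_limit)
        if pos >= 0:
            return raw[:pos + 1]      # keep the newline that ends the part
    # No boundary declared, or none found in the window: hard cut.
    return raw[:hard_limit]

def build_sample(image_b64_len: int, closed: bool) -> bytes:
    """Constructed test message: a text part followed by a base64 'image'."""
    msg = (b'From: sender@example.com\n'
           b'MIME-Version: 1.0\n'
           b'Content-Type: multipart/mixed; boundary="XYZ"\n\n'
           b'--XYZ\nContent-Type: text/plain\n\nhello\n'
           b'--XYZ\nContent-Type: image/gif\n'
           b'Content-Transfer-Encoding: base64\n\n')
    msg += b"QUJD" * (image_b64_len // 4) + b"\n"
    return msg + (b"--XYZ--\n" if closed else b"")

if __name__ == "__main__":
    # Well-formed image, then an "image" part that never closes.
    for size, closed in ((2_000, True), (50_000, False)):
        raw = build_sample(size, closed)
        out = truncate_for_scan(raw, soft_limit=500, hard_limit=10_000)
        print(f"closed={closed} message={len(raw)} passed_to_scanner={len(out)}")
```

With the well-formed message the cut lands just before the closing boundary line; with the unterminated part the result is exactly hard_limit bytes.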