Max SpamAssassin Size problems

Anthony Peacock a.peacock at chime.ucl.ac.uk
Thu Aug 24 17:06:23 IST 2006 

Hi,

Kash, Howard (Civ, ARL/CISD) wrote:
>> do I chop half way through an image?
>> do I chop at the end of an image?
>> do I carry on for a max of 100 lines of Base64 data or until the end
> of 
>> an image, which is earlier?
> 
> If I had to choose between these three, I would choose the second.  But
> I also like Glenn's suggestion of a new configuration option that
> switches between current behavior (first option) and the second option.
> Maybe something like adding a "+" sign after the Max Spamassassin Size
> number would mean "limit size to this value or to the end of the current
> MIME boundary".
> 
> If you do keep the entire image, does this really add to spamassassin's
> load?  In other words, will spamassassin do any processing (i.e. regex
> searches) on the additional image data or is it smart enough to ignore
> the contents of a base64 encoded attachment (unless specifically
> analyzed by a plugin)?

Rules with a type of 'full' work on the whole of the message without any 
splitting out of MIME contents.  From the docs:

"full SYMBOLIC_TEST_NAME /pattern/modifiers
     Define a full message pattern test. pattern is a Perl regular 
expression. Note: as per the header tests, # must be escaped (\#) or 
else it is considered the beginning of a comment.

     The full message is the pristine message headers plus the pristine 
message body, including all MIME data such as images, other attachments, 
MIME boundaries, etc."

The standard SA rules do use full, but only in some limited cases.  The 
SARE rules use full particularly where they are looking for MIME 
boundary or HTML patterns.

So the chances are that there will be some rules that are run against 
the whole of the data passed to SA.  Which is why SA recommends that you 
limit the amount of data passed to it for scanning.

If the code was chopping at the end of an image (ie until it found a 
MIME boundary or a blank line.  It would be very easy for someone to 
craft an email message that had a starting boundary claiming to be an 
image type, but then pumped 100s of Mb without an ending boundary. 
There _HAS_ to be a limit to this.


-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

More information about the MailScanner mailing list