Max SpamAssassin Size problems

Ken A ka at pacific.net
Mon Aug 28 20:54:36 IST 2006



Kash, Howard (Civ, ARL/CISD) wrote:
>  
>> I still do not believe this is a problem that MailScanner needs to fix.
>> The plugin is 'assuming' it will always be handed a complete message 
>> from all past and future programs using SA, and that the message will 
>> never be truncated/mangled/poorly constructed for any reason. Whether 
>> that reason is a software failure, hardware failure, or system 
>> configuration.
> 
> 
> And MailScanner is 'assuming' that it is OK to send partial messages to
> SA.  Since there is no defined protocol here, neither one is necessarily
> wrong.  But there are existing SA checks and plugins that assume entire
> messages are being passed.  Maybe SA needs to implement DoS protection
> itself so that MailScanner (or any other program) can safely send entire
> messages without risk of resource exhaustion.  SA sort-of does this
> already with the -s switch to spamc as pointed out by Alex.  But it's an
> all or nothing limit, not truncate in the middle.  Maybe MailScanner's
> "Max SpamAssassin Size" should be an all or nothing limit as suggested
> by Alex (messages < Max SpamAssassin Size get sent to SA in their
> entirety, messages > Max SpamAssassin Size don't get sent to SA at all).
> This would probably be a one-liner mod to MS.

That's what it was originally, iirc. Sending partial messages was 
thought to be better though, since spam can usually be detected in the 
first x bytes, even if a message goes over the limit. This way the limit 
could be set somewhat lower than if you only passed whole messages.

> 
> Based on SPAM blocked by my server last Thursday, only slightly over
> 1.7% of them (565/33002) are over 30k.  Using 60k as the limit, the
> percentage drops to 1.1% (350/33002).  90k = 0.3% (85/33002).  And most
> of those larger ones are not your typical SPAM, but things like chain
> letters, jokes with videos, etc. which some may consider HAM anyway.

So, from a plugin's perspective, a broken image encountered in the first 
"Max SpamAssassin Size" is really broken, and an image found after that 
is probably accidentally (on purpose) broken by MailScanner or other SA 
user.

Ken A.
Pacific.Net

> 
> Howard
> 
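
The two limit behaviours debated in this thread, as an added example that is not part of the original post and is not MailScanner or SpamAssassin code. The function names, the policy names, the GIF-trailer integrity check, and the assumption that the plugin knows the size limit are all illustrative; the sample message is constructed.

```python
import base64
from email import message_from_bytes

def build_sample(corrupt=False, fill=3000):
    """Constructed message: one text part, then one GIF-like image part."""
    gif = b"GIF89a" + b"\x00" * fill + (b"" if corrupt else b"\x3b")  # 0x3B = GIF trailer
    b64 = base64.encodebytes(gif).decode()
    return ("From: a@example.org\nSubject: sample\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b0"\n\n'
            "--b0\nContent-Type: text/plain\n\nhello\n"
            "--b0\nContent-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
            + b64 + "--b0--\n").encode()

def sa_input(raw, max_size, policy):
    """Bytes the caller hands to the scanner, or None if the message is skipped."""
    if len(raw) <= max_size:
        return raw
    return raw[:max_size] if policy == "truncate" else None  # else all-or-nothing

def gif_complete(part):
    text = "".join(part.get_payload().split())
    data = base64.b64decode(text[: len(text) // 4 * 4])  # drop a dangling partial quantum
    return data.startswith(b"GIF8") and data.endswith(b"\x3b")

def classify_images(scanned, max_size):
    """Label each image part: ok, broken (as sent), or cut by the size limit."""
    msg = message_from_bytes(scanned)
    boundary = msg.get_boundary() or ""
    closed = f"--{boundary}--".encode() in scanned   # closing MIME boundary present?
    hit_limit = len(scanned) >= max_size
    labels = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        if gif_complete(part):
            labels.append("ok")
        elif hit_limit and not closed:
            labels.append("cut-by-limit")   # do not score as a malformed image
        else:
            labels.append("broken")
    return labels

if __name__ == "__main__":
    raw = build_sample()
    print(classify_images(sa_input(raw, 2000, "truncate"), 2000))
    print(sa_input(raw, 2000, "all_or_nothing"))
    print(classify_images(build_sample(corrupt=True), 10000))
```
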

