Max SpamAssassin Size problems

Alex Broens ms-list at alexb.ch
Wed Aug 30 13:27:02 IST 2006 

On 8/30/2006 11:52 AM, Julian Field wrote:
> 
> 
> Alex Broens wrote:
>> On 8/28/2006 6:26 PM, Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Res wrote:
>>>> On Sun, 27 Aug 2006, DAve wrote:
>>>>
>>>>> I for one want no part of a plugin that requires I send every 
>>>>> single message in it's entirety to SA every time. I'd be DOS'ed 
>>>>> within a month. I also think
>>>> Agreed
>>>
>>> I thoroughly agree that we shouldn't send the whole message. If you 
>>> want to do that, just set Max SpamAssassin Size = 500m :-)
>>>
>>> I'm trying to come up with a compromise that keeps most of you happy 
>>> most of the time. See my recent "--- round 2" posting.
>>
>> Julian,
>>
>> Probably late & lame with this observation:
>>
>>
>> Why not adopt the same logic as from ths spamc -s switch
>>
>>     -s *max_size*
>>         Set the maximum message size which will be sent to spamd -- any
>>         bigger than this threshold and the message will be returned
>>         unprocessed (default: 250 KB). If spamc gets handed a message 
>> bigger
>>         than this, it won't be passed to spamd.
>>
>>         The size is specified in bytes, as a positive integer greater 
>> than
>>         0. For example, -s 250000.
>>
>> This means the full message size and will not distort the SA scanning 
>> if only part of the msg is scanned (and possibly misclasified)
> I don't like that, as most spam can be identified by the first 20k, and 
> your idea would let through large spam.

those were the days .... many img spams have a img payload of 30k, 2k of 
gibberish + a URL. See it every day... how do you know you'd be catching 
all of them?

Aslo, your method often causes FPs with SA obfuscation rules hitting the 
first eg: 20kb of a 300kb PDF attachment (when the sender isn't a nice 
MUA), or a some SA plugin doesn't work properly coz it gets truncated data.
Standard SA would not touch such msg in the first place and avoided a 
misfire.

Rule misfire also applies to other attachement types in not 100% pretty 
MIME formats, and there's LOTS of those around.

If possible, a configurable option for whatever behaviour would be most 
appreciated for those who want to taste MailScanner or vanilla SA behaviour.

As a MS noobie, I'm surprised this issue hasn't been raised before.

thanks

Alex

More information about the MailScanner mailing list