Suggestions to block big spam messages

[shuttlebox]

On Thu, Jan 29, 2009 at 1:15 PM, Kai Schaetzl <maillists at conactive.com> wrote:
> If it only gets fed part of it probably not as the image is then cut in
> half. I actually don't know what MS does in such a situation. e.g. if it
> detects that the message is encoded and scanning only part of it is of no
> use or if SA skips binary parts anyway etc.

The comment for Max SpamAssassin Size explains how it works:

# SpamAssassin is not very fast when scanning huge messages, so messages
# bigger than this value will be truncated to this length for SpamAssassin
# testing. The original message will not be affected by this. This value
# is a good compromise as very few spam messages are bigger than this.
#
# Now for the options:
# 1) <length of data in bytes>
# 2) <length of data in bytes> trackback
# 3) <length of data in bytes> continue <max extra bytes allowed>
#
# 1) Put in a simple number.
#    This will be the simple cut-off point for messages that are larger than
#    this number.
# 2) Put in a number followed by 'trackback'.
#    Once the size limit is reached, MailScanner reverses towards the start
#    of the message, until it hits a line that is blank. The message passed
#    to SpamAssassin is truncated there. This stops any part-images being
#    passed to SpamAssassin, and so avoids rules which trigger on this.
# 3) Put in a number followed by 'continue' followed by another number.
#    Once the size limit is reached, MailScanner continues adding to the data
#    passed to SpamAssassin, until at most the 2nd number of bytes have been
#    added looking for a blank line. This tries to complete the image data
#    that has been started when the 1st number of bytes has been reached,
#    while imposing a limit on the amount that can be added (to avoid attacks).
#
# If all this confuses you, just leave it alone at "40k" as that is good.
Max SpamAssassin Size = 50000 trackback

-- 
/peter