Posted to users@spamassassin.apache.org by "Zinski, Steve" <sz...@richmond.edu> on 2015/07/15 22:12:01 UTC

Large spam

We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip out the non-text portions of the e-mail and scan. Can anyone help me set this up or point me in the right direction? Thanks!

Re: Large spam

Posted by Jude DaShiell <jd...@panix.com>.
I don't know if someone can help me on a question about message 
component naming, but if you can, I think I know how to defeat this large 
spam.  Before a message gets opened there is what I'll call a tag, like 
"make money fast", that you'll read, and this is not on the Subject: line 
either.  It was those tags I filtered on and managed to send lots of it to 
/dev/null.  None of these filters would or could learn from it, and 
eventually those fields started showing foreign characters too.  I never 
did find out the name of that field; otherwise I could have written 
procmail filters for all of it.  I hope this helps someone.

On Wed, 15 Jul 2015, Ian Zimmerman wrote:

> Date: Wed, 15 Jul 2015 16:42:28
> From: Ian Zimmerman <it...@buug.org>
> To: users@spamassassin.apache.org
> Subject: Re: Large spam
> 
> On 2015-07-15 20:12 +0000, Zinski, Steve wrote:
>
>> We're starting to see a lot of spam in the 800KB to 1.2MB size
>> range. I’m running MIMEdefang and it’s configured to skip messages
>> larger than 100KB (and I hesitate to increase the limit due to
>> performance issues). I read somewhere that there’s a way to have
>> MIMEdefang (or spamassassin) strip out the non-text portions of the
>> e-mail and scan. Can anyone help me set this up or point me in the
>> right direction? Thanks!
>
> Yes, I see the same thing.  I have no doubt at all that it is
> intentional, to defeat spamc size limit in particular.
>
> Moreover, mimedefang won't help because at least some of them are
> disguised as plain text messages.  That is, the outermost message body
> is an entire MIME message, headers and all.
>
>

-- 


Re: Large spam

Posted by Ian Zimmerman <it...@buug.org>.
On 2015-07-15 20:12 +0000, Zinski, Steve wrote:

> We're starting to see a lot of spam in the 800KB to 1.2MB size
> range. I’m running MIMEdefang and it’s configured to skip messages
> larger than 100KB (and I hesitate to increase the limit due to
> performance issues). I read somewhere that there’s a way to have
> MIMEdefang (or spamassassin) strip out the non-text portions of the
> e-mail and scan. Can anyone help me set this up or point me in the
> right direction? Thanks!

Yes, I see the same thing.  I have no doubt at all that it is
intentional, to defeat spamc size limit in particular.

Moreover, mimedefang won't help because at least some of them are
disguised as plain text messages.  That is, the outermost message body
is an entire MIME message, headers and all.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.


Re: Large spam

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 15 Jul 2015, at 16:12, Zinski, Steve wrote:

> We're starting to see a lot of spam in the 800KB to 1.2MB size range. 
> I’m running MIMEdefang and it’s configured to skip messages larger 
> than 100KB (and I hesitate to increase the limit due to performance 
> issues). I read somewhere that there’s a way to have MIMEdefang (or 
> spamassassin) strip out the non-text portions of the e-mail and scan. 
> Can anyone help me set this up or point me in the right direction? 
> Thanks!

http://lists.roaringpenguin.com/mailman/listinfo/mimedefang may get you 
to a set of users who have a known-good solution. There's some overlap 
with this list but it certainly isn't complete.

It is possible to have MD do careful surgery on the MIME structure of a 
message and leave only the text part(s) and then reinitialize the SA 
testing object with the excised message, but I don't have working code 
for that. The last time I did anything substantial in my 
mimedefang-filter related to SA testing I was a mumbling lunatic for a 
week, so I will pass on trying a Q&D implementation for you (although it 
is something I'd kinda like myself...) and that's a good thing.

An alternative that has worked well for me is to use MD as a gatekeeper 
for more subtle policies on large files than most MTAs can directly 
provide. If $Sender is from a domain whose putative users have a history 
of sending bloated spam, I reject anything big outright. If the file has 
a double extension (other than .tar.gz and a few other exemptions) or 
any of a long list of extensions that map to common Windows malware 
vectors, I reject the mail outright unless it comes from a handful of 
trusted senders OR is sent to a handful of careful users who have asked 
for exemptions and know the risks. Those approaches might not fit your 
environment (scale being an issue...) but since MD's 'configuration 
file' is really just a pile of Perl subroutine implementations, you 
don't need to focus solely on the SA linkage to sniff out spam. For 
example, I don't need SA scanning to know that if a live.com sender is 
claimed for a message coming from a yahoo.com SMTP client and it has 3 
lines of text and a 350KB attachment, nobody wants that mail.

FINALLY: keep in mind that MD's defaults and warnings about performance 
of SA scanning of large messages have changed little (none?) in a 
decade. Typical memory and processor specs on servers have. It's 
probably still wise to have a limit on size passed to SA, but it 
probably doesn't need to be 100k. Again, your scale needs to be taken 
into account, but I have limits at 200k for "sewer rats" and 500k for 
everyone else, and I can't see any sign of that choking a very modest 
server when big things do get scanned.
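The "gatekeeper" policies Bill describes above (reject big mail from domains with a bloated-spam history, reject double extensions other than .tar.gz and friends, reject known malware extensions unless the sender is trusted or every recipient opted in), written out as plain Perl decision functions. This is an added example, not code from the thread, from MIMEdefang, or from Bill's own filter; the extension lists, the domain set, the trusted/exempt addresses and the 300KB threshold are all assumed sample values for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread or MIMEdefang): attachment and size
# policy as stand-alone decision functions, meant to be called from the
# mimedefang-filter hooks. All lists and thresholds below are assumptions.
use strict;
use warnings;

# Extensions that commonly carry Windows malware (assumed sample list).
my @DANGEROUS_EXTS = qw(exe scr pif com bat cmd vbs vbe js jse wsf wsh hta
                        cpl msi reg lnk jar ps1);
my $DANGEROUS = join '|', map { quotemeta } @DANGEROUS_EXTS;

# Double extensions that are legitimate (assumed sample list).
my @OK_DOUBLE = qw(tar.gz tar.bz2 tar.xz tar.z);
my $OK_DOUBLE = join '|', map { quotemeta } @OK_DOUBLE;

# Senders allowed to send anything, and recipients who asked for exemptions
# and know the risks (assumed addresses).
my %TRUSTED_SENDER   = map { $_ => 1 } qw(ops@example.edu);
my %EXEMPT_RECIPIENT = map { $_ => 1 } qw(malware-lab@example.edu);

# Domains whose putative users have a history of bloated spam (assumed),
# and what counts as "big" for them (assumed threshold).
my %BLOAT_DOMAIN = map { $_ => 1 } qw(example.net);
my $BIG_BYTES    = 300 * 1024;

# 'reject' or 'accept' for one attachment filename, given envelope data.
sub attachment_decision {
    my ($fname, $sender, @rcpts) = @_;
    my $lc = lc $fname;
    return 'accept' if $TRUSTED_SENDER{ lc $sender };
    # Exempt only when every recipient opted in; one careful user does not
    # unlock the attachment for everyone else on the To: line.
    return 'accept' if @rcpts && !grep { !$EXEMPT_RECIPIENT{ lc $_ } } @rcpts;
    return 'reject' if $lc =~ /\.(?:$DANGEROUS)$/;
    # "double extension" = something.ext1.ext2, unless it is an exempt pair
    if (my ($pair) = $lc =~ /\.([a-z0-9]{1,4}\.[a-z0-9]{1,4})$/) {
        return 'reject' unless $pair =~ /^(?:$OK_DOUBLE)$/;
    }
    return 'accept';
}

# 'reject' or 'accept' for the whole message based on sender domain + size.
sub size_decision {
    my ($sender, $size) = @_;
    my ($dom) = lc($sender) =~ /\@([^>\s]+)/;
    return 'reject' if defined $dom && $BLOAT_DOMAIN{$dom} && $size > $BIG_BYTES;
    return 'accept';
}

# Stand-alone demo on constructed inputs.
unless (caller) {
    my @cases = (
        [ 'invoice.pdf.exe', 'someone@example.org', 'user@example.edu' ],
        [ 'report.tar.gz',   'someone@example.org', 'user@example.edu' ],
        [ 'doc.pdf.zip',     'someone@example.org', 'user@example.edu' ],
        [ 'doc.pdf.zip',     'someone@example.org', 'malware-lab@example.edu' ],
        [ 'notes.txt',       'someone@example.org', 'user@example.edu' ],
    );
    printf "%-18s %s\n", $_->[0], attachment_decision(@$_) for @cases;
    printf "size 800KB from example.net: %s\n",
        size_decision('bulk@example.net', 800 * 1024);
}
```

In a mimedefang-filter these would be called from the per-attachment `filter($entity, $fname, $ext, $type)` hook and from `filter_begin` (where the message size and `$Sender` are already known), with `action_bounce` on a 'reject'. The order of checks matters: the trusted-sender and all-recipients-exempt short-circuits come first, the dangerous-extension test second, and the generic double-extension test last, so `photo.jpg.scr` is rejected by the extension list rather than slipping through as an unlisted pair.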

Re: Large spam

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/15/2015 4:12 PM, Zinski, Steve wrote:
> We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip out the non-text portions of the e-mail and scan. Can anyone help me set this up or point me in the right direction? Thanks!
See http://www.gossamer-threads.com/lists/spamassassin/users/191839 for 
some ideas on the matter but basically I build another copy of the email 
truncated and/or removing parts I don't want to scan to get to a file 
size I want to scan.  You could look at doing that with MIME::Tools or 
just hard truncate the copy at a specific size.

Regards,
KAM
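A worked version of the approach Kevin and Bill describe above (build a reduced copy of the message with the non-text parts removed and the text bodies truncated, then hand that copy to SpamAssassin), which also handles the case Ian raised earlier in the thread: a nominally text/plain message whose body is itself a complete MIME message, headers and all. This is an added example, not code from the thread, from MIMEdefang or from SpamAssassin; it uses MIME::Tools (MIME::Parser/MIME::Entity) and the Mail::SpamAssassin API directly. The 64KB per-body cap and the unwrap depth of 3 are assumed values.

```perl
#!/usr/bin/perl
# Added example (not from the thread, MIMEdefang or SpamAssassin): cut a
# bloated message down to its text parts and score the reduced copy.
use strict;
use warnings;
use MIME::Parser;
use Mail::SpamAssassin;

my $MAX_TEXT_BYTES = 64 * 1024;   # assumed cap per surviving text body
my $MAX_UNWRAP     = 3;           # assumed bound on nested "plain text" wrappers

# Ian Zimmerman's case: a text/plain message whose body is itself a full
# MIME message. If the body opens with a header block that carries a
# Content-Type and ends at a blank line, re-parse the body as a message.
sub unwrap_embedded_message {
    my ($entity, $parser) = @_;
    return $entity if $entity->is_multipart;
    return $entity unless $entity->effective_type =~ m{^text/plain}i;
    my $bh   = $entity->bodyhandle or return $entity;
    my $body = $bh->as_string;
    my ($head) = $body =~ /\A((?:[!-9;-~]+:[^\n]*\n(?:[ \t][^\n]*\n)*)+)\r?\n/;
    return $entity unless defined $head && $head =~ /^Content-Type:/im;
    return $parser->parse_data($body);
}

# Keep only text/* leaves, truncating each decoded body; drop everything
# else (images, archives, message/rfc822 wrappers) and any container left
# empty. Returns undef when nothing textual survives.
sub strip_to_text {
    my ($entity) = @_;
    if ($entity->is_multipart) {
        my @kept = grep { defined } map { strip_to_text($_) } $entity->parts;
        return undef unless @kept;
        $entity->parts(\@kept);
        return $entity;
    }
    return undef unless $entity->effective_type =~ m{^text/}i;
    my $bh   = $entity->bodyhandle or return undef;
    my $body = $bh->as_string;                 # decoded content
    if (length($body) > $MAX_TEXT_BYTES) {
        my $io = $bh->open('w') or return undef;
        $io->print(substr($body, 0, $MAX_TEXT_BYTES));
        $io->close;
    }
    return $entity;
}

# Raw message text in, reduced message text out (undef if nothing textual
# survives; the caller decides what to do with such a message).
sub reduce_message {
    my ($raw) = @_;
    my $parser = MIME::Parser->new;
    $parser->output_to_core(1);   # keep bodies in memory, no temp files
    $parser->tmp_to_core(1);
    my $entity = $parser->parse_data($raw);
    for (1 .. $MAX_UNWRAP) {      # bounded, so nested wrappers cannot loop us
        my $inner = unwrap_embedded_message($entity, $parser);
        last if $inner == $entity;
        $entity = $inner;
    }
    $entity = strip_to_text($entity) or return undef;
    $entity->sync_headers(Length => 'COMPUTE');   # fix Content-Length after cuts
    return $entity->as_string;
}

# Score the reduced copy with the Mail::SpamAssassin API.
sub score_reduced {
    my ($raw) = @_;
    my $text = reduce_message($raw);
    return undef unless defined $text;
    my $sa     = Mail::SpamAssassin->new({ local_tests_only => 1 });
    my $mail   = $sa->parse($text);
    my $status = $sa->check($mail);
    my @result = ($status->get_score, $status->get_names_of_tests_hit);
    $status->finish;
    $mail->finish;
    return @result;
}

# Stand-alone use: pipe one message in on stdin.
unless (caller) {
    local $/;
    my $raw = <STDIN>;
    my ($score, $tests) = score_reduced($raw);
    printf "score=%s tests=%s\n", $score // 'n/a', $tests // '';
}
```

The unwrap step runs before the strip step on purpose: truncating first would cut the embedded message in half and the inner MIME structure would never be seen. Parsing a 1.2MB message with MIME::Parser is cheap next to running the SA rule set over it, which is what the size limit exists to avoid; what reaches SpamAssassin here is bounded by the number of text parts times the cap. A message that reduces to nothing (only binary parts, no text at all) is a separate policy question, which is where Bill's size-and-sender gatekeeping applies. Inside a mimedefang-filter the same reduction can be applied to the raw message in the working directory's INPUTMSG file from filter_end, with the reduced text passed to the Mail::SpamAssassin object rather than the full message.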