Posted to users@spamassassin.apache.org by "Zinski, Steve" <sz...@richmond.edu> on 2015/07/15 22:12:01 UTC
Large spam
We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip out the non-text portions of the e-mail and scan. Can anyone help me set this up or point me in the right direction? Thanks!
Re: Large spam
Posted by Jude DaShiell <jd...@panix.com>.
I don't know if someone can help me on a question about message
components naming, but if you can I think I know how to defeat this large
spam. Before a message gets opened there is, I'll call it a tag, like
"make money fast" you'll read, and this is not on the Subject: line either.
It was those tags I filtered on and managed to send lots of it to
/dev/null. None of these filters would or could learn from it and
eventually those fields started showing foreign characters too. I never
did find out the name of that field otherwise I could have written
procmail filters for all of it. I hope this helps someone.
On Wed, 15 Jul 2015, Ian Zimmerman wrote:
> Date: Wed, 15 Jul 2015 16:42:28
> From: Ian Zimmerman <it...@buug.org>
> To: users@spamassassin.apache.org
> Subject: Re: Large spam
>
> On 2015-07-15 20:12 +0000, Zinski, Steve wrote:
>
>> We're starting to see a lot of spam in the 800KB to 1.2MB size
>> range. I’m running MIMEdefang and it’s configured to skip messages
>> larger than 100KB (and I hesitate to increase the limit due to
>> performance issues). I read somewhere that there’s a way to have
>> MIMEdefang (or spamassassin) strip out the non-text portions of the
>> e-mail and scan. Can anyone help me set this up or point me in the
>> right direction? Thanks!
>
> Yes, I see the same thing. I have no doubt at all that it is
> intentional, to defeat spamc size limit in particular.
>
> Moreover, mimedefang won't help because at least some of them are
> disguised as plain text messages. That is, the outermost message body
> is an entire MIME message, headers and all.
>
>
--
Re: Large spam
Posted by Ian Zimmerman <it...@buug.org>.
On 2015-07-15 20:12 +0000, Zinski, Steve wrote:
> We're starting to see a lot of spam in the 800KB to 1.2MB size
> range. I’m running MIMEdefang and it’s configured to skip messages
> larger than 100KB (and I hesitate to increase the limit due to
> performance issues). I read somewhere that there’s a way to have
> MIMEdefang (or spamassassin) strip out the non-text portions of the
> e-mail and scan. Can anyone help me set this up or point me in the
> right direction? Thanks!
Yes, I see the same thing. I have no doubt at all that it is
intentional, to defeat spamc size limit in particular.
Moreover, mimedefang won't help because at least some of them are
disguised as plain text messages. That is, the outermost message body
is an entire MIME message, headers and all.
--
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.
Re: Large spam
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 15 Jul 2015, at 16:12, Zinski, Steve wrote:
> We're starting to see a lot of spam in the 800KB to 1.2MB size range.
> I’m running MIMEdefang and it’s configured to skip messages larger
> than 100KB (and I hesitate to increase the limit due to performance
> issues). I read somewhere that there’s a way to have MIMEdefang (or
> spamassassin) strip out the non-text portions of the e-mail and scan.
> Can anyone help me set this up or point me in the right direction?
> Thanks!
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang may get you
to a set of users who have a known-good solution. There's some overlap
with this list but it certainly isn't complete.
It is possible to have MD do careful surgery on the MIME structure of a
message and leave only the text part(s) and then reinitialize the SA
testing object with the excised message, but I don't have working code
for that. The last time I did anything substantial in my
mimedefang-filter related to SA testing I was a mumbling lunatic for a
week, so I will pass on trying a Q&D implementation for you (although it
is something I'd kinda like myself...) and that's a good thing.
An alternative that has worked well for me is to use MD as a gatekeeper
for more subtle policies on large files than most MTAs can directly
provide. If $Sender is from a domain whose putative users have a history
of sending bloated spam, I reject anything big outright. If the file has
a double extension (other than .tar.gz and a few other exemptions) or
any of a long list of extensions that map to common Windows malware
vectors I reject the mail outright from anywhere except a handful of
trusted senders OR when it is sent to a handful of careful users who have asked
for exemptions and know the risks. Those approaches might not fit your
environment (scale being an issue...) but since MD's 'configuration
file' is really just a pile of Perl subroutine implementations, you
don't need to focus solely on the SA linkage to sniff out spam. For
example, I don't need SA scanning to know that if a live.com sender is
claimed for a message coming from a yahoo.com SMTP client and it has 3
lines of text and a 350KB attachment, nobody wants that mail.
FINALLY: keep in mind that MD's defaults and warnings about performance
of SA scanning of large messages have changed little (none?) in a
decade. Typical memory and processor specs on servers have. It's
probably still wise to have a limit on size passed to SA, but it
probably doesn't need to be 100k. Again, your scale needs to be taken
into account, but I have limits at 200k for "sewer rats" and 500k for
everyone else, and I can't see any sign of that choking a very modest
server when big things do get scanned.
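Bill's gatekeeper policy (reject big mail from domains with a history of bloated spam; reject double or risky extensions unless the sender is trusted or every recipient has opted in), written out as an added example in Python rather than in the Perl of a mimedefang-filter. This is not Bill's code, and every domain, address and extension list below is a constructed placeholder, not his configuration.

```python
# Placeholder lists standing in for Bill's local configuration; not his data.
BLOAT_DOMAINS = {"bulkmail.example"}           # domains with a history of bloated spam
BIG_MESSAGE = 200 * 1024                       # what counts as "anything big" from them
RISKY_EXT = {"exe", "scr", "pif", "bat", "cmd", "js", "vbs", "jar"}   # short sample list
DOUBLE_EXEMPT = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}        # allowed double extensions
TRUSTED_SENDERS = {"partner@supplier.example"}
OPTED_IN_USERS = {"malware-lab@example.test"}  # careful users who asked for the exemption

def risky_filename(name: str) -> bool:
    """True for a final extension on the risky list, or for a double extension
    that is not exempt. Note that dotted names such as 'v1.2.docx' also count
    as double extensions under this rule, exactly as described."""
    exts = [e for e in name.lower().strip().split(".")[1:] if e]
    if exts and exts[-1] in RISKY_EXT:
        return True
    return len(exts) >= 2 and tuple(exts[-2:]) not in DOUBLE_EXEMPT

def gatekeeper(sender: str, recipients, size: int, filenames) -> str:
    """Decision for one message, in the order Bill gives: 'reject: ...' or 'accept'."""
    sender = sender.lower()
    if sender.rpartition("@")[2] in BLOAT_DOMAINS and size > BIG_MESSAGE:
        return "reject: oversized mail from bloat-prone domain"
    if any(risky_filename(f) for f in filenames):
        # the exemption needs a trusted sender, or every recipient opted in
        exempt = sender in TRUSTED_SENDERS or (
            bool(recipients) and all(r.lower() in OPTED_IN_USERS for r in recipients))
        return "accept: exempted sender or recipients" if exempt else "reject: risky attachment"
    return "accept"
```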
Re: Large spam
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/15/2015 4:12 PM, Zinski, Steve wrote:
> We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip out the non-text portions of the e-mail and scan. Can anyone help me set this up or point me in the right direction? Thanks!
See http://www.gossamer-threads.com/lists/spamassassin/users/191839 for
some ideas on the matter but basically I build another copy of the email
truncated and/or removing parts I don't want to scan to get to a file
size I want to scan. You could look at doing that with MIME::Tools or
just hard truncate the copy at a specific size.
Regards,
KAM
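The "build a slimmed copy and scan that" approach Bill (careful surgery on the MIME structure, leaving the text parts) and Kevin (a copy with unwanted parts removed, hard-truncated) describe, as an added example that is not code from this thread or from MIMEdefang; it uses Python's standard email library as a stand-in for MIME::Tools and also handles the disguised messages Ian mentions, where the plain-text body is itself a whole MIME message. The sample message, addresses, filenames and the 64 KB body limit are constructed for the example.

```python
import email
import re
from email.message import EmailMessage

HEADER_LINE = re.compile(rb"^[!-9;-~]+:")  # "Field-Name:" at the start of a line
MIME_HEADERS = {"content-type", "content-transfer-encoding", "mime-version"}

def looks_like_rfc822(body: bytes) -> bool:
    """True when a 'plain text' body is really a whole message: every line up to
    the first blank line is a header or a continuation, and one is Content-Type."""
    head = body.replace(b"\r\n", b"\n").lstrip(b"\n").split(b"\n\n", 1)[0]
    return (b"content-type:" in head.lower() and all(
        HEADER_LINE.match(ln) or ln[:1] in (b" ", b"\t") for ln in head.split(b"\n")))

def text_parts(msg):
    """Yield (content type, decoded text) for inline text/* parts, descending
    into nested messages and into text bodies that hide a whole MIME message."""
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_content_disposition() == "attachment":
            continue
        body = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain" and looks_like_rfc822(body):
            yield from text_parts(email.message_from_bytes(body))  # the disguised case
            continue
        yield part.get_content_type(), body.decode(part.get_content_charset() or "utf-8", "replace")

def scan_copy(raw: bytes, max_body: int = 64 * 1024) -> bytes:
    """Copy to hand to SpamAssassin: the original non-MIME headers plus every
    text part as one text/plain body, hard-truncated at max_body characters."""
    msg = email.message_from_bytes(raw)
    head = [f"{n}: {v}" for n, v in msg.items() if n.lower() not in MIME_HEADERS]
    head += ["MIME-Version: 1.0", "Content-Type: text/plain; charset=utf-8"]
    body = "\n\n".join(f"[{ctype}]\n{text}" for ctype, text in text_parts(msg))
    copy = "\n".join(head).replace("\r", "") + "\n\n" + body[:max_body] + "\n"
    return copy.encode("utf-8", "surrogateescape")

def sample_message(disguised: bool = False) -> bytes:
    """Constructed sample shaped like the bloated spam: text, HTML alternative and a
    300 KB binary attachment. disguised=True wraps it the way Ian describes: a
    text/plain message whose entire body is that MIME message, headers and all."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "promo@example.test", "victim@example.test", "offer"
    m.set_content("cheap pills, buy now")
    m.add_alternative("<p>cheap pills, <b>buy now</b></p>", subtype="html")
    m.add_attachment(b"\0" * 300_000, maintype="application", subtype="octet-stream", filename="blob.bin")
    if disguised:  # outermost body is the entire MIME message, as plain text
        outer = EmailMessage()
        outer.set_content(m.as_bytes().decode("ascii"))
        m = outer
    return m.as_bytes()
```

In a mimedefang-filter the same shape of surgery would be done with MIME::Tools on the parsed entity, after which the trimmed copy, not the original, is what gets passed to the SpamAssassin scan.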