Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/05/27 21:47:52 UTC

a question for exiscan and exim users

Recently we've been seeing a *lot* of Exim users asking questions
(here and on IRC) about spamd chewing up massive quantities of
RAM.

It appears that Exiscan has now become part of Exim by default,
and it also appears that (at least in the default exiscan patch)
it doesn't modify the config files directly to add itself to
the MTA's flow.

Is there a possibility that in default Exim setups, or default
OS-specific Exim packages, the exiscan config lines are being
inserted *without* the required message size limits, thereby
allowing massive emails to be scanned by SpamAssassin?  that
would inflate scanner sizes nonlinearly (and is always a no-no
with SpamAssassin).

Here's what I mean.  here's a good configuration stanza:

  deny message = Classified as spam (score $spam_score)
     condition = ${if <{$message_size}{300k}{1}{0}}
     spam = nobody

and here's a bad one:

  deny message = Classified as spam (score $spam_score)
     spam = nobody

(note the lack of the "{$message_size}" condition line.)

I'd appreciate if a few Exim wizzes -- and users of Exim/exiscan
on various platforms -- take a quick grep for "spam =" in
their config files and see if they're missing the key line
anywhere.

--j.


Re: [OT] Re: a question for exiscan and exim users

Posted by Steven Dickenson <st...@mrchuckles.net>.
Craig Jackson wrote:
>> Is there a possibility that in default Exim setups, or default
>> OS-specific Exim packages, the exiscan config lines are being
>> inserted *without* the required message size limits, thereby
>> allowing massive emails to be scanned by SpamAssassin?  that
>> would inflate scanner sizes nonlinearly (and is always a no-no
>> with SpamAssassin).
> 
> I use the condition. My question is that if you use the condition in the 
> first scan, do you need it in subsequent scans:

Yes.

If the spam checks are the last thing in your data ACL, you can include 
a single accept statement before the spam statements for all messages 
over your size limit.  That way spam scanning is skipped altogether 
(since the message has been accepted by this new statement).

Something like this.

   accept condition = ${if >{$message_size}{150k}{1}{0}}

Before all of your spam = whatever statements.

- S

[OT] Re: a question for exiscan and exim users

Posted by Craig Jackson <cj...@localsurface.com>.
Justin Mason wrote:
> Recently we've been seeing a *lot* of Exim users asking questions
> (here and on IRC) about spamd chewing up massive quantities of
> RAM.
> 
> It appears that Exiscan has now become part of Exim by default,
> and it also appears that (at least in the default exiscan patch)
> it doesn't modify the config files directly to add itself to
> the MTA's flow.
> 
> Is there a possibility that in default Exim setups, or default
> OS-specific Exim packages, the exiscan config lines are being
> inserted *without* the required message size limits, thereby
> allowing massive emails to be scanned by SpamAssassin?  that
> would inflate scanner sizes nonlinearly (and is always a no-no
> with SpamAssassin).
> 
> Here's what I mean.  here's a good configuration stanza:
> 
>   deny message = Classified as spam (score $spam_score)
>      condition = ${if <{$message_size}{300k}{1}{0}}
>      spam = nobody
> 
> and here's a bad one:
> 
>   deny message = Classified as spam (score $spam_score)
>      spam = nobody
> 
> (note the lack of the "{$message_size}" condition line.)
> 
> I'd appreciate if a few Exim wizzes -- and users of Exim/exiscan
> on various platforms -- take a quick grep for "spam =" in
> their config files and see if they're missing the key line
> anywhere.

I use the condition. My question is that if you use the condition in the 
first scan, do you need it in subsequent scans:

   # Spamassassin
    warn  message = X-Cheetah-Spam: True
          condition = ${if ! def:h_X-Cheetah-Spam:}
          condition = ${if <{$message_size}{200k}{1}{0}}
          spam = mail/defer_ok

    warn  message = X-Cheetah-Score: $spam_score ($spam_bar)
          condition = ${if ! def:h_X-Cheetah-Spam:}
          condition = ${if <{$message_size}{200k}{1}{0}}
          spam = mail:true/defer_ok

    warn  message = X-Cheetah-Report: $spam_report
          condition = ${if ! def:h_X-Cheetah-Spam:}
          condition = ${if <{$message_size}{200k}{1}{0}}
          spam = mail:true/defer_ok

Thanks
Craig Jackson





Re: a question for exiscan and exim users

Posted by Steven Dickenson <st...@mrchuckles.net>.
Justin Mason wrote:
> It appears that Exiscan has now become part of Exim by default,
> and it also appears that (at least in the default exiscan patch)
> it doesn't modify the config files directly to add itself to
> the MTA's flow.

This is correct.  The shipped configuration file doesn't include any 
exiscan features.  In fact, as shipped Exim won't build with the content 
scanning features unless you add a statement to the local Makefile.

> Is there a possibility that in default Exim setups, or default
> OS-specific Exim packages, the exiscan config lines are being
> inserted *without* the required message size limits, thereby
> allowing massive emails to be scanned by SpamAssassin?  that
> would inflate scanner sizes nonlinearly (and is always a no-no
> with SpamAssassin).

As mentioned above, the shipped config files don't include any content 
scanning features.  The 4.5 Debian packages include commented out 
options for specifying spamd's IP/socket, but don't include any ACL 
statements.

> Here's what I mean.  here's a good configuration stanza:
> 
>   deny message = Classified as spam (score $spam_score)
>      condition = ${if <{$message_size}{300k}{1}{0}}
>      spam = nobody
> 
> and here's a bad one:
> 
>   deny message = Classified as spam (score $spam_score)
>      spam = nobody

It's entirely possible someone configured their system this way.  In
fact, the examples shown in the 4.5 spec (documentation) don't include 
any size checks.  However, the examples from the exiscan website do. 
I'll make mention of this to Phillip on the Exim list and see if he'll 
update the spec examples.

- S
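
The check requested at the top of the thread, taken one step further than a grep for "spam =": an added example (not part of any post above, and not Exim or SpamAssassin code) that walks ACL statements and reports each one that reaches `spam =` before any `$message_size` limit, also honouring the accept-oversize statement suggested in one of the replies. The function name, the sample ACL and the regex-level matching are assumptions; it expects one condition per line and no backslash continuations.

```python
import re

VERB = re.compile(r"^(accept|defer|deny|discard|drop|require|warn)\b\s*")
LABEL = re.compile(r"^(begin\s+\w+|\w+:)$")  # start of a section or a named ACL
SPAM = re.compile(r"^!?\s*spam\s*=")
SIZE = r"^condition\s*=\s*\$\{if\s*%s=?\s*\{\$message_size\}"
SMALL, LARGE = re.compile(SIZE % "<"), re.compile(SIZE % ">")

# Constructed sample: the thread's "good" and "bad" stanzas in one data ACL.
SAMPLE = """\
acl_check_data:
  deny message = Classified as spam (score $spam_score)
     condition = ${if <{$message_size}{300k}{1}{0}}
     spam = nobody
  deny message = Classified as spam (score $spam_score)
     spam = nobody
"""


def unguarded_spam_scans(config_text):
    """Return [(line_no, verb)] for statements that scan with no size limit first."""
    stmts, current = [], None
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if LABEL.match(line):            # new ACL: earlier statements do not apply
            current = None
            stmts.append(("label", n, []))
        elif VERB.match(line):           # a verb opens a new statement
            current = (VERB.match(line).group(1), n, [VERB.sub("", line)])
            stmts.append(current)
        elif current:                    # further condition of the same statement
            current[2].append(line)
    findings, oversize_accepted = [], False
    for verb, n, conds in stmts:
        conds = [c for c in conds if c]
        if verb == "label":
            oversize_accepted = False
        elif verb == "accept" and len(conds) == 1 and LARGE.match(conds[0]):
            oversize_accepted = True     # big mail leaves the ACL before any scan
        elif not oversize_accepted:
            # Exim tests conditions in order, so only a limit *before* spam = helps.
            first = next((c for c in conds if SMALL.match(c) or SPAM.match(c)), "")
            if SPAM.match(first):
                findings.append((n, verb))
    return findings


if __name__ == "__main__":
    print(unguarded_spam_scans(SAMPLE))  # [(5, 'deny')]
```

A size condition placed after `spam =` in the same statement is reported as well, because the scan has already run by the time it is evaluated.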