You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by David Touzeau <da...@touzeau.eu> on 2011/04/09 02:43:43 UTC
increase score according message size
Dear
I would like to increase score according the message size.
Instead blocking it by the MTA i would like spamassassin define it has
SPAM if it reach a defined value...
Best regeads
Re: increase score according message size
Posted by John Hardin <jh...@impsec.org>.
On Mon, 11 Apr 2011, David Touzeau wrote:
>> It's possible your MTA inserts a Content-Length: header before SA sees the
>> message. If so, then checking it is fairly trivial. Try to determine
>> whether your MTA does this.
>>
>> If not, SA does not currently (that I can find) expose the raw size of the
>> message to rules. Having it generate an X-Content-Length: pseudoheader
>> probably wouldn't be too difficult.
>>
>> For now, trivially, you can do something like this:
>>
>> header __HDR_BYTES ALL =~ /./
>> tflags __HDR_BYTES multiple
>> rawbody __BODY_BYTES /./
>> tflags __BODY_BYTES multiple
>> meta SZ_GT_200K (__HDR_BYTES + __BODY_BYTES) > 200000
>>
>> ...but that will probably do Bad Things to your performance.
>
> Many thanks !!!
>
> I will do tests in this way !
I _strongly_ suggest you see whether your MTA can be configured to add a
Content-Length: header before trying those rules.
Also, they were off the top of my head, and untested.
Best of luck. :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Public Education: the bureaucratic process of replacing
an empty mind with a closed one. -- Thorax
-----------------------------------------------------------------------
3 days until Thomas Jefferson's 268th Birthday
Re: increase score according message size
Posted by David Touzeau <da...@touzeau.eu>.
Le samedi 09 avril 2011 à 15:04 -0700, John Hardin a écrit :
> On Sat, 9 Apr 2011, David Touzeau wrote:
>
> > Le samedi 09 avril 2011 à 08:59 -0700, John Hardin a écrit :
> >> On Sat, 9 Apr 2011, Benny Pedersen wrote:
> >>
> >>>> This to manage a quarantine area.
> >>>> Rejecting the message cause troubles according VIPs that needs to
> >>>> receive some attached files.
> >
> > So i would like to know if there is way or someone trying to set
> > Spamassassin to increase score against message size.
>
> Including or excluding headers? Including or excluding attachments?
>
> Bear in mind that spamc enforces a maximum message size limit, spamd won't
> even _see_ messages larger than that size. Are you going to crank that
> size limit up?
>
> Do you really want to spend the resources scanning messages larger than
> that limit?
>
> It's possible your MTA inserts a Content-Length: header before SA sees the
> message. If so, then checking it is fairly trivial. Try to determine
> whether your MTA does this.
>
> If not, SA does not currently (that I can find) expose the raw size of the
> message to rules. Having it generate an X-Content-Length: pseudoheader
> probably wouldn't be too difficult.
>
> For now, trivially, you can do something like this:
>
> header __HDR_BYTES ALL =~ /./
> tflags __HDR_BYTES multiple
> rawbody __BODY_BYTES /./
> tflags __BODY_BYTES multiple
> meta SZ_GT_200K (__HDR_BYTES + __BODY_BYTES) > 200000
>
> ...but that will probably do Bad Things to your performance.
>
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> People seem to have this obsession with objects and tools as being
> dangerous in and of themselves, as though a weapon will act of its
> own accord to cause harm. A weapon is just a force multiplier. It's
> *humans* that are (or are not) dangerous.
> -----------------------------------------------------------------------
> 4 days until Thomas Jefferson's 268th Birthday
Many thanks !!!
I will do tests in this way !
Re: increase score according message size
Posted by John Hardin <jh...@impsec.org>.
On Sat, 9 Apr 2011, David Touzeau wrote:
> Le samedi 09 avril 2011 à 08:59 -0700, John Hardin a écrit :
>> On Sat, 9 Apr 2011, Benny Pedersen wrote:
>>
>>>> This to manage a quarantine area.
>>>> Rejecting the message cause troubles according VIPs that needs to
>>>> receive some attached files.
>
> So i would like to know if there is way or someone trying to set
> Spamassassin to increase score against message size.
Including or excluding headers? Including or excluding attachments?
Bear in mind that spamc enforces a maximum message size limit, spamd won't
even _see_ messages larger than that size. Are you going to crank that
size limit up?
Do you really want to spend the resources scanning messages larger than
that limit?
It's possible your MTA inserts a Content-Length: header before SA sees the
message. If so, then checking it is fairly trivial. Try to determine
whether your MTA does this.
If not, SA does not currently (that I can find) expose the raw size of the
message to rules. Having it generate an X-Content-Length: pseudoheader
probably wouldn't be too difficult.
For now, trivially, you can do something like this:
header __HDR_BYTES ALL =~ /./
tflags __HDR_BYTES multiple
rawbody __BODY_BYTES /./
tflags __BODY_BYTES multiple
meta SZ_GT_200K (__HDR_BYTES + __BODY_BYTES) > 200000
...but that will probably do Bad Things to your performance.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People seem to have this obsession with objects and tools as being
dangerous in and of themselves, as though a weapon will act of its
own accord to cause harm. A weapon is just a force multiplier. It's
*humans* that are (or are not) dangerous.
-----------------------------------------------------------------------
4 days until Thomas Jefferson's 268th Birthday
Re: increase score according message size
Posted by RW <rw...@googlemail.com>.
On Sat, 09 Apr 2011 21:10:39 +0200
David Touzeau <da...@touzeau.eu> wrote:
> "Linux community is very good and answering very fast... This is very
> good...
> But there is only one trouble... When needs to "judge" about a
> technical issue or try to find a "political" answer, we polluate the
> discuss mail archives"
>
> When someone needs to find answers on the same question... it read
> these non-technical posts that is not really interesting...
> And it loose time.
Personally I don't want to find a straight technical answer if I'm not
asking a sensible question.
If you have good reasons for doing something that superficially sounds
like a bad idea, you should mention them if you wish to get a straight
answer.
Re: increase score according message size
Posted by David Touzeau <da...@touzeau.eu>.
Le samedi 09 avril 2011 à 08:59 -0700, John Hardin a écrit :
> On Sat, 9 Apr 2011, Benny Pedersen wrote:
>
> >> This to manage a quarantine area.
> >> Rejecting the message cause troubles according VIPs that needs to
> >> receive some attached files.
> >
> > email is not a p2p service, install a bittorrent tracker, and make it
> > authed to emails sasl users, now the fun starts :)
>
> A CEO reacts rather poorly to being told "email is _not_ a general purpose
> file transfer utility." BTDT.
>
Hum... I know that... But this is my query..
"Linux community is very good and answering very fast... This is very
good...
But there is only one trouble... When needs to "judge" about a technical
issue or try to find a "political" answer, we polluate the discuss mail
archives"
When someone needs to find answers on the same question... it read these
non-technical posts that is not really interesting...
And it loose time.
So i would like to know if there is way or someone trying to set
Spamassassin to increase score against message size.
If there is not a "technical" way, just specify it in order to close the
topic
Best regards
Re: increase score according message size
Posted by John Hardin <jh...@impsec.org>.
On Sat, 9 Apr 2011, Benny Pedersen wrote:
>> This to manage a quarantine area.
>> Rejecting the message cause troubles according VIPs that needs to
>> receive some attached files.
>
> email is not a p2p service, install a bittorrent tracker, and make it
> authed to emails sasl users, now the fun starts :)
A CEO reacts rather poorly to being told "email is _not_ a general purpose
file transfer utility." BTDT.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
My sidearm is a piece of emergency equipment. It absolutely must
be reliable, not "smart".
-----------------------------------------------------------------------
4 days until Thomas Jefferson's 268th Birthday
Re: increase score according message size
Posted by Benny Pedersen <me...@junc.org>.
> This to manage a quarantine area.
> Rejecting the message cause troubles according VIPs that needs to
> receive some attached files.
email is not a p2p service, install a bittorrent tracker, and make it
authed to emails sasl users, now the fun starts :)
Re: increase score according message size
Posted by David Touzeau <da...@touzeau.eu>.
Le samedi 09 avril 2011 à 02:49 +0200, Mikael Syska a écrit :
> Hi,
>
> On Sat, Apr 9, 2011 at 2:43 AM, David Touzeau <da...@touzeau.eu> wrote:
> > Dear
> >
> > I would like to increase score according the message size.
> > Instead blocking it by the MTA i would like spamassassin define it has SPAM
> > if it reach a defined value...
>
> Why not just reject the mail if its over x MB at the MTA level? Then
> legit senders would still get a mesesage why there mail was rejected.
> Just discarding large mails seems to me like a very bad discision.
>
> >
> > Best regeads
>
> mvh
> Mikael Syska
This to manage a quarantine area.
Rejecting the message cause troubles according VIPs that needs to
receive some attached files.
Re: increase score according message size
Posted by Mikael Syska <mi...@syska.dk>.
Hi,
On Sat, Apr 9, 2011 at 2:43 AM, David Touzeau <da...@touzeau.eu> wrote:
> Dear
>
> I would like to increase score according the message size.
> Instead blocking it by the MTA i would like spamassassin define it has SPAM
> if it reach a defined value...
Why not just reject the mail if its over x MB at the MTA level? Then
legit senders would still get a mesesage why there mail was rejected.
Just discarding large mails seems to me like a very bad discision.
>
> Best regeads
mvh
Mikael Syska