Posted to users@spamassassin.apache.org by a....@ukgrid.net on 2010/10/25 18:31:33 UTC
spamc not scanning file, spamassassin command ok
Hi all,
a couple of spam email messages got past our spamassassin scanner
today, and on investigation I found some odd behaviour. Our mail
system scans via a pipe using the following command
"/usr/local/bin/spamc -u mailnull". If I cat the spam mail file in
question by doing a cat and pipe into this command it instantly
returns the message unmodified. If I test another email message, it
scans it for a few seconds then outputs the modified mail with updated
header showing spam score.
I also tested running the spamassassin command on the mail which is
getting passed, this correctly marks the mail as spam.
The dodgy email contains an attachment, if I make a copy of the mail
file and delete the email attachment and then scan via spamc it IS
correctly processed and marked as spam. The file with attachment is
only 600K so I don't see why this should cause a problem.
Any idea what would cause this behaviour?
thanks in advance, Andy.
Re: spamc not scanning file, spamassassin command ok
Posted by a....@ukgrid.net.
Quoting John Hardin <jh...@impsec.org>:
> Yes, the default size limit on messages that spamc enforces is less
> than 600k.
>
> If you want to scan larger messages you must override that default.
> Please see the list archives for the pros and cons.
Ah ok! Thanks! Think I can up it to at least 1Mb based on CPU usage I'm
seeing...
cheers Andy.
Re: spamc not scanning file, spamassassin command ok
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> In case it's of interest to the list, the spam in question gets very
> high spamassassin rating of 15.3 but was passing by the scanner on the
> size limit. The attachment is a JPG of 600k which is a scan of a scam
600k JPEG? That'd be about 800k base64 encoded.
> letter about bank transfers etc with South Africa. It does not seem to
> contain any virus (shows as clean with Clam AV and Microsoft SE) so
> isn't blocked on this.
> Looks a bit like they stuck the JPG in just to get past this type of
> spam scan size limit...
Frankly, I don't think it is deliberately to get past the threshold.
I've been observing a recent casino spam run, featuring an all-shiny
HTML message almost exclusively assembled by images. A few of them
exceeded my threshold. Most don't. Which makes it appear more like an
accidental evasion.
Regarding your specific sample -- well, honestly, I don't think the
average 419 scammer is even smart enough to worry about a threshold. Too
often they even screw up the copy-n-paste, not to mention all the
horrible, brain-hurting things I've seen reviewing the scam corpus.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spamc not scanning file, spamassassin command ok
Posted by a....@ukgrid.net.
Quoting Karsten Bräckelmann <gu...@rudersport.de>:
>
> That would specifically include my name, I guess. ;) Good additional
> search terms would include size, limit, threshold and of course spamc.
> Time range should be the last couple months, maybe half a year.
>
> Since this topic appears to come up more often recently, maybe I should
> spend some time on re-writing all the stuff in a few list posts into a
> single page on our wiki. *sigh*
>
In case it's of interest to the list, the spam in question gets very
high spamassassin rating of 15.3 but was passing by the scanner on the
size limit. The attachment is a JPG of 600k which is a scan of a scam
letter about bank transfers etc with South Africa. It does not seem to
contain any virus (shows as clean with Clam AV and Microsoft SE) so
isn't blocked on this.
Looks a bit like they stuck the JPG in just to get past this type of
spam scan size limit...
ta Andy.
Re: spamc not scanning file, spamassassin command ok
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2010-10-25 at 09:47 -0700, John Hardin wrote:
> On Mon, 25 Oct 2010, a.smith@ukgrid.net wrote:
>
> > The dodgy email contains an attachment, if I make a copy of the mail
> > file and delete the email attachment and then scan via spamc it IS
> > correctly processed and marked as spam. The file with attachment is only
> > 600K so I don't see why this should cause a problem.
Please see 'man spamc'.
> > Any idea what would cause this behaviour?
>
> Yes, the default size limit on messages that spamc enforces is less than
> 600k.
>
> If you want to scan larger messages you must override that default. Please
> see the list archives for the pros and cons.
That would specifically include my name, I guess. ;) Good additional
search terms would include size, limit, threshold and of course spamc.
Time range should be the last couple months, maybe half a year.
Since this topic appears to come up more often recently, maybe I should
spend some time on re-writing all the stuff in a few list posts into a
single page on our wiki. *sigh*
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spamc not scanning file, spamassassin command ok
Posted by John Hardin <jh...@impsec.org>.
On Mon, 25 Oct 2010, a.smith@ukgrid.net wrote:
> The dodgy email contains an attachment, if I make a copy of the mail
> file and delete the email attachment and then scan via spamc it IS
> correctly processed and marked as spam. The file with attachment is only
> 600K so I don't see why this should cause a problem.
>
> Any idea what would cause this behaviour?
Yes, the default size limit on messages that spamc enforces is less than
600k.
If you want to scan larger messages you must override that default. Please
see the list archives for the pros and cons.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If "healthcare is a Right" means that the government is obligated
to provide the people with hospitals, physicians, treatments and
medications at low or no cost, then the right to free speech means
the government is obligated to provide the people with printing
presses and public address systems, the right to freedom of
religion means the government is obligated to build churches for the
people, and the right to keep and bear arms means the government is
obligated to provide the people with guns, all at low or no cost.
-----------------------------------------------------------------------
53 days until TRON Legacy
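An added example, not part of any post in this thread: it builds a constructed message with a 600 KB attachment, measures its size after base64 encoding (the "about 800k" mentioned above), and checks it against the spamc size limit discussed in the replies. The 500 KB default is taken as an assumption from 'man spamc'; the function names are hypothetical and the addresses are placeholders.

```python
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumption: 500 KB is the default that 'man spamc' documents for -s/--max-size.
SPAMC_DEFAULT_MAX_SIZE = 500 * 1024


def build_message(attachment_len):
    """Constructed sample: short text body plus an optional fake JPEG attachment."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("Please see the attached letter.\n"))
    if attachment_len:
        data = bytes(range(256)) * (attachment_len // 256)  # filler, not a real image
        msg.attach(MIMEImage(data, _subtype="jpeg"))  # base64 encoded by default
    return msg.as_bytes()


def would_be_scanned(raw, max_size=SPAMC_DEFAULT_MAX_SIZE):
    """spamc returns anything larger than max_size unprocessed."""
    return len(raw) <= max_size


def spamc_command(max_size):
    """The pipe command from the thread with the limit overridden via -s (bytes)."""
    return ["/usr/local/bin/spamc", "-u", "mailnull", "-s", str(max_size)]


def report(raw, max_size=SPAMC_DEFAULT_MAX_SIZE):
    """One-line summary suitable for a mail filter log."""
    verdict = "scanned" if would_be_scanned(raw, max_size) else "PASSED THROUGH UNSCANNED"
    return f"{len(raw):>8} bytes, limit {max_size:>8}: {verdict}"


if __name__ == "__main__":
    with_jpg = build_message(600 * 1024)
    without_jpg = build_message(0)
    print(report(without_jpg))              # small message: scanned
    print(report(with_jpg))                 # over the default limit: skipped
    print(report(with_jpg, 1024 * 1024))    # raised limit: scanned
    print(" ".join(spamc_command(1024 * 1024)))
```

Logging the size of every message that exceeds the limit makes unscanned pass-through visible instead of silent.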