You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2009/09/03 17:20:23 UTC
Larg PDF Spam
I'm seeing a set of spam, with some very regular easily trapped
text in their headers/body, but with large PDF files that push
the size of the mail outside the 256K limit for running SA.
Anyone have any experience raising that limit? How high can we
go before it really starts to impact performance? I realize
this question contains the big variable of 'how good is my CPU?',
but I figure there might be a 'trip point' for SA, like when a message
gets larger than 25% of physical memory on the box, or some other simple
guideline like that?
- Charles
Re: Larg PDF Spam
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2009-09-03 at 11:20 -0400, Charles Gregory wrote:
> I'm seeing a set of spam, with some very regular easily trapped
> text in their headers/body, but with large PDF files that push
> the size of the mail outside the 256K limit for running SA.
That's your limit. ;) The default for spamc is 500 KByte, at the very
least with all 3.2.x versions. That's more than 2 years.
> Anyone have any experience raising that limit? How high can we
> go before it really starts to impact performance? I realize
> this question contains the big variable of 'how good is my CPU?', [...]
Well, it scales worse than linear -- but that is *only* for the messages
larger than your current threshold. That means those that are currently
not scanned, no impact on the bulk that is smaller anyway.
Also, *most* (not all, mind you) rules only apply to the text parts. So
a PDF won't be scanned by them anyway. Some few raw rules would.
My advice would be to just try it -- at least up to the spamc size
threshold default. After that I'd try increasing slowly and watch
closely.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Larg PDF Spam
Posted by John Hardin <jh...@impsec.org>.
On Thu, 3 Sep 2009, Charles Gregory wrote:
> I'm seeing a set of spam, with some very regular easily trapped text in
> their headers/body, but with large PDF files that push the size of the
> mail outside the 256K limit for running SA.
>
> Anyone have any experience raising that limit? How high can we go before
> it really starts to impact performance? I realize this question contains
> the big variable of 'how good is my CPU?', but I figure there might be a
> 'trip point' for SA, like when a message gets larger than 25% of
> physical memory on the box, or some other simple guideline like that?
I run it at 400k on a VM with 256MB RAM and haven't seen problems. But
then, my email volume is quite low and I have zen and HELO FQDN checks at
SMTP time, which cut the majority of the garbage coming in.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Microsoft is not a standards body.
-----------------------------------------------------------------------
14 days until the 222nd anniversary of the signing of the U.S. Constitution