Posted to users@spamassassin.apache.org by Gnanam <gn...@zoniac.com> on 2010/07/21 07:16:29 UTC

Does SpamAssassin perform tests/scans on attachments?

Hi,

Does SpamAssassin perform tests/scans on attachments?

NOTE: I'm using "spamc (client for spamd)" to get only the spam score of the
email message.  The email message passed to spamc is assembled/prepared on
my own, which is in concert with RFC 822,  produced by my web application,
which means that this email message is not received/relayed via SMTP

My original use case is explained here:
http://old.nabble.com/SpamAssassin-Integration-ts28903365.html

Regards,
Gnanam

-- 
View this message in context: http://old.nabble.com/Does-SpamAssassin-perform-tests-scans-on-attachments--tp29222058p29222058.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On 7/20/2010 10:16 PM, Gnanam wrote:
>> Does SpamAssassin perform tests/scans on attachments?

On 20.07.10 22:31, Ted Mittelstaedt wrote:
> Generally, no.  SA skips messages that are larger than a size that you
> set in the config file.  Most attachments are larger than that size.
> Obviously if you have a really small attachment then it will scan it.
>
> The principle of spamming basically is dependent on small messages.
> With small messages you can send scads of them.  With large ones you
> would take too long.

Well, I have seen spams (bulk, unsolicited) containing large attachments -
jpg, doc, pdf... While they are not common (you have described the
reason), they are still annoying, and they are spam (many of them are
from stupid marketing companies or idiots who believe their activities are
something that most people should know about).

So, there are reasons why SA might scan them. Of course, SA can scan only
text parts, but luckily there are plugins that may convert between different
formats, e.g. FuzzyOCR, which tries to read images, and/or ExtractText, which
tries to extract text from other formats so it can be scanned by SA.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends? 

Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-07-21 at 00:08 -0700, Daniel Lemke wrote:
> Ted Mittelstaedt wrote:
> > > How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip,
> > > etc. in that case?
> > 
> > It doesn't.

*nod*

> > At least, not like what you are thinking.
> > As you know an encoded attachment is a series of lines like:
> > 
> > XXHUBKJVHLSJFWSJNDL:SANFKJHSBFSLJRWKSBF
> > DSKJNBFSHNF:LSJFLKSNFLKJSBFLK:SNFLKSNFS
> > FJSHBFLKSHNFLKNSFL:SF:LSNFLKSNFLK:SNFL:
> > KFSLKHFDSHNFKDNFLDKNFLKDNFLKJHDBIAVFBUB
> > 
> > SA scans that.  Of course, there is nothing there that matches
> > anything.

Nope, this is not how SA works in the general case.

As Henrik mentioned in another sub-thread, this is correct only for the
rarely used 'full' rules. And in that case, applies to encoded text
parts just the same.

The most common rules are applied only to the (decoded) textual parts of
a message, and usually even a rendered, normalized version.


> Well in that case, I revoke my adoption regarding the mime types ;)

Don't. ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Daniel Lemke <le...@jam-software.com>.

Ted Mittelstaedt-2 wrote:
> 
> 
> 
> On 7/20/2010 10:46 PM, Gnanam wrote:
>>
>>
>> Ted Mittelstaedt-2 wrote:
>>>
>>> Generally, no.  SA skips messages that are larger than a size that you
>>> set in the config file.  Most attachments are larger than that size.
>>> Obviously if you have a really small attachment then it will scan it.
>>
>> Thanks for that update.
>>
>> Assuming my use case need to do test/scan on attachments as well, thereby
>> I
>> set a large size in the config file, say 5 MB for example.  I also
>> understand that it will take few more seconds to test/scan.
>>
>> How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip,
>> etc.
>> in that case?
>>
> 
> It doesn't.  At least, not like what you are thinking.
> 
> As you know an encoded attachment is a series of lines like:
> 
> XXHUBKJVHLSJFWSJNDL:SANFKJHSBFSLJRWKSBF
> DSKJNBFSHNF:LSJFLKSNFLKJSBFLK:SNFLKSNFS
> FJSHBFLKSHNFLKNSFL:SF:LSNFLKSNFLK:SNFL:
> KFSLKHFDSHNFKDNFLDKNFLKDNFLKJHDBIAVFBUB
> 
> SA scans that.  Of course, there is nothing there that matches
> anything.
> 
> You're thinking SA works like for example clamav.  clamav takes the 
> attachments, mimedecodes them, then unzips them (or unrars them
> or whatever) then scans the decoded, extracted, result.  SA does not
> do this.
> 
> This is why spammers tried hiding spams in graphic images.  (URLs
> and such)  Of course, since it was a URL in a graphic image there
> wasn't anything for the dumb users to click on that would send them
> off to some compromised website.  So even the stupidest spammers
> finally figured out that that trick, while bypassing SA, also
> made the spams equally unusable to the victims they were trying
> to nail.
> 

Well in that case, I revoke my adoption regarding the mime types ;)
But what's the meaning of scanning attachments then at all?

Daniel




Re: Does SpamAssassin perform tests/scans on attachments?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 21 Jul 2010, Karsten Bräckelmann wrote:

> 'body' rules are applied against the textual parts [1], decoded from
> Quoted Printable or Base 64 if necessary, rendered and normalized.
>
> [1] Textual parts depends on the MIME type, not content.

...which is why application/octet-stream "spam.txt" allows obvious 
spam to bypass SA.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If "healthcare is a Right" means that the government is obligated
   to provide the people with hospitals, physicians, treatments and
   medications at low or no cost, then the right to free speech means
   the government is obligated to provide the people with printing
   presses and public address systems, the right to freedom of
   religion means the government is obligated to build churches for the
   people, and the right to keep and bear arms means the government is
   obligated to provide the people with guns, all at low or no cost.
-----------------------------------------------------------------------
  Today: the 41st anniversary of Man's first steps on the Moon

Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Ted Mittelstaedt <te...@ipinc.net>.

On 7/21/2010 10:03 AM, Adam Moffett wrote:
> On 7/21/2010 12:45 PM, Karsten Bräckelmann wrote:
>> On Wed, 2010-07-21 at 12:25 -0400, Adam Moffett wrote:
>>> I've seen people post in the past that SA will demime text attachments,
>>> and now someone says it won't.
>> Ted was answering a question about binary attachments, not text.
>>
>>> What's the real story?
>> It depends. On the rule definition, as explained in the M::SA::Conf
>> docs.
>>
>> 'body' rules are applied against the textual parts [1], decoded from
>> Quoted Printable or Base 64 if necessary, rendered and normalized.
>>
>> 'rawbody' is like the above, but without rendering and normalization.
>> That means, HTML tags and whitespace is preserved as-is.
>>
>> 'full' rules are applied against the raw, pristine, verbatim original
>> message, as fed to SA.
>>
>>
>> [1] Textual parts depends on the MIME type, not content.
>>
> So the answer is all of the above :) Thanks.

Unfortunately, some mail clients seem to think that it's an "advance"
to take perfectly normal ASCII text and encode it into some gibberish
rubbish and then send the rubbish as perfectly normal ASCII text.
Thank you Steve Jobs.

Good catch from Karsten, I had forgotten that not just binaries
can be encoded into text.  Text can be encoded into text. (eyeroll)

Ted

Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Adam Moffett <ad...@plexicomm.net>.
On 7/21/2010 12:45 PM, Karsten Bräckelmann wrote:
> On Wed, 2010-07-21 at 12:25 -0400, Adam Moffett wrote:
>    
>> I've seen people post in the past that SA will demime text attachments,
>> and now someone says it won't.
>>      
> Ted was answering a question about binary attachments, not text.
>
>    
>> What's the real story?
>>      
> It depends. On the rule definition, as explained in the M::SA::Conf
> docs.
>
> 'body' rules are applied against the textual parts [1], decoded from
> Quoted Printable or Base 64 if necessary, rendered and normalized.
>
> 'rawbody' is like the above, but without rendering and normalization.
> That means, HTML tags and whitespace is preserved as-is.
>
> 'full' rules are applied against the raw, pristine, verbatim original
> message, as fed to SA.
>
>
> [1] Textual parts depends on the MIME type, not content.
>
>    
So the answer is all of the above :) Thanks.

Re: Does SpamAssassin perform tests/scans on attachments?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 21 Jul 2010, Karsten Bräckelmann wrote:

> On Wed, 2010-07-21 at 12:25 -0400, Adam Moffett wrote:
> > I've seen people post in the past that SA will demime text attachments,
> > and now someone says it won't.
>
> Ted was answering a question about binary attachments, not text.
>
> > What's the real story?
>
> It depends. On the rule definition, as explained in the M::SA::Conf
> docs.
[snip..]

It further depends upon whether a given SA installation has 3rd
party plugins. There are plugins that add new tests for various kinds
of attachments.
EG:
  ImageInfo & FuzzyOcr add tests for image attachments.

There are plugins which attempt to extract text from DOC, RTF, & PDF
attachments.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-07-21 at 12:25 -0400, Adam Moffett wrote:
> I've seen people post in the past that SA will demime text attachments, 
> and now someone says it won't.

Ted was answering a question about binary attachments, not text.

> What's the real story?

It depends. On the rule definition, as explained in the M::SA::Conf
docs.

'body' rules are applied against the textual parts [1], decoded from
Quoted Printable or Base 64 if necessary, rendered and normalized.

'rawbody' is like the above, but without rendering and normalization.
That means, HTML tags and whitespace is preserved as-is.

'full' rules are applied against the raw, pristine, verbatim original
message, as fed to SA.


[1] Textual parts depends on the MIME type, not content.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
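
Added example (not part of the original thread, and not SpamAssassin's own code): a Python sketch of the three views Karsten describes ('full', 'rawbody', 'body') over a constructed message, plus a check for the case John Hardin raises, a textual payload under a non-text MIME type. The sample message, the simplified `render` step, and the `looks_textual` heuristic with its 0.95 threshold are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def build_sample() -> bytes:
    """Constructed sample: a base64 HTML part plus a text file typed as binary."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    html = "<html><body><p>Quarterly   <b>report</b> attached.</p></body></html>"
    msg.attach(MIMEText(html, "html", "utf-8"))  # utf-8 charset => base64 CTE
    att = MIMEApplication(b"LIMITED OFFER buy now\n", "octet-stream")
    att.add_header("Content-Disposition", "attachment", filename="spam.txt")
    msg.attach(att)
    return msg.as_bytes()


def render(text: str, is_html: bool) -> str:
    """Rough stand-in for SA's rendering: drop tags, collapse whitespace."""
    if is_html:
        text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def rule_views(raw: bytes) -> dict:
    """Return the text each rule type is matched against, per the thread."""
    msg = message_from_bytes(raw, policy=policy.default)
    rawbody, body = [], []
    for part in msg.walk():
        # Selection is by declared MIME type only, never by sniffing content.
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        decoded = part.get_content()  # undoes QP/base64 and the charset
        rawbody.append(decoded)
        body.append(render(decoded, part.get_content_subtype() == "html"))
    return {
        "full": raw.decode("latin-1"),   # pristine message, still encoded
        "rawbody": "\n".join(rawbody),   # decoded, tags and spacing kept
        "body": "\n".join(body),         # decoded, rendered, normalized
    }


def rule_hits(pattern: str, raw: bytes) -> dict:
    """Which rule types would see a match for this regex?"""
    return {kind: bool(re.search(pattern, text))
            for kind, text in rule_views(raw).items()}


def looks_textual(data: bytes, threshold: float = 0.95) -> bool:
    """Hypothetical heuristic: valid UTF-8 and almost entirely printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    ok = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return ok / len(text) >= threshold


def mislabelled_text_parts(raw: bytes) -> list:
    """Non-text parts whose decoded payload is plain text (unseen by body rules)."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True) or b""
        if looks_textual(payload):
            found.append((part.get_content_type(), part.get_filename()))
    return found


if __name__ == "__main__":
    sample = build_sample()
    for pat in (r"Quarterly report", r"<b>report", r"LIMITED OFFER"):
        print(pat, rule_hits(pat, sample))
    print("review:", mislabelled_text_parts(sample))
```
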


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Adam Moffett <ad...@plexicomm.net>.
I've seen people post in the past that SA will demime text attachments, 
and now someone says it won't.

What's the real story?


>
>> It doesn't.  At least, not like what you are thinking.
>>
>> As you know an encoded attachment is a series of lines like:
>>
>> XXHUBKJVHLSJFWSJNDL:SANFKJHSBFSLJRWKSBF
>> DSKJNBFSHNF:LSJFLKSNFLKJSBFLK:SNFLKSNFS
>> FJSHBFLKSHNFLKNSFL:SF:LSNFLKSNFLK:SNFL:
>> KFSLKHFDSHNFKDNFLDKNFLKDNFLKJHDBIAVFBUB
>>
>> SA scans that.  Of course, there is nothing there that matches
>> anything. 
>


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Ted Mittelstaedt <te...@ipinc.net>.

On 7/20/2010 10:46 PM, Gnanam wrote:
>
>
> Ted Mittelstaedt-2 wrote:
>>
>> Generally, no.  SA skips messages that are larger than a size that you
>> set in the config file.  Most attachments are larger than that size.
>> Obviously if you have a really small attachment then it will scan it.
>
> Thanks for that update.
>
> Assuming my use case need to do test/scan on attachments as well, thereby I
> set a large size in the config file, say 5 MB for example.  I also
> understand that it will take few more seconds to test/scan.
>
> How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip, etc.
> in that case?
>

It doesn't.  At least, not like what you are thinking.

As you know an encoded attachment is a series of lines like:

XXHUBKJVHLSJFWSJNDL:SANFKJHSBFSLJRWKSBF
DSKJNBFSHNF:LSJFLKSNFLKJSBFLK:SNFLKSNFS
FJSHBFLKSHNFLKNSFL:SF:LSNFLKSNFLK:SNFL:
KFSLKHFDSHNFKDNFLDKNFLKDNFLKJHDBIAVFBUB

SA scans that.  Of course, there is nothing there that matches
anything.

You're thinking SA works like for example clamav.  clamav takes the 
attachments, mimedecodes them, then unzips them (or unrars them
or whatever) then scans the decoded, extracted, result.  SA does not
do this.

This is why spammers tried hiding spams in graphic images.  (URLs
and such)  Of course, since it was a URL in a graphic image there
wasn't anything for the dumb users to click on that would send them
off to some compromised website.  So even the stupidest spammers
finally figured out that that trick, while bypassing SA, also
made the spams equally unusable to the victims they were trying
to nail.

Ted


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Henrik K <he...@hege.li>.
On Thu, Jul 22, 2010 at 01:27:57AM -0700, Daniel Lemke wrote:
> 
> 
> Henrik K wrote:
> > 
> > But make sure you have SA 3.3, you should use the time_limit [2] local.cf
> > option. If you have latest SA and there are rules which "hang", you should
> > identify them (can't remember the easiest way right now) and maybe post a
> > bug.
> > 
> > [1] http://www.gossamer-threads.com/lists/spamassassin/users/151763
> > [2]
> > http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html
> > 
> > 
> > 
> 
> 
> Hmm, is it possible that time_limit effectively doesn't stop SpamAssassin
> from parsing the regexes? I set it to 5 seconds for testing purposes and fed
> it with a text mail. Scantime was over a minute and no time_limit_exceeded
> reported in the report.

Yep seems so..

"Note that $SIG{ALRM} is used to provide the timeout, so this will not
interrupt out-of-control regular expression matches."

Works even less since most of the rules are priority 0 and there is one hard
check per priority..

PS. Maybe newer Perl version could help a little?


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Daniel Lemke <le...@jam-software.com>.

Henrik K wrote:
> 
> But make sure you have SA 3.3, you should use the time_limit [2] local.cf
> option. If you have latest SA and there are rules which "hang", you should
> identify them (can't remember the easiest way right now) and maybe post a
> bug.
> 
> [1] http://www.gossamer-threads.com/lists/spamassassin/users/151763
> [2]
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html
> 
> 
> 


Hmm, is it possible that time_limit effectively doesn't stop SpamAssassin
from parsing the regexes? I set it to 5 seconds for testing purposes and fed
it with a text mail. Scantime was over a minute and no time_limit_exceeded
reported in the report.


Daniel


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Daniel Lemke <le...@jam-software.com>.

Henrik K wrote:
> 
> But make sure you have SA 3.3, you should use the time_limit [2] local.cf
> option. If you have latest SA and there are rules which "hang", you should
> identify them (can't remember the easiest way right now) and maybe post a
> bug.
> 

There wasn't a rule that actually "hang", it was just the regexes that
consumed such a large amount of scantime because of the size of the mail.

I've had a look at the logs, only two (spam) mails out of 20.000 that had a
size of more than 250kb, so I'm ok with that limit now :)

Daniel


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Henrik K <he...@hege.li>.
On Tue, Jul 20, 2010 at 11:55:58PM -0700, Daniel Lemke wrote:
> 
> As far as I know SpamAssassin looks for the mime type of the message, if
> it's text/xyz it will perform a scan. Be careful in pushing the message size
> limit! As said before, it doesn't make sense to set it to such a large
> value, as spammers WILL NOT send spam messages of that size (it's just too
> expensive in terms of hardware/traffic).

Yes only textual parts are scanned. Exception is the rare "full" rule which
looks at pristine un-decoded message as whole.

> To hijack the thread: Does anyone know an optimum for message size limit?
> Ours is set to 2MB at the moment, but we have problems when receiving large
> text mails (e.g. more than 1MB) as the message check will become REALLY time
> consuming. This leads to a curious situation where our Exchange (or maybe
> it's the external mail server, not sure of that) sends the message again
> after ~55 seconds, so the next child begins checking the mail... And there
> we've got a loop (until the server runs out of memory)...

One option is using amavisd-new which truncates big messages and only lets
SA see the xxx first bytes of message. [1]

Other option is just letting ClamAV+Sanesecurity etc signatures handle the
big messages.

But make sure you have SA 3.3, you should use the time_limit [2] local.cf
option. If you have latest SA and there are rules which "hang", you should
identify them (can't remember the easiest way right now) and maybe post a
bug.

[1] http://www.gossamer-threads.com/lists/spamassassin/users/151763
[2] http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Daniel Lemke <le...@jam-software.com>.

Karsten Bräckelmann-2 wrote:
> 
> On Wed, 2010-07-21 at 01:12 -0700, Ted Mittelstaedt wrote:
>> On 7/20/2010 11:55 PM, Daniel Lemke wrote:
> 
>> > To hijack the thread: Does anyone know an optimum for message size
>> limit?
>> > Ours is set to 2MB at the moment, but we have problems when receiving
>> large
>> > text mails (e.g. more than 1MB) as the message check will become REALLY
>> time
>> > consuming. This leads to a curious situation where our Exchange (or
>> maybe
>> > it's the external mail server, not sure of that) sends the message
>> again
>> > after ~55 seconds, so the next child begins checking the mail... And
>> there
>> > we've got a loop (until the server runs out of memory)...
> 
> So *why* does Exchange re-try after less than a minute?
> 
>> > I set the --timeout-child of spamd to 45 secs now, what's working as a
>> > workaround for now, but there may exist a more solid solution, is that
>> > correct?
> 
> That's a rather low timeout-child value. And it isn't clear if that 45
> secs is a raised or lowered timeout, compared to what you had before.
> 
> If it was even lower before, then that seems to be the issue. And might
> even explain the impatient Exchange. If, however, it was higher before,
> and you lowered it to timeout faster than Exchange forcefully re-trying
> a mail that's still being processed -- you should look after Exchange.
> 


It was higher before, so yes, it's just a dirty workaround to prevent this
curious loop situation. However, I guess it's not an issue with our
Exchange, but with our glue (which implements the SpamAssassin protocol and
some other extensions) between Exchange and SpamAssassin. But with the
lowered message size limit, I hope to avoid this situation anyway.

However, I like that concept of amavisd-new, passing only a specific
amount of bytes to SpamAssassin. Shouldn't be a big deal to implement
something similar in our glue.

Daniel


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-07-21 at 01:12 -0700, Ted Mittelstaedt wrote:
> On 7/20/2010 11:55 PM, Daniel Lemke wrote:

> > To hijack the thread: Does anyone know an optimum for message size limit?
> > Ours is set to 2MB at the moment, but we have problems when receiving large
> > text mails (e.g. more than 1MB) as the message check will become REALLY time
> > consuming. This leads to a curious situation where our Exchange (or maybe
> > it's the external mail server, not sure of that) sends the message again
> > after ~55 seconds, so the next child begins checking the mail... And there
> > we've got a loop (until the server runs out of memory)...

So *why* does Exchange re-try after less than a minute?

> > I set the --timeout-child of spamd to 45 secs now, what's working as a
> > workaround for now, but there may exist a more solid solution, is that
> > correct?

That's a rather low timeout-child value. And it isn't clear if that 45
secs is a raised or lowered timeout, compared to what you had before.

If it was even lower before, then that seems to be the issue. And might
even explain the impatient Exchange. If, however, it was higher before,
and you lowered it to timeout faster than Exchange forcefully re-trying
a mail that's still being processed -- you should look after Exchange.

FWIW, the default is 300 secs. And yes, processing might occasionally
take longer than 55 secs.


> We use the stock default which is 250k and it's fine.  I would not go 

The default is 500 kB. Has been for a while now.

> over 1M, frankly.  Consider that in the time a spammer can send a 2MB 
> spam, they can send 64  64k messages, and even 64k is a huge bit of text 
> to get your hair tonic message across.  A single typed page is
> around 4k.

Just a gut feeling, but I probably wouldn't raise the threshold above
1M, either. Mostly using the default. I have seen spam larger than 500k,
and even larger than 1M, but these are rare.

Ultimately, it also depends on your mail flow, as your description shows
eloquently. If your ham > 500k usually means a binary attachment, you
hardly will notice any difference. But if you frequently receive ham
with large text parts, CPU intensive processing time is likely to go up.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Ted Mittelstaedt <te...@ipinc.net>.

On 7/20/2010 11:55 PM, Daniel Lemke wrote:
>
>
> Gnanam wrote:
>>
>>
>> Ted Mittelstaedt-2 wrote:
>>>
>>> Generally, no.  SA skips messages that are larger than a size that you
>>> set in the config file.  Most attachments are larger than that size.
>>> Obviously if you have a really small attachment then it will scan it.
>>
>> Thanks for that update.
>>
>> Assuming my use case need to do test/scan on attachments as well, thereby
>> I set a large size in the config file, say 5 MB for example.  I also
>> understand that it will take few more seconds to test/scan.
>>
>> How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip,
>> etc. in that case?
>>
>
> As far as I know SpamAssassin looks for the mime type of the message, if
> it's text/xyz it will perform a scan. Be careful in pushing the message size
> limit! As said before, it doesn't make sense to set it to such a large
> value, as spammers WILL NOT send spam messages of that size (it's just too
> expensive in terms of hardware/traffic).
>
> To hijack the thread: Does anyone know an optimum for message size limit?
> Ours is set to 2MB at the moment, but we have problems when receiving large
> text mails (e.g. more than 1MB) as the message check will become REALLY time
> consuming. This leads to a curious situation where our Exchange (or maybe
> it's the external mail server, not sure of that) sends the message again
> after ~55 seconds, so the next child begins checking the mail... And there
> we've got a loop (until the server runs out of memory)...
>
> I set the --timeout-child of spamd to 45 secs now, what's working as a
> workaround for now, but there may exist a more solid solution, is that
> correct?
>

We use the stock default which is 250k and it's fine.  I would not go 
over 1M, frankly.  Consider that in the time a spammer can send a 2MB 
spam, they can send 64  64k messages, and even 64k is a huge bit of text 
to get your hair tonic message across.  A single typed page is
around 4k.

Keep in mind the larger the size of the spam message the more material 
that there is for a content filter to chew on.  A 250k message is going
to have so many repetitions of "pecker" and "bottomless fagina" and
god-knows what else in it, that it makes it easy-pickings for a content
filter like SA to match all sorts of stuff in there.

I know that I probably sound like a broken record but if you run log
analysis of your mailserver you will get a breakdown of sizes.  Please,
go here:

http://www.klake.org/sma/

download, install, you get a pretty report like this:

http://www.klake.org/sma/example.html

get your average message size out of there and off you go.  Ours is 
around 50K

There are other, better, analysis packages out there but that ought
to get you started.

Ted

Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Daniel Lemke <le...@jam-software.com>.

Gnanam wrote:
> 
> 
> Ted Mittelstaedt-2 wrote:
>> 
>> Generally, no.  SA skips messages that are larger than a size that you
>> set in the config file.  Most attachments are larger than that size.
>> Obviously if you have a really small attachment then it will scan it.
> 
> Thanks for that update.
> 
> Assuming my use case need to do test/scan on attachments as well, thereby
> I set a large size in the config file, say 5 MB for example.  I also
> understand that it will take few more seconds to test/scan.
> 
> How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip,
> etc. in that case?
> 

As far as I know SpamAssassin looks for the mime type of the message, if
it's text/xyz it will perform a scan. Be careful in pushing the message size
limit! As said before, it doesn't make sense to set it to such a large
value, as spammers WILL NOT send spam messages of that size (it's just too
expensive in terms of hardware/traffic).

To hijack the thread: Does anyone know an optimum for message size limit?
Ours is set to 2MB at the moment, but we have problems when receiving large
text mails (e.g. more than 1MB) as the message check will become REALLY time
consuming. This leads to a curious situation where our Exchange (or maybe
it's the external mail server, not sure of that) sends the message again
after ~55 seconds, so the next child begins checking the mail... And there
we've got a loop (until the server runs out of memory)...

I set the --timeout-child of spamd to 45 secs now, which is working as a
workaround for now, but there may exist a more solid solution, is that
correct?

Daniel


Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Gnanam <gn...@zoniac.com>.

Ted Mittelstaedt-2 wrote:
> 
> Generally, no.  SA skips messages that are larger than a size that you
> set in the config file.  Most attachments are larger than that size.
> Obviously if you have a really small attachment then it will scan it.

Thanks for that update.

Assuming my use case needs to do test/scan on attachments as well, thereby I
set a large size in the config file, say 5 MB for example.  I also
understand that it will take a few more seconds to test/scan.

How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip, etc.
in that case?



Re: Does SpamAssassin perform tests/scans on attachments?

Posted by Ted Mittelstaedt <te...@ipinc.net>.
Generally, no.  SA skips messages that are larger than a size that you
set in the config file.  Most attachments are larger than that size.
Obviously if you have a really small attachment then it will scan it.

The principle of spamming basically is dependent on small messages.
With small messages you can send scads of them.  With large ones you
would take too long.

Ted

On 7/20/2010 10:16 PM, Gnanam wrote:
>
> Hi,
>
> Does SpamAssassin perform tests/scans on attachments?
>
> NOTE: I'm using "spamc (client for spamd)" to get only the spam score of the
> email message.  The email message passed to spamc is assembled/prepared on
> my own, which is in concert with RFC 822,  produced by my web application,
> which means that this email message is not received/relayed via SMTP
>
> My original use case is explained here:
> http://old.nabble.com/SpamAssassin-Integration-ts28903365.html
>
> Regards,
> Gnanam
>