Posted to users@spamassassin.apache.org by Drew Burchett <Dr...@united-systems.com> on 2008/03/12 14:37:58 UTC

Scanning without attachments

I've noticed a new trend in spam on my mail server that is getting by
SpamAssassin.  The spammer is creating his message and then attaching a
couple of garbage PDFs to the email.  These PDFs make it too large for
SpamAssassin to scan the message, so it gets by the system.  I have
tried turning up the size so SpamAssassin will scan it, but it takes WAY
too long to scan a message.  Does anyone have any suggestions on how I
could catch/scan these messages without putting too much of a load on
SpamAssassin?

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax:  (270)527-3132





Re: Scanning without attachments

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Henrik K wrote:
> On Wed, Mar 12, 2008 at 11:16:32AM -0400, Randy Ramsdell wrote:
>   
>> Henrik K wrote:
>>     
>>> On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>>>   
>>>       
>>>> You can use spamassassin and clamav with or without Amavis, but to 
>>>> check  the message, you must make a system wide change that will 
>>>> affect every  message. Bypassing file size limits with any of those 
>>>> setups might not  be an ideal solution. After a brief read on 
>>>> Sanesecurity signatures, it  appears that the size limits will still 
>>>> come into the equation and  again, a system wide setting change is 
>>>> required.
>>>>     
>>>>         
>>> What are you talking about? I have no limits on size for ClamAV scans.
>>>
>>>   
>>>       
>> I am talking about message/attachment size limits or was that a  
>> rhetorical question? You can set the size limit which I believe is  
>> "StreamMaxLength." From the docs, this should be set to the mail server  
>> size limit so maybe it isn't a factor. The addon for clamav does seem to  
>> be interesting given this.
>>     
>
> Of course it's not a factor. StreamMaxLength is only applied when the clamd
> daemon is on a separate server. And even more, the default is 10MB which is
> more than enough for what we are talking about. I really doubt spammers
> would be sending _that_ big files.
>
>   
I agreed that size does not matter. :) But I was mostly responding to 
your statement "I have no limits on size for ClamAV scans," but there 
are message size limits that can be set. So you do have limits.
> Just get the Sanesecurity signatures and be done with it, it will help a lot
> in any case. Maybe it has signatures for these "big" spams too. Also if you
> are using amavisd-new, you should set virus_name_to_spam_score_maps
> accordingly.
>
>   
Just get "Sanesecurity signatures" even though it has nothing to do with 
the large file attachments directly? I actually looked into this 
technology because of the thread, but it doesn't help in my case. 

Re: Scanning without attachments

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 12, 2008 at 11:16:32AM -0400, Randy Ramsdell wrote:
> Henrik K wrote:
>> On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>>   
>>> You can use spamassassin and clamav with or without Amavis, but to 
>>> check  the message, you must make a system wide change that will 
>>> affect every  message. Bypassing file size limits with any of those 
>>> setups might not  be an ideal solution. After a brief read on 
>>> Sanesecurity signatures, it  appears that the size limits will still 
>>> come into the equation and  again, a system wide setting change is 
>>> required.
>>>     
>>
>> What are you talking about? I have no limits on size for ClamAV scans.
>>
>>   
> I am talking about message/attachment size limits or was that a  
> rhetorical question? You can set the size limit which I believe is  
> "StreamMaxLength." From the docs, this should be set to the mail server  
> size limit so maybe it isn't a factor. The addon for clamav does seem to  
> be interesting given this.

Of course it's not a factor. StreamMaxLength is only applied when the clamd
daemon is on a separate server. And even more, the default is 10MB which is
more than enough for what we are talking about. I really doubt spammers
would be sending _that_ big files.

Just get the Sanesecurity signatures and be done with it, it will help a lot
in any case. Maybe it has signatures for these "big" spams too. Also if you
are using amavisd-new, you should set virus_name_to_spam_score_maps
accordingly.


Re: Scanning without attachments

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Henrik K wrote:
> On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>   
>> You can use spamassassin and clamav with or without Amavis, but to check  
>> the message, you must make a system wide change that will affect every  
>> message. Bypassing file size limits with any of those setups might not  
>> be an ideal solution. After a brief read on Sanesecurity signatures, it  
>> appears that the size limits will still come into the equation and  
>> again, a system wide setting change is required.
>>     
>
> What are you talking about? I have no limits on size for ClamAV scans.
>
>   
I am talking about message/attachment size limits or was that a 
rhetorical question? You can set the size limit which I believe is 
"StreamMaxLength." From the docs, this should be set to the mail server 
size limit so maybe it isn't a factor. The addon for clamav does seem to 
be interesting given this.

rcr

Re: Scanning without attachments

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>
> You can use spamassassin and clamav with or without Amavis, but to check  
> the message, you must make a system wide change that will affect every  
> message. Bypassing file size limits with any of those setups might not  
> be an ideal solution. After a brief read on Sanesecurity signatures, it  
> appears that the size limits will still come into the equation and  
> again, a system wide setting change is required.

What are you talking about? I have no limits on size for ClamAV scans.


Re: Scanning without attachments

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Henrik K wrote:
> On Wed, Mar 12, 2008 at 09:48:37AM -0400, Randy Ramsdell wrote:
>   
>> Drew Burchett wrote:
>>     
>>> I've noticed a new trend in spam on my mail server that is getting by
>>> SpamAssassin.  The spammer is creating his message and then attaching a
>>> couple of garbage PDFs to the email.  These PDFs make it too large for
>>> SpamAssassin to scan the message, so it gets by the system.  I have
>>> tried turning up the size so SpamAssassin will scan it, but it takes WAY
>>> too long to scan a message.  Does anyone have any suggestions on how I
>>> could catch/scan these messages without putting too much of a load on
>>> SpamAssassin?
>>>
>>> Drew Burchett
>>> United Systems & Software
>>> Ph:  (270)527-3293
>>> Fax:  (270)527-3132
>>>
>>>
>>>   
>>>       
>> And it works too. I suppose more spammers don't use this technique more  
>> often and so far, I have not found a nice way to deal with it.
>>     
>
> Probably ClamAV is the way to go for big messages. Try Sanesecurity
> signatures if you don't already.
>
>   
You can use spamassassin and clamav with or without Amavis, but to check 
the message, you must make a system wide change that will affect every 
message. Bypassing file size limits with any of those setups might not 
be an ideal solution. After a brief read on Sanesecurity signatures, it 
appears that the size limits will still come into the equation and 
again, a system wide setting change is required.

Randy Ramsdell

Re: Scanning without attachments

Posted by Henrik K <he...@hege.li>.
On Wed, Mar 12, 2008 at 09:48:37AM -0400, Randy Ramsdell wrote:
> Drew Burchett wrote:
>> I've noticed a new trend in spam on my mail server that is getting by
>> SpamAssassin.  The spammer is creating his message and then attaching a
>> couple of garbage PDFs to the email.  These PDFs make it too large for
>> SpamAssassin to scan the message, so it gets by the system.  I have
>> tried turning up the size so SpamAssassin will scan it, but it takes WAY
>> too long to scan a message.  Does anyone have any suggestions on how I
>> could catch/scan these messages without putting too much of a load on
>> SpamAssassin?
>>
>> Drew Burchett
>> United Systems & Software
>> Ph:  (270)527-3293
>> Fax:  (270)527-3132
>>
>>
>>   
>
> And it works too. I suppose more spammers don't use this technique more  
> often and so far, I have not found a nice way to deal with it.

Probably ClamAV is the way to go for big messages. Try Sanesecurity
signatures if you don't already.


Re: Scanning without attachments

Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Drew Burchett wrote:
> I've noticed a new trend in spam on my mail server that is getting by
> SpamAssassin.  The spammer is creating his message and then attaching a
> couple of garbage PDFs to the email.  These PDFs make it too large for
> SpamAssassin to scan the message, so it gets by the system.  I have
> tried turning up the size so SpamAssassin will scan it, but it takes WAY
> too long to scan a message.  Does anyone have any suggestions on how I
> could catch/scan these messages without putting too much of a load on
> SpamAssassin?
>
> Drew Burchett
> United Systems & Software
> Ph:  (270)527-3293
> Fax:  (270)527-3132
>
>
>   

And it works too. I suppose more spammers don't use this technique more 
often and so far, I have not found a nice way to deal with it.
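
One way to give the content filter a copy small enough to scan, as the thread subject suggests; this is an added example, not code from any poster in this thread. The function names, the `X-Scan-Stripped` header and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

INLINE_TEXT = {"text/plain", "text/html"}

def reduce_for_scan(raw: bytes, max_text_chars: int = 32768):
    """Return (reduced_bytes, stubs): the message with attachment bodies
    replaced by one-line stubs and inline text capped at max_text_chars."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stubs = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        inline_text = (ctype in INLINE_TEXT
                       and part.get_content_disposition() != "attachment")
        if inline_text:
            text = part.get_content()
            if len(text) > max_text_chars:
                subtype = part.get_content_subtype()
                part.clear_content()
                part.set_content(text[:max_text_chars], subtype=subtype)
            continue
        # Anything else is an attachment: record it, keep only a stub.
        size = len(part.get_payload(decode=True) or b"")
        name = part.get_filename() or "unnamed"
        stubs.append((ctype, name, size))
        part.clear_content()
        part.set_content(f"[stripped {ctype} {name!r}, {size} bytes]\n")
    # Hypothetical header so downstream rules can see what was removed.
    msg["X-Scan-Stripped"] = str(len(stubs))
    return msg.as_bytes(), stubs

def build_sample(pdf_bytes: int = 400_000) -> bytes:
    """Constructed sample: short text body plus two padded 'PDF' attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("Short body text that the filter should still see.\n")
    for i in range(2):
        m.add_attachment(b"%PDF-1.4\n" + b"\0" * pdf_bytes,
                         maintype="application", subtype="pdf",
                         filename=f"doc{i}.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample()
    reduced, stubs = reduce_for_scan(raw)
    print(len(raw), "->", len(reduced), stubs)
```

The reduced copy is for scoring only; the original message is what gets delivered and what the virus scanner sees.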