Posted to users@spamassassin.apache.org by Drew Burchett <Dr...@united-systems.com> on 2008/03/12 14:37:58 UTC
Scanning without attachments
I've noticed a new trend in spam on my mail server that is getting by
SpamAssassin. The spammer is creating his message and then attaching a
couple of garbage PDFs to the email. These PDFs make it too large for
SpamAssassin to scan the message, so it gets by the system. I have
tried turning up the size so SpamAssassin will scan it, but it takes WAY
too long to scan a message. Does anyone have any suggestions on how I
could catch/scan these messages without putting too much of a load on
SpamAssassin?
Drew Burchett
United Systems & Software
Ph: (270)527-3293
Fax: (270)527-3132
Re: Scanning without attachments
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Henrik K wrote:
> On Wed, Mar 12, 2008 at 11:16:32AM -0400, Randy Ramsdell wrote:
>
>> Henrik K wrote:
>>
>>> On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>>>
>>>
>>>> You can use spamassassin and clamav with or without Amavis, but to
>>>> check the message, you must make a system wide change that will
>>>> affect every message. Bypassing file size limits with any of those
>>>> setups might not be an ideal solution. After a brief read on
>>>> Sanesecurity signatures, it appears that the size limits will still
>>>> come into the equation and again, a system wide setting change is
>>>> required.
>>>>
>>>>
>>> What are you talking about? I have no limits on size for ClamAV scans.
>>>
>>>
>>>
>> I am talking about message/attachment size limits or was that a
>> rhetorical question? You can set the size limit which I believe is
>> "StreamMaxLength." From the docs, this should be set to the mail server
>> size limit so maybe it isn't a factor. The addon for clamav does seem to
>> be interesting given this.
>>
>
> Of course it's not a factor. StreamMaxLength is only applied when the clamd
> daemon is on a separate server. And even more, the default is 10MB which is
> more than enough for what we are talking about. I really doubt spammers
> would be sending _that_ big files.
>
>
I agreed that size does not matter. :) But I was mostly responding to
your statement "I have no limits on size for ClamAV scans," but there
are message size limits that can be set. So you do have limits.
> Just get the Sanesecurity signatures and be done with it, it will help a lot
> in any case. Maybe it has signatures for these "big" spams too. Also if you
> are using amavisd-new, you should set virus_name_to_spam_score_maps
> accordingly.
>
>
Just get "Sanesecurity signatures" even though it has nothing to do with
the large file attachments directly? I actually looked into this
technology because of the thread, but it doesn't help in my case.
Re: Scanning without attachments
Posted by Henrik K <he...@hege.li>.
On Wed, Mar 12, 2008 at 11:16:32AM -0400, Randy Ramsdell wrote:
> Henrik K wrote:
>> On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>>
>>> You can use spamassassin and clamav with or without Amavis, but to
>>> check the message, you must make a system wide change that will
>>> affect every message. Bypassing file size limits with any of those
>>> setups might not be an ideal solution. After a brief read on
>>> Sanesecurity signatures, it appears that the size limits will still
>>> come into the equation and again, a system wide setting change is
>>> required.
>>>
>>
>> What are you talking about? I have no limits on size for ClamAV scans.
>>
>>
> I am talking about message/attachment size limits or was that a
> rhetorical question? You can set the size limit which I believe is
> "StreamMaxLength." From the docs, this should be set to the mail server
> size limit so maybe it isn't a factor. The addon for clamav does seem to
> be interesting given this.
Of course it's not a factor. StreamMaxLength is only applied when the clamd
daemon is on a separate server. And even more, the default is 10MB which is
more than enough for what we are talking about. I really doubt spammers
would be sending _that_ big files.
Just get the Sanesecurity signatures and be done with it, it will help a lot
in any case. Maybe it has signatures for these "big" spams too. Also if you
are using amavisd-new, you should set virus_name_to_spam_score_maps
accordingly.
Re: Scanning without attachments
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Henrik K wrote:
> On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>
>> You can use spamassassin and clamav with or without Amavis, but to check
>> the message, you must make a system wide change that will affect every
>> message. Bypassing file size limits with any of those setups might not
>> be an ideal solution. After a brief read on Sanesecurity signatures, it
>> appears that the size limits will still come into the equation and
>> again, a system wide setting change is required.
>>
>
> What are you talking about? I have no limits on size for ClamAV scans.
>
>
I am talking about message/attachment size limits or was that a
rhetorical question? You can set the size limit which I believe is
"StreamMaxLength." From the docs, this should be set to the mail server
size limit so maybe it isn't a factor. The addon for clamav does seem to
be interesting given this.
rcr
Re: Scanning without attachments
Posted by Henrik K <he...@hege.li>.
On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
>
> You can use spamassassin and clamav with or without Amavis, but to check
> the message, you must make a system wide change that will affect every
> message. Bypassing file size limits with any of those setups might not
> be an ideal solution. After a brief read on Sanesecurity signatures, it
> appears that the size limits will still come into the equation and
> again, a system wide setting change is required.
What are you talking about? I have no limits on size for ClamAV scans.
Re: Scanning without attachments
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Henrik K wrote:
> On Wed, Mar 12, 2008 at 09:48:37AM -0400, Randy Ramsdell wrote:
>
>> Drew Burchett wrote:
>>
>>> I've noticed a new trend in spam on my mail server that is getting by
>>> SpamAssassin. The spammer is creating his message and then attaching a
>>> couple of garbage PDFs to the email. These PDFs make it too large for
>>> SpamAssassin to scan the message, so it gets by the system. I have
>>> tried turning up the size so SpamAssassin will scan it, but it takes WAY
>>> too long to scan a message. Does anyone have any suggestions on how I
>>> could catch/scan these messages without putting too much of a load on
>>> SpamAssassin?
>>>
>>> Drew Burchett
>>> United Systems & Software
>>> Ph: (270)527-3293
>>> Fax: (270)527-3132
>>>
>>>
>>>
>>>
>> And it works too. I suppose more spammers don't use this technique more
>> often and so far, I have not found a nice way to deal with it.
>>
>
> Probably ClamAV is the way to go for big messages. Try Sanesecurity
> signatures if you don't already.
>
>
You can use spamassassin and clamav with or without Amavis, but to check
the message, you must make a system wide change that will affect every
message. Bypassing file size limits with any of those setups might not
be an ideal solution. After a brief read on Sanesecurity signatures, it
appears that the size limits will still come into the equation and
again, a system wide setting change is required.
Randy Ramsdell
Re: Scanning without attachments
Posted by Henrik K <he...@hege.li>.
On Wed, Mar 12, 2008 at 09:48:37AM -0400, Randy Ramsdell wrote:
> Drew Burchett wrote:
>> I've noticed a new trend in spam on my mail server that is getting by
>> SpamAssassin. The spammer is creating his message and then attaching a
>> couple of garbage PDFs to the email. These PDFs make it too large for
>> SpamAssassin to scan the message, so it gets by the system. I have
>> tried turning up the size so SpamAssassin will scan it, but it takes WAY
>> too long to scan a message. Does anyone have any suggestions on how I
>> could catch/scan these messages without putting too much of a load on
>> SpamAssassin?
>>
>> Drew Burchett
>> United Systems & Software
>> Ph: (270)527-3293
>> Fax: (270)527-3132
>>
>>
>>
>
> And it works too. I suppose more spammers don't use this technique more
> often and so far, I have not found a nice way to deal with it.
Probably ClamAV is the way to go for big messages. Try Sanesecurity
signatures if you don't already.
Re: Scanning without attachments
Posted by Randy Ramsdell <rr...@livedatagroup.com>.
Drew Burchett wrote:
> I've noticed a new trend in spam on my mail server that is getting by
> SpamAssassin. The spammer is creating his message and then attaching a
> couple of garbage PDFs to the email. These PDFs make it too large for
> SpamAssassin to scan the message, so it gets by the system. I have
> tried turning up the size so SpamAssassin will scan it, but it takes WAY
> too long to scan a message. Does anyone have any suggestions on how I
> could catch/scan these messages without putting too much of a load on
> SpamAssassin?
>
> Drew Burchett
> United Systems & Software
> Ph: (270)527-3293
> Fax: (270)527-3132
>
>
>
And it works too. I suppose more spammers don't use this technique more
often and so far, I have not found a nice way to deal with it.
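
An added example, not from any poster in this thread or from the SpamAssassin project: one way to do what the subject line asks is to hand the content scanner a reduced copy of the message that keeps the headers, the text bodies and each attachment's MIME headers but empties the attachment bodies, so the copy stays under the size limit. The `X-Scan-View-Dropped` header name, the function names and the sample message are assumptions made for this sketch.

```python
import email
from email import policy
from email.message import EmailMessage

def scan_view(raw: bytes):
    """Return (reduced_message_bytes, dropped_parts) for a raw RFC 5322 message.

    Text bodies and every MIME header are kept; the body of each attachment or
    non-text part is emptied, so the copy stays under the scanner's size limit.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    dropped = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers only hold other parts
        if part.get_content_maintype() == "text" and not part.is_attachment():
            continue  # inline text is what the content rules need to see
        size = len(part.get_payload(decode=True) or b"")
        dropped.append((part.get_filename() or "", part.get_content_type(), size))
        part.set_payload("")  # keep Content-Type/Disposition, drop the bytes
    # X-Scan-View-Dropped is a hypothetical header name used only in this example.
    total = sum(size for _, _, size in dropped)
    msg["X-Scan-View-Dropped"] = f"{len(dropped)} parts, {total} bytes"
    return msg.as_bytes(), dropped

# Constructed sample input: a short text body plus two 300000-byte junk "PDFs".
GARBAGE_PDF = b"%PDF-1.4\n" + b"\x00" * 299_991

def build_sample() -> bytes:
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Limited time offer"
    m.set_content("Limited time offer, reply today.\n")
    for name in ("a.pdf", "b.pdf"):
        m.add_attachment(GARBAGE_PDF, maintype="application",
                         subtype="pdf", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    original = build_sample()
    reduced, dropped = scan_view(original)
    print(len(original), "->", len(reduced), dropped)
```

Only the reduced copy would go to the content scanner; the original message is what gets delivered, and rules that inspect attachment bodies will not fire on the copy, so the attachments still need the ClamAV pass suggested in the thread.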