You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Claudio Kuenzler <na...@gmail.com> on 2019/02/15 10:53:35 UTC
Spamassassin "ignoring" mail with embedded picture
Hello y'all
Came across a strange problem today where a mail is bounced by Postfix
because it was never "accepted" by Spamassassin.
This is the error, Postfix logged:
<re...@example.com>: Command time limit exceeded: "/usr/bin/spamc".
Command
output:[the mail content]
In Spamassassin's log file nothing was logged.
A manual retry of sending the mail (both via remote mail client and local
webmail client) resultet in the mail being stuck in the Postfix queue:
# date
Fri Feb 15 11:19:10 CET 2019
# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D01A1202E3* 4102925 Fri Feb 15 10:08:53 sender@example.com
redacted1@example.com
redacted2@example.com
This stays in the queue until the default timeout (15min) hits and then the
mail gets bounced by Postfix, sending a non-delivery report to the sender
address.
I took this e-mail and sent it manually via spamc to spamd while running
spamd in foreground in debug mode (spamd --D):
# cat /tmp/mailcausingproblems.eml | spamc
-> nothing happened in the terminal where i'm running spamd!
I took a simple test mail and did the same:
# cat /tmp/working.eml | spamc
-> got tons of entries in the terminal where i'm running spamd
I was able to narrow it down to the embedded picture which has a size of
~3.9MB. I placed the whole base64 embedded picture stuff into the
working.eml mail before, sent it again via spamc and same effect as the
original mail (nothing happened).
Is there a size limit active in Spamassassin (spamc or spamd) which would
refuse this e-mail? Even if there is, there should be something logged,
right? Either spamc or spamd should log/output something helpful.
All other mails (with or without attachments) are going through just fine.
Any ideas? Is there a known bug which could cause this behaviour?
Re: Spamassassin "ignoring" mail with embedded picture
Posted by John Hardin <jh...@impsec.org>.
On Fri, 15 Feb 2019, Claudio Kuenzler wrote:
>> Is there a size limit active in Spamassassin (spamc or spamd) which would
>> refuse this e-mail? Even if there is, there should be something logged,
>> right? Either spamc or spamd should log/output something helpful.
>
> Dang it. No idea why I didn't see this before: *s* *max_size*, *--max-size*=
> *max_size*
> According to man spamc the default is 500KB. Bigger content "will be
> returned unprocessed". Hence it will never be sent to spamd, did I
> understand this correctly?
>
> I just tested it again with the embedded picture and an increased max size:
>
> # time cat /tmp/working2.eml | spamc -t 900 -s 8000000
> [...]
> real 3m22.921s
> user 0m0.004s
> sys 0m0.144s
>
> So this worked after all.
It's possible the message got truncated in a manner that confused the
message body parser in a way that caused something like runaway
backtracking in a rule that doesn't expect to be looking at a huge block
of base64 text...
What version of SA are you using?
Is the original message safe (from a privacy standpoint) to provide to
some SA devs to verify whether that's indeed the cause and see if there's
a failure mode we can fix?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
7 days until George Washington's 287th Birthday
Re: Spamassassin "ignoring" mail with embedded picture
Posted by Claudio Kuenzler <na...@gmail.com>.
>
> Is there a size limit active in Spamassassin (spamc or spamd) which would
> refuse this e-mail? Even if there is, there should be something logged,
> right? Either spamc or spamd should log/output something helpful.
>
Dang it. No idea why I didn't see this before: *s* *max_size*, *--max-size*=
*max_size*
According to man spamc the default is 500KB. Bigger content "will be
returned unprocessed". Hence it will never be sent to spamd, did I
understand this correctly?
I just tested it again with the embedded picture and an increased max size:
# time cat /tmp/working2.eml | spamc -t 900 -s 8000000
[...]
real 3m22.921s
user 0m0.004s
sys 0m0.144s
So this worked after all.
Re: Spamassassin "ignoring" mail with embedded picture
Posted by Ian Zimmerman <it...@very.loosely.org>.
On 2019-02-15 16:07, Claudio Kuenzler wrote:
> The man page calls it "will be returned unprocessed"
> What does that mean for Postfix, what kind of response does it get from
> spamc?
It depends on how spamc is invoked. Please read the whole manpage.
If you invoke it just for the exit status, it will exit the same way as
if the mail were determined by spamd to be ham.
If you invoke it to output a modified copy of message (or just headers)
on standard output, it will just echo the original.
I have no idea how postfix calls spamc; I think that should in fact be
your first line of investigation.
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
Re: Spamassassin "ignoring" mail with embedded picture
Posted by "Kevin A. McGrail" <km...@apache.org>.
Just wanted to add that there are new size options coming
It's committed to 4.0 in trunk: Use the new SpamAssassin
rawbody_part_scan_size option to implement limits on scanned data size.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6582
Regards,
KAM
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Spamassassin "ignoring" mail with embedded picture
Posted by Claudio Kuenzler <na...@gmail.com>.
> >I took this e-mail and sent it manually via spamc to spamd while running
> >spamd in foreground in debug mode (spamd --D):
> >
> ># cat /tmp/mailcausingproblems.eml | spamc
> >-> nothing happened in the terminal where i'm running spamd!
>
> >I took a simple test mail and did the same:
> >
> ># cat /tmp/working.eml | spamc
> >-> got tons of entries in the terminal where i'm running spamd
>
> apparently the mail was scanned. look at its headers.
>
Only the "working.eml" testmail was received and scanned by spamd. The
problematic e-mail with the embedded picture "/tmp/mailcausingproblems.eml"
experienced the problem.
Please see my other mail I sent a couple of minutes after my initial mail,
in the meantime I had found the max size parameter for spamc.
>
> >I was able to narrow it down to the embedded picture which has a size of
> >~3.9MB.
>
> strange, spamc should put mail over 500K back unscanned.
>
So what does "put mail ... back" exactly mean?
The man page calls it "will be returned unprocessed"
What does that mean for Postfix, what kind of response does it get from
spamc?
If the mail staid in the mail queue and was obviously waiting for spamc to
respond, shouldn't something have happened?
Re: Spamassassin "ignoring" mail with embedded picture
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 15.02.19 11:53, Claudio Kuenzler wrote:
>Came across a strange problem today where a mail is bounced by Postfix
>because it was never "accepted" by Spamassassin.
>
>This is the error, Postfix logged:
>
><re...@example.com>: Command time limit exceeded: "/usr/bin/spamc".
>Command
> output:[the mail content]
maybe the filtering should not be done by spamc directly. There are other
ways - using spamass-milter, amavisd-milter, amavisd-new as content_filter
or smtp_proxy ...
>In Spamassassin's log file nothing was logged.
>A manual retry of sending the mail (both via remote mail client and local
>webmail client) resultet in the mail being stuck in the Postfix queue:
>
># date
>Fri Feb 15 11:19:10 CET 2019
># mailq
>-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
>D01A1202E3* 4102925 Fri Feb 15 10:08:53 sender@example.com
> redacted1@example.com
> redacted2@example.com
>
>This stays in the queue until the default timeout (15min) hits and then the
>mail gets bounced by Postfix, sending a non-delivery report to the sender
>address.
>
>I took this e-mail and sent it manually via spamc to spamd while running
>spamd in foreground in debug mode (spamd --D):
>
># cat /tmp/mailcausingproblems.eml | spamc
>-> nothing happened in the terminal where i'm running spamd!
>I took a simple test mail and did the same:
>
># cat /tmp/working.eml | spamc
>-> got tons of entries in the terminal where i'm running spamd
apparently the mail was scanned. look at its headers.
>I was able to narrow it down to the embedded picture which has a size of
>~3.9MB.
strange, spamc should put mail over 500K back unscanned.
>I placed the whole base64 embedded picture stuff into the
>working.eml mail before, sent it again via spamc and same effect as the
>original mail (nothing happened).
>
>Is there a size limit active in Spamassassin (spamc or spamd) which would
>refuse this e-mail? Even if there is, there should be something logged,
>right? Either spamc or spamd should log/output something helpful.
spamc default limit is 500K, you can increase it to 256M.
scanning of bigger mail can take minutes, e.g. FuzzyOCR calling OCR
programs. I think the default timeout is 5 minutes.
>All other mails (with or without attachments) are going through just fine.
>
>Any ideas? Is there a known bug which could cause this behaviour?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)