http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5393
------- Additional Comments From [EMAIL PROTECTED] 2007-03-30 09:43 ------- (In reply to comment #11) > In reply to comment #10, is not the epilog supposed to be small? After all, > if > it is to be discarded (according to the RFCs), what would be the purpose in > making it large, possibly larger than the legitimate body of the mail itself? > > Maybe there is no point in scanning an epilog that is 200KB in size. Or 1KB > in > size. Maybe just add one point to the message for every KB of size of the > epilog and be done with it. For less than 27KB (about the standard size for > an > image spam these days) scan the epilog, as it is no bigger than a typical > spam > mail that you do feel is worth scanning. > > The argument that putting large quantities of garbage in the epilog will > prevent spam scanning or use up system resources doesn't hold. Since this is > supposed to be ignored by MUAs, then by definition it is NOT supposed to have > valid content. It is sufficient to detect that it DOES contain valid content > and score that fact appropriately. Detailed scanning on "typically sized" > content would merely be a bonus. I think that's a very important point: the choice is not a binary choice between scanning whatever epilogue there is as if it were a normal part of normal mail or not scanning it at all. There are potentially interesting features that could be detected without doing a full scan of the epilogue, including simple existence, absolute size, and size relative to valid MIME parts. I've now seen 3 such messages in the wild, all of which had effectively empty MIME parts consisting of a small number of blank lines. FWIW, I think the risk of overload attacks by the use of large epilogues is also relatively low. It is already common (e.g. implemented in the MIMEDefang sample code for using SA) to exempt large messages from SA scanning completely. That path has itself been attacked by image spammers, but it remains useful to cap the size of messages subjected to SA scanning. That practice also would limit overload attacks via large epilogues. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
