https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8314
Bug ID: 8314
Summary: spam scoring aborted by unreasonable packet size
Product: Spamassassin
Version: 4.0.2
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: spamc/spamd
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
This is on a Debian 12 VPS running postfix + spamassassin + dovecot.
I'm seeing log entries like this:
2025-02-12T07:27:09.159579+00:00 hwsrv-901112 postfix/smtpd[81255]: connect from tor-exit-relay-gelios.space[193.218.118.137]
2025-02-12T07:27:09.161822+00:00 hwsrv-901112 spamd[67159]: spamd: connection from localhost [127.0.0.1]:49682 to port 783, fd 6
2025-02-12T07:27:39.163085+00:00 hwsrv-901112 spamd[67159]: spamd: timeout: (30 second socket timeout reading input from client)
2025-02-12T07:27:39.165024+00:00 hwsrv-901112 postfix/smtpd[81255]: warning: milter inet:localhost:783: unreasonable packet length: 1397768525 > 1073741823
2025-02-12T07:27:39.165201+00:00 hwsrv-901112 postfix/smtpd[81255]: warning: milter inet:localhost:783: read error in initial handshake
2025-02-12T07:27:40.742525+00:00 hwsrv-901112 postfix/smtpd[81255]: Anonymous TLS connection established from tor-exit-relay-gelios.space[193.218.118.137]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-02-12T07:27:45.343522+00:00 hwsrv-901112 policyd-spf[81307]: : prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=193.218.118.137; helo=yahoo.com; [email protected]; receiver=ardsleyhigh73.com
2025-02-12T07:27:45.355336+00:00 hwsrv-901112 postfix/smtpd[81255]: 568E6CB3: client=tor-exit-relay-gelios.space[193.218.118.137]
2025-02-12T07:28:00.973016+00:00 hwsrv-901112 postfix/cleanup[81308]: 568E6CB3: message-id=<[email protected]>
2025-02-12T07:28:01.206046+00:00 hwsrv-901112 postfix/qmgr[68948]: 568E6CB3: from=<[email protected]>, size=37382, nrcpt=2 (queue active)
2025-02-12T07:28:01.628369+00:00 hwsrv-901112 postfix/smtp[81322]: Untrusted TLS connection established to arcabama-com.mail.protection.outlook.com[52.101.194.4]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signatu>
2025-02-12T07:28:02.325197+00:00 hwsrv-901112 postfix/smtpd[81255]: disconnect from tor-exit-relay-gelios.space[193.218.118.137] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2025-02-12T07:28:03.265008+00:00 hwsrv-901112 postfix/smtp[81322]: 568E6CB3: to=<[email protected]>, orig_to=<[email protected]>, relay=arcabama-com.mail.protection.outlook.com[52.101.194.4]:25, delay=22, delays=20/0.08/0.43/1.5, dsn=2.6.0, status=sent (250 2.6.0>
2025-02-12T07:28:03.265595+00:00 hwsrv-901112 postfix/qmgr[68948]: 568E6CB3: removed
While the targeted email account is simply a forwarder to another one of my
accounts (on a different domain), I don't think that's significant.
The problem is no spam header flags are added to the email when it is
forwarded. I've verified this by examining the headers at the destination.
It looks to me like the spammer is circumventing the spamd/spamassassin review
by specifying an unreasonably large packet size. The message itself is only
about 38KB, far below the claimed packet size.
Is there a way to flag this as spam simply because the packet size is too
large? I didn't see anything like that in the documentation.
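Added example, not part of the original report and not Postfix or SpamAssassin code: the milter protocol prefixes each packet with a 4-byte length in network byte order, so the number in an "unreasonable packet length" warning can be turned back into the bytes the peer actually sent. The function names are hypothetical and the second sample line is constructed.

```python
import re
import struct

# Postfix logs this when the 4-byte length prefix of a milter reply exceeds its limit.
WARN_RE = re.compile(
    r"milter (?P<endpoint>\S+): unreasonable packet length: "
    r"(?P<length>\d+) > (?P<limit>\d+)"
)

def decode_length(length):
    """Return the 4 bytes (network byte order) that were read as the length field."""
    return struct.pack("!I", length)

def looks_like_text(raw):
    """True when every byte is printable ASCII: the peer sent text, not a length."""
    return all(0x20 <= b <= 0x7E for b in raw)

def audit(lines):
    """Yield one finding per 'unreasonable packet length' warning in the log lines."""
    for line in lines:
        m = WARN_RE.search(line)
        if not m:
            continue
        length = int(m.group("length"))
        raw = decode_length(length)
        yield {
            "endpoint": m.group("endpoint"),
            "length": length,
            "raw": raw,
            "text_protocol": looks_like_text(raw),
        }

SAMPLE = [
    # From the report's log (wrapped line rejoined).
    "2025-02-12T07:27:39.165024+00:00 hwsrv-901112 postfix/smtpd[81255]: warning: "
    "milter inet:localhost:783: unreasonable packet length: 1397768525 > 1073741823",
    # Constructed line: a length whose bytes are not printable text.
    "2025-02-12T07:30:00.000000+00:00 mx1 postfix/smtpd[100]: warning: "
    "milter inet:localhost:8891: unreasonable packet length: 2147483648 > 1073741823",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For the value in the report the decoded bytes are `SPAM`, printable text rather than a binary length, which is how a reply starting with `SPAMD/` from a spamd listener would appear to a milter client.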