Re: SpamAssassin not parsing/seeing all headers?
> Perhaps there's something in amavisd-new that can't cope with the > dkim headers and has done something that breaks SA's header parsing. > This wouldn't necessarily show-up in the delivered email. Indeed. amavisd+SA says: X-Spam-Status: Yes, score=5.763 tagged_above=2 required=4 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, EMPTY_MESSAGE=2.32, MISSING_DATE=1.36, MISSING_FROM=1, MISSING_HEADERS=1.021, MISSING_MID=0.497, MISSING_SUBJECT=1.799, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, TXREP=-0.842, CRM114.UNSURE(-2.55)=0.510] autolearn=no autolearn_force=no while piping the mail through spamassassin -D says: X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RP_MATCHES_RCVD,SPF_PASS,T_DKIM_INVALID shortcircuit=no autolearn=no autolearn_force=no version=3.4.1 -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
Re: SpamAssassin not parsing/seeing all headers?
On Tue, 2 May 2017 14:04:48 +0100 RW wrote: > > 64 KB - have you seen typical headers from microsoft these days as > > well as others? > > They are much smaller than that. It remains to be seen whether this > limit is causing the OPs problem. And I don't think it is. The 64k limit doesn't seem to affect "exists:" rules. Perhaps there's something in amavisd-new that can't cope with the dkim headers and has done something that breaks SA's header parsing. This wouldn't necessarily show-up in the delivered email. Try running one through spamassassin -D.
Re: SpamAssassin not parsing/seeing all headers?
On Tue, 2 May 2017 14:14:19 +0200 Reindl Harald wrote: against DoS type situations." > > > > > > That's the limit for a specific header. The relevant limit here is > > the limit for total headers of 64k. > > that's both too low and makes it easiy to bypass SA It wouldn't make it bypass SA. > 64 KB - have you seen typical headers from microsoft these days as > well as others? They are much smaller than that. It remains to be seen whether this limit is causing the OPs problem. > 8 KB - well, if someone encodes his whole payload base64 encoded in > the subject you are there It's pretty unlikely that anyone is going to read a subject beyond the first 8K of decoded text.
Re: SpamAssassin not parsing/seeing all headers?
On Tue, 2 May 2017 12:42:52 +0200 Ralf Hildebrandt wrote: > * Ralf Hildebrandt: > > > But the real question is: Why is SA not seeing all the headers? > > Looking at the archives, I find this: > https://lists.gt.net/spamassassin/users/172198 > > "Specifically, I have been adding characters and addresses to the > list of email addresses in the To: header to see at what point my > rule stops being hit. As far as I can tell, it is a byte limit, not a > number of email addresses limit. > > The byte limit (at least in my configuration) seems to be > approximately 8KB" > > And: > > "Pretty sure it's hardcoded at 8k. This was done several years ago to > protect against DoS type situations." That's the limit for a specific header. The relevant limit here is the limit for total headers of 64k.
Re: SpamAssassin not parsing/seeing all headers?
* Ralf Hildebrandt: > But the real question is: Why is SA not seeing all the headers? Looking at the archives, I find this: https://lists.gt.net/spamassassin/users/172198 "Specifically, I have been adding characters and addresses to the list of email addresses in the To: header to see at what point my rule stops being hit. As far as I can tell, it is a byte limit, not a number of email addresses limit. The byte limit (at least in my configuration) seems to be approximately 8KB" And: "Pretty sure it's hardcoded at 8k. This was done several years ago to protect against DoS type situations." If that's the case, is that limit still up-to-date? The default in Postfix (bytes): # postconf -d header_size_limit header_size_limit = 102400 But curently we're using a conservativ 32KB instead. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155