Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread Ralf Hildebrandt
> Perhaps there's something in amavisd-new that can't cope with the
> dkim headers and has done something that breaks SA's header parsing.
> This wouldn't necessarily show-up in the delivered email. 

Indeed. amavisd+SA says:
X-Spam-Status: Yes, score=5.763 tagged_above=2 required=4
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
EMPTY_MESSAGE=2.32, MISSING_DATE=1.36, MISSING_FROM=1,
MISSING_HEADERS=1.021, MISSING_MID=0.497, MISSING_SUBJECT=1.799,
RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, TXREP=-0.842,
CRM114.UNSURE(-2.55)=0.510] autolearn=no autolearn_force=no

while piping the mail through spamassassin -D says:

X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,
FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
RP_MATCHES_RCVD,SPF_PASS,T_DKIM_INVALID shortcircuit=no autolearn=no
autolearn_force=no version=3.4.1

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread RW
On Tue, 2 May 2017 14:04:48 +0100
RW wrote:


> > 64 KB - have you seen typical headers from microsoft these days as
> > well as others?  
> 
> They are much smaller than that. It remains to be seen whether this
> limit is causing the OP's problem.

And I don't think it is. The 64k limit doesn't seem to affect "exists:"
rules.

Perhaps there's something in amavisd-new that can't cope with the
dkim headers and has done something that breaks SA's header parsing.
This wouldn't necessarily show-up in the delivered email. 

Try running one through spamassassin -D.



Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread RW
On Tue, 2 May 2017 14:14:19 +0200
Reindl Harald wrote:

 against DoS type situations."  
> > 
> > 
> > That's the limit for a specific header. The relevant limit here is
> > the limit for total headers of 64k.  
> 
> that's both too low and makes it easy to bypass SA

It wouldn't make it bypass SA.

> 64 KB - have you seen typical headers from microsoft these days as
> well as others?

They are much smaller than that. It remains to be seen whether this
limit is causing the OP's problem.


> 8 KB - well, if someone encodes his whole payload base64 encoded in
> the subject you are there

It's pretty unlikely that anyone is going to read a subject beyond the
first 8K of decoded text. 


Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread RW
On Tue, 2 May 2017 12:42:52 +0200
Ralf Hildebrandt wrote:

> * Ralf Hildebrandt :
> 
> > But the real question is: Why is SA not seeing all the headers?  
> 
> Looking at the archives, I find this:
> https://lists.gt.net/spamassassin/users/172198
> 
> "Specifically, I have been adding characters and addresses to the
> list of email addresses in the To: header to see at what point my
> rule stops being hit. As far as I can tell, it is a byte limit, not a
> number of email addresses limit. 
> 
> The byte limit (at least in my configuration) seems to be
> approximately 8KB"
> 
> And:
> 
> "Pretty sure it's hardcoded at 8k. This was done several years ago to
> protect against DoS type situations."


That's the limit for a specific header. The relevant limit here is the
limit for total headers of 64k.


Re: SpamAssassin not parsing/seeing all headers?

2017-05-02 Thread Ralf Hildebrandt
* Ralf Hildebrandt :

> But the real question is: Why is SA not seeing all the headers?

Looking at the archives, I find this:
https://lists.gt.net/spamassassin/users/172198

"Specifically, I have been adding characters and addresses to the list of
email addresses in the To: header to see at what point my rule stops
being hit. As far as I can tell, it is a byte limit, not a number of
email addresses limit. 

The byte limit (at least in my configuration) seems to be approximately
8KB"

And:

"Pretty sure it's hardcoded at 8k. This was done several years ago to
protect against DoS type situations."

If that's the case, is that limit still up-to-date?

The default in Postfix (bytes):

# postconf -d header_size_limit
header_size_limit = 102400

But currently we're using a conservative 32KB instead.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
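
The limits discussed in this thread (about 8 KB for a single header, 64 KB for all headers, and the Postfix default of 102400 bytes) can be checked against a raw message with a short script. This is an added example, not code from SpamAssassin, amavisd-new or any poster in the thread; the limit values are taken from the thread as assumptions, and the function names and the sample message are constructed.

```python
# Added example: measure a raw message's headers against the limits quoted in the thread.
PER_HEADER_LIMIT = 8 * 1024     # "hardcoded at 8k" for one header (figure from the thread)
TOTAL_HEADER_LIMIT = 64 * 1024  # "total headers of 64k" (figure from the thread)
MTA_HEADER_LIMIT = 102400       # postconf -d header_size_limit, as quoted in the thread

def header_fields(raw: bytes):
    """Return [(name, raw_bytes)] per header field; folded lines stay with their field."""
    fields = []
    for line in raw.splitlines(keepends=True):
        if line in (b"\n", b"\r\n"):            # empty line ends the header block
            break
        if line[:1] in (b" ", b"\t") and fields:  # continuation of a folded header
            fields[-1][1] += line
        else:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
            fields.append([name, line])
    return [(name, data) for name, data in fields]

def audit(raw: bytes):
    """Report which headers exceed the per-header limit or extend past the total limit."""
    fields = header_fields(raw)
    oversize = [(n, len(d)) for n, d in fields if len(d) > PER_HEADER_LIMIT]
    offset, past_total = 0, []
    for name, data in fields:
        offset += len(data)
        if offset > TOTAL_HEADER_LIMIT:         # field ends beyond the 64 KB mark
            past_total.append(name)
    return {"total_bytes": offset, "oversize": oversize,
            "past_total_limit": past_total,
            "over_mta_limit": offset > MTA_HEADER_LIMIT}

def sample() -> bytes:
    """Constructed message: a long folded To:, filler headers, Subject/Date at the end."""
    to = b"To: " + b",\r\n ".join(b"user%03d@example.org" % i for i in range(600)) + b"\r\n"
    filler = b"".join(b"X-Filler-%02d: %s\r\n" % (i, b"a" * 900) for i in range(60))
    return (b"From: a@example.org\r\n" + to + filler +
            b"Subject: hi\r\nDate: Tue, 2 May 2017 12:00:00 +0200\r\n\r\nbody\r\n")

if __name__ == "__main__":
    report = audit(sample())
    print("total header bytes:", report["total_bytes"])
    print("headers over per-header limit:", report["oversize"])
    print("headers past total limit:", report["past_total_limit"])
    print("over MTA limit:", report["over_mta_limit"])
```

Running the same audit on the message as received and on the copy handed to the content filter shows whether the two tools are looking at the same header block.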