Re: spamd 'exceeded time limit' inquiry
On Fri, 29 Nov 2019, Tom H wrote: Hey everyone, I have a few questions about something I'm encountering with spamd. I've noticed cases where a bounce message to the server results in spamd 'exceeded time limit'. It reaches the limit of 300+ seconds. In this particular case, the message size is 564kB and contains an attachment. Normally, such a message size would not cause spamd to 'hang' for 5 minutes. I've pulled the bounce message in question to troubleshoot, and noticed that with spamc it does not recognize the attachment (no attachment rules hit). When scanning the original message (non bounce), spamc does recognize the attachment. I also noticed a significantly longer wait time using spamc with the bounce message compared to the original message. I also used the 'HitFreqsRuleTiming' plugin to see the performance of rule scan time between the bounce message and original message. I noticed that the bounce message had rules taking 4+ seconds (upstream rules such as __FILL_THIS_FORM_SHORT2 and __FILL_THIS_FORM_LONG2) , while this was not the case in the original message I have two questions: 1) By default, does SpamAssassin *not* decode/scan the base64 of the attachment? 2) Is the longer scan time of the 'bounce' message due to SpamAssassin scanning the attachment text lines in a way that it normally would not if it had recognized that it is an attachment? Question: was the message attached to the bounce *complete*? Or was it truncated? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Are you a mildly tech-literate politico horrified by the level of ignorance demonstrated by lawmakers gearing up to regulate online technology they don't even begin to grasp? Cool. Now you have a tiny glimpse into a day in the life of a gun owner. -- Sean Davis --- 975 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: spamd 'exceeded time limit' inquiry
On Fri, 29 Nov 2019 16:19:23 -0700 (MST) Tom H wrote: > Hey everyone, > > I have a few questions about something I'm encountering with spamd. > > I've noticed cases where a bounce message to the server results in > spamd 'exceeded time limit'. It reaches the limit of 300+ seconds. In > this particular case, the message size is 564kB and contains an > attachment. Normally, such a message size would not cause spamd to > 'hang' for 5 minutes. > ... > I noticed that the bounce message had rules taking 4+ seconds > (upstream rules such as __FILL_THIS_FORM_SHORT2 and > __FILL_THIS_FORM_LONG2) These are "body" rules. The chances are that the bounce has invalid MIME and so can't be parsed correctly.
spamd 'exceeded time limit' inquiry
Hey everyone, I have a few questions about something I'm encountering with spamd. I've noticed cases where a bounce message to the server results in spamd 'exceeded time limit'. It reaches the limit of 300+ seconds. In this particular case, the message size is 564kB and contains an attachment. Normally, such a message size would not cause spamd to 'hang' for 5 minutes. I've pulled the bounce message in question to troubleshoot, and noticed that with spamc it does not recognize the attachment (no attachment rules hit). When scanning the original message (non bounce), spamc does recognize the attachment. I also noticed a significantly longer wait time using spamc with the bounce message compared to the original message. I also used the 'HitFreqsRuleTiming' plugin to see the performance of rule scan time between the bounce message and original message. I noticed that the bounce message had rules taking 4+ seconds (upstream rules such as __FILL_THIS_FORM_SHORT2 and __FILL_THIS_FORM_LONG2) , while this was not the case in the original message I have two questions: 1) By default, does SpamAssassin *not* decode/scan the base64 of the attachment? 2) Is the longer scan time of the 'bounce' message due to SpamAssassin scanning the attachment text lines in a way that it normally would not if it had recognized that it is an attachment? Thanks in advance. -- Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html