On Wed, 01 Sep 2004 16:36:55 -0700, Kelson <[EMAIL PROTECTED]> wrote:
> It had to happen, I suppose. This morning I received a 996 KB message
> advertising, as near as I can tell, some Taiwanese take-out restaurant.
> And by Taiwanese, I don't mean style of cooking, but *location*.
> (Yeah, next time I go to lunch I'm definitely going to hop on a plane,
> fly halfway around the world, and eat at this place that spammed me in a
> language I can't read.)
>
> The message consisted of a small HTML component and a gigantic JPEG
> image. Had it been smaller, it would have easily scored 15 points even
> before Bayes training (as spamassassin -t demonstrated), but we don't
> run anything through SA larger than 256 KB (as is usually recommended).
>
> I've blacklisted the IP, but it looks like a throwaway.
>
> So I'm wondering - any ideas on dealing with giant-attachment spam?
>
> I don't suppose there are enough efficiency gains in 3.0 to safely raise
> the size limit?
>

FWIW, I use SA from within MailScanner (it's called internally, as a Perl library, no spamassassin script, no spamc/spamd).

MS has a setting called 'maxSAsize' or something like this that, in the past, meant that any message larger than that wasn't handed over to SA. However, as that turned out to let many spam messages go unchecked by SA, newer versions of MS truncate the message to that size before sending it to SA. IIRC, the default is around 30k.

The only problem I had with that is that every MIME message that got truncated by MS hit the MIME_MISSING_BOUNDARY rule. I posted here about this in http://marc.theaimsgroup.com/?l=spamassassin-users&m=108455941908359&w=2 but I never got an answer.

Finally, I created a new eval and a couple of rules that use it to handle the problem (see http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/334.html if you're interested).

With this solution, I get every message checked by SpamAssassin and, if the message was over 30k, I only check the first 30k... usually, the spamminess can be determined in the first 30k.

I didn't start using SA 3.0 yet, but I guess there must be a cleaner way (using plugins) to add the size rules... when I do so, I'll post here how.

--
Mariano Absatz - El Baby
el (dot) baby (AT) gmail (dot) com
el (punto) baby (ARROBA:@) gmail (punto) com
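
The truncation side effect described in the message above, as an added example that is not part of the original post and is not MailScanner or SpamAssassin code: cutting a multipart message at a size cap drops the closing MIME delimiter, which is what a missing-boundary check reacts to. The sample message, the function names and the 30 KB cap (taken from the "around 30k" in the post) are assumptions, and the boundary check is a simplified stand-in for the real rule.

```python
import base64
import re

MAX_SCAN_SIZE = 30 * 1024  # assumption: the "around 30k" default mentioned in the post
BOUNDARY = b"----=_constructed_boundary"  # constructed sample value

def build_sample(image_bytes):
    """Constructed multipart message: small HTML part plus a large base64 'JPEG'."""
    image = base64.encodebytes(b"\xff" * image_bytes).rstrip(b"\n")
    return b"\n".join([
        b"From: sender@example.com",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"',
        b"",
        b"--" + BOUNDARY,
        b"Content-Type: text/html",
        b"",
        b"<html><body>lunch menu</body></html>",
        b"--" + BOUNDARY,
        b"Content-Type: image/jpeg",
        b"Content-Transfer-Encoding: base64",
        b"",
        image,
        b"--" + BOUNDARY + b"--",
        b"",
    ])

def unclosed_boundaries(raw):
    """Return declared MIME boundaries whose closing '--boundary--' line is absent."""
    declared = [m.group(1) or m.group(2)
                for m in re.finditer(rb'boundary=(?:"([^"]+)"|([^\s;]+))', raw, re.I)]
    lines = {line.rstrip() for line in raw.splitlines()}
    return [b for b in declared if b"--" + b + b"--" not in lines]

def scanner_view(raw, max_size=MAX_SCAN_SIZE):
    """Truncate to max_size and report what a content scanner would then see."""
    head = raw[:max_size]
    return {
        "scanned_bytes": len(head),
        "truncated": len(raw) > max_size,
        "unclosed": unclosed_boundaries(head),
    }

if __name__ == "__main__":
    for size in (100, 60000):
        print(size, scanner_view(build_sample(size)))
```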