mouss wrote: > since most filters skip large messages, it may be tempting for spammers > to send large messagess: > > - using a large but "invisible" part (either by using mime and putting a > large text part in an alternative mime, or using "invisible" chars > before their own text). > > - using a large image > > - large "tail" (spammers can append anything....). > > - "unused" attachments > > questions: > - has this already been seen?
I've not seen it with dummy text, but I have seen the large image spam. However, it's very rare. The problem being that if you're a large-volume spammer, large messages take a longer time to send, and thus reduce your spams/minute. There's only one spammer that's done this to me. There's some group of stores in Guatemala that sends me high-res scans of their newspaper. Consejeros en Finanzas Empresariales, some kind of bank La Cuacao - some kind of electronics shop? or an eye doctor? cefesa hardware - a True Value hardware store. Why anyone in Guatemala thinks I'll visit their store to spend "Q. 22" on a patio log fake fire log or "Q. 85" on a generic brand weed and feed fertilizer is beyond me. But other than these guys, I don't get any spams >250kb. > - how can we mitigate this? Personally, I think it is largely self-mitigating. Their size greatly limits their potential distribution. As I see it, there's very little large-spam out there. > > > my first thought would be to "process" the message before passing it to > the filter. In particular, are there drawbacks/benefits if I remove > attachments before passing them to SA (or any other filter)? Well, SA automatically ignores attachments in recent versions. However, hash-based plugins like razor, dcc, and pyzor work best when seeing all the attachments.