Hey all,

I stumbled upon an odd issue the other day that I'm having trouble
tracking down.  Namely, a certain rule in the sought rule set, when
compiled for use with Rule2XSBody is causing the processing of *some*
emails to, well, never really end.  Piping the mail through spamassassin
or into spamd just results in the process hanging and the memory usage
going higher and higher (2+ gigs, easily) and seemingly ignoring any
sort of timeouts.  The process finally gets killed only when the OS
notices it's out of memory and starts killing processes or when I'm able
to sneak in and kill -9 it.  There's nothing in the debug of SA whatsoever.

I was wondering if anyone else has seen this or if it's some quirk of my
environment. I admit that I'm no expert in this sort of thing, but
(hopefully) some useful information is below the dotted line.

-----
This happened on four of my machines which have the following configuration:

RHEL5.2 / SA 3.2.5  / Perl 5.8.8 / gcc 4.1.2
RHEL5.2 / SA 3.2.4  / Perl 5.8.8 / gcc 4.1.2
RHELAS 4 (Update 6) / SA 3.2.4 / Perl 5.8.5 / gcc 3.4.6
RHELAS 4 (Update 6) / SA 3.2.4 / Perl 5.8.5 / gcc 3.4.6

The SA is built from source off the main website, and the perl is just
stock redhat.

If I copy down all my rules/configuration to my Debian desktop using its
packaging, the problem doesn't emerge (SA 3.2.5 / Perl 5.10.0 / gcc 4.3.3 there).

Removing the compiled rulesets works around the issue fairly handily.
I'm stubborn though, so after I did so, I dug around a bit and it seems
one specific body rule was causing the issue, namely:

body __SEEK_1R0JFS  /\x{ff}\x{fe} \x{00} \x{00} \x{00}
\x{00}<\x{00}m\x{00}e\x{00}t\x{00}a\x{00}
\x{00}h\x{00}t\x{00}t\x{00}p\x{00}-\x{00}e\x{00}q\x{00}u\x{00}i\x{00}v\x{00}=\x{00}\'\x{00}R\x{00}e\x{00}f\x{00}r\x{00}e\x{00}s\x{00}h\x{00}\'\x{00}
\x{00}c\x{00}o\x{00}n\x{00}t\x{00}e\x{00}n\x{00}t\x{00}=\x{00}\'\x{00}0\x{00};\x{00}
\x{00}u\x{00}r\x{00}l\x{00}=\x{00}h\x{00}t\x{00}t\x{00}p\x{00}:\x{00}\/\x{00}\/\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}/

Once I comment out the rule, compiled rulesets work fine again.  I don't
know enough to know what the heck that regex even is, or why it would be
causing problems (I basically found which rule was causing a problem by
commenting out anything that looked scary to me, running sa-compile, and
testing to see if the "hanging" behavior went away).

I'm not sure the best way to post up a sample of the mail that was
choking the system without it getting mangled (though I'll gladly post
it if someone can show me where), but fooling around, it seemed to come
down to the message containing this as one of its parts:
-
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

(Any content could go here)
=00
-

Removing =00 OR Content-Transfer-Encoding: quoted-printable causes the
mail to pass through without a problem.  It seems to only be both
combined that resulted in the behavior I saw.

Anyhoo, any thoughts?  Is this a legitimate bug or something wrong with my
setup?

Matt
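Added example, not part of Matt's post or of SpamAssassin: a Python reconstruction of what the quoted body rule is looking for (my reading of it: \x{ff}\x{fe} is the UTF-16LE byte-order mark and every ASCII character is followed by \x{00}, so the rule describes a UTF-16LE encoded HTML meta-refresh redirect; it also accepts any run of UTF-16LE whitespace after the BOM, a generalisation of the rule's literal spaces), plus a constructed message in the shape of the minimal reproducer, decoded to show that the quoted-printable "=00" becomes a NUL byte only when both ingredients are present. The message headers, addresses and the REFRESH_TEXT transcription are mine.

```python
import re
import email
from email import policy

# My transcription of the text the post's rule spells out in UTF-16LE
# (assumption: the rule file itself is not reproduced here).
REFRESH_TEXT = "<meta http-equiv='Refresh' content='0;url=http://"

def utf16le_rule(text: str = REFRESH_TEXT, wildcards: int = 18) -> re.Pattern:
    """Bytes regex equivalent of the body rule: BOM, optional UTF-16LE
    whitespace (generalised from the rule's literal spaces), the literal
    text encoded as UTF-16LE, then `wildcards` arbitrary UTF-16LE units."""
    literal = re.escape(text.encode("utf-16-le"))
    return re.compile(b"\xff\xfe(?:\\s\x00)*" + literal
                      + b"(?:.\x00){%d}" % wildcards, re.DOTALL)

# Constructed message modelled on the post's minimal reproducer: a
# text/html part in quoted-printable whose body ends with "=00", the
# encoded form of a NUL byte.
SAMPLE_MSG = (
    "From: sender@example.test\n"
    "To: rcpt@example.test\n"
    "Subject: constructed test\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<html><body>(Any content could go here)</body></html>\n"
    "=00\n"
)

def decoded_body(raw: str) -> bytes:
    """Undo the transfer encoding, as a scanner does before body rules run."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg.get_payload(decode=True)

def has_nul(raw: str) -> bool:
    """True when the decoded body carries a NUL byte (the =00 ingredient)."""
    return b"\x00" in decoded_body(raw)

def rule_matches(raw: str) -> bool:
    """Run the reconstructed rule over the decoded body with an ordinary
    backtracking regex engine (Python's), not sa-compile's generated code."""
    return utf16le_rule().search(decoded_body(raw)) is not None

if __name__ == "__main__":
    print("NUL in decoded body:", has_nul(SAMPLE_MSG))
    print("rule matches:", rule_matches(SAMPLE_MSG))
```

Dropping either the "=00" line or the Content-Transfer-Encoding header leaves the decoded body without a NUL, which mirrors the two workarounds described above.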
