Wow, I knew this was coming at some point. I just figured it was too expensive.
My suggestion would be to use graylisting, force them to send that 1MB message twice. Course zombie bots don't do that generally, so you would never even have to deal with it. You could also use the botnet plug-in. It would be good if SA could handle this though. The above are only temporary solutions to a bigger problem. -Brent -----Original Message----- From: Charles Gregory [mailto:cgreg...@hwcn.org] Sent: Monday, March 29, 2010 1:09 PM To: users@spamassassin.apache.org Subject: ATTN DEVELOPERS: Mega-Spam Literally, Mega-Spam. I just got a spam with 1MB of images. My suggestion has been made before, but I would like to ask that it now be taken a bit more seriously. SA needs an option to allow efficient 'partial' scanning of large e-mails, so that, for example, we can peform all the valuable header checks, and maybe even scan for URIBL hits within the first few hundred K of the body? Is it possible (and easy!) to set a flag that tells SA to stop testing aganist the body when it reaches a certain byte count.... Or perhaps, if I understand the docs correctly, most rules only trigger on textual message parts anyway, so by simply disabling 'full' rules and possbily 'rawbody', we could get the desired result without too much of a processing hit? - C