Solved

spamassassin check for large body messages

Posted on 2014-11-07
7
301 Views
Last Modified: 2014-11-18
I'd like a rule to check for message bodies greater than a certain size, not including attachments. I'm finding that some spammers pad their messages with up to 1MB of garbage probably just to bypass the size-limit on spam checking. I see not legit messages that have 1MB sizes.

How do I do this?
0
Comment
Question by:jmarkfoley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40428762
more info: actually, upon further investigation, the +1M size messages *do* have attachments. In any case, spamassassin skips the message altogether because of the size. Is there a way to get spamassassin to ignore scanning attachments and ignore attachments in size considerations?
0
 
LVL 21

Expert Comment

by:robocat
ID: 40430584
It depends on the implementation of SA you're using.  The  size limit is usually implemented  in the MTA integration you're using and not by SA itself.

E.g. If you're using mailscanner, the size limit is in the mailscanner config and mailscanner will not  pass any messages to SA if messages are larger than this limit.

So  tell us about your SA implementation.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40443550
Sorry, didn't realize I had a response. For some reason I am not getting notified when a response is posted, only when the message is "abandoned".

I'm using sendmail 8.14.4, spamassassin 3.3.2 on Linux Slackware distro 13.37.0, kernel 2.6.37.6. I am running spamass-milter 0.3.1 as a milter in sendmail.

sendmail has no size limit set.

/etc/mail/spamassassin/spamc.conf has `-s 800000` set as the size limit. Indeed, all messages less that this size are being checked and all messages greater than this size are passed through.

Here's my issue. Spammers apparently know about Spamassassin size limits. I receive spam messages that are just over this 800K-ish limit. These messages fall into two categories: 1) messages with large attachments. For example I have several spam messages with 800+K .jpg attachments.  2) I have several messages with no attachment, but 800+K of gobbledygook, random words, Bible quotes, encyclopedia entries, blog fragments, etc. Of course, these are in there simply to blow past spam check size limits.

In the first case, I would like spamassassin to ignore the size of the attachment and scan the message body (and not the attachment). There are plenty of spam cues in the body to get it trapped.

In the second case, I'd simply like to trap on the message size. No one legitimately sends an 800K email without making an attachment.

What I'd like:

1. Make my spamc.conf messages size essentially unlimited (or very large)

2. In local.cf, make a rule to look at the message body size, excluding attachments, and if the body size is greater than some value, award a high spam-core.

I know how to do #1. Need help with #2.

Also, will spamd skip examination of attachments? Is there a way to make it do that?
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 
LVL 21

Accepted Solution

by:
robocat earned 500 total points
ID: 40446725
Unfortunately, SA has no concept of attachments. An e-mail is just text and attachments are treated as text. This is the reason why large messages are not scanned: it would require too much CPU.

You'd have to look for (or write) SA plugins to do the stuff you describe. Though I'm not aware of any existing plugins that will do this.

My best guess would be to increase the size limit, say 2MB, provided that you have enough CPU power.

We also have good experiences with Clamav + sanesecurity, which would run before you pass messages to SA and possibly remove some of the stuff you describe.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40449052
robocat: > Unfortunately, SA has no concept of attachments. An e-mail is just text and attachments are treated as text. This is the reason why large messages are not scanned: it would require too much CPU.

Hmmm, that sucks. And of course that's why clever spammers send a 1M+ of garbage attachment - to blow right past spamassassin.

Ok, I  think I'll increase from 800K to 1.1M - that's the largest bloat-spam I've seen. I am running Clamav, but these message don't contain viruses, so they get passed on.

Does Bayes train on attachment content? If so, I'd probably want to somehow exclude these large attachments before handing to sa-learn.
0
 
LVL 21

Expert Comment

by:robocat
ID: 40449181
Sanesecurity is an extra set of signatures for ClamAV and instead of virusses, these recognize certain types of SPAM.  Clam does look into attachments for these signatures. When blocked here, they will not be passed to SA.

I'm not sure about attachments having a negative impact on Bayes.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40450470
Thanks! I'll check out sanesecurity
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Apache LDAP Authentication 20 72
Windows 10 linux VM 30 92
VMware machine is not booting 6 129
PartedMagic Secure Erase 14 33
Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question