[Mimedefang] Caching the results of a SpamAssassin scan

Michael Sims michaels at mail3.crye-leike.com
Thu Apr 3 10:39:01 EST 2003 

Quoting Joseph Brennan <brennan at columbia.edu>:

> If you have any detail it would be interesting.

Well, I didn't gather specific empirical evidence.  All I did was keep "top" 
open while I flooded the server with about ~150 messages at a time, and then 
watched the CPU and memory utilization by the mimedefang.pl processes.  With 
SpamAssassin enabled the processes would spike to sometimes 30% utilization and 
remain running for probably 10 seconds (maybe less, I'm guessing).  I then 
disabled the SpamAssassin scan and the CPU usage for the same flood didn't go 
about about 7% and the processes exited very quickly.

> I assumed this was the case, and have excluded some categories
> of mail from going to Spamassassin.
> 
>     $doSA = 0;
>     # Skip SpamAssassin sometimes...
>     #   ...like for mail from localhost (don't bounce our own bounces)
>     undef($doSA) if ($RelayAddr eq "127.0.0.1");

I'm confused about this.  I do something similar (i.e. I do not want to scan 
messages that come from trusted relays) but I determine this inside 
filter_relay.  According to the mimedefang-filter man page, $RelayAddr is not 
available in filter_end, where the SA scan takes place.  I have been checking 
for trusted relays in filter_relay and then writing a 0 byte file 
called "skip_spam_check" in the working directory, then checking for this 
file's existence in filter_end.  I'm doing this because of the warning in the 
mimedefang-filter about maintaining state between subroutines.  If $RelayAddr 
is available in filter_end (I guess I could have checked first) then I'm doing 
all of that for nothing. :)

> > Even though these were all separate SMTP sessions, each message has
> > the exact same message-ID.
> 
> But how much spam is like that?  Was this just the result of your
> test message having that message-ID in it?  It doesn't seem normal
> although some spamware might do it.

Well, let me explain how I generated my test case.  Our current mail server is 
still running alongside the new one, which I'm testing.  I created 20 bogus 
accounts on the current mail server, and 20 bogus accounts on the new mail 
server.  I set all of the accounts on the old server to forward to the 
corresponding ones on the new server.  Then I created a mailing list on the old 
server, and put the addresses of the bogus accounts on the old server in the 
list.  I then flooded that mailing list.

The old mail server saw that all of the recipients were local, so it delivered 
the mail to each one.  Then it processed the forwarding information for each 
bogus user separately, and as a result it opened a separate connection to the 
new mail server to forward the message along, even though each recipient was 
receiving the exact same message.

Yes, I know this is very contrived and not likely to occur to often in actual 
use.  But it got me thinking that perhaps like you said some spamware might try 
this in an effort to get around possible limitations on the number of 
recipients per message.  Rather than connect to a server, issue a MAIL FROM and 
then 100 RCPT TO's in succession, the spamware might run in a loop and send 
each message separately.

It's probably not too likely, but as I said, I was tired last night and 
probably not thinking straight. :)  

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________

More information about the MIMEDefang mailing list