[Mimedefang] spams slipping by, because they bigger than the SA size cutoff

Gary Funck gary at intrepid.com
Wed Feb 1 18:50:44 EST 2006

I've had a couple of spams drop in my inbox recently,
and at first, I couldn't see how they made it past SA.
I looked at the headers, and to my surprise, the message
hadn't been scanned by Spamassassin(!).  Why?  How?
I looked further, and noticed that one message was 800K
bytes, and the other 140K.  The first had an attached
.wmv file (hopefully not one of _those_ .wmv files, but
I didn't click on it to find out).

Both messages avoided being scanned by SA because they were
larger than the 100K limit we currently impose via MdF.

What to do?  I can bump the size limit, or have no limit at all.
I could consider building a temporary copy of the message
with non text and/or html attachments removed, and feed
that to SA, although that sounds a bit complicated and
computationally expensive.

BTW, a couple of years ago, I experiment with simpiy peeling
off the first N bytes off the front of large messages and
tacking on the last N bytes (where N = approx. 50K).  This
actually worked rather well, modulo the occassional malformed
MIME content.  I could do that, but it is a bit of hack,
and could result in having some valid ham messages mis-filed
as spam, partly because the MIME parts are garbled.


More information about the MIMEDefang mailing list