[Mimedefang] spams slipping by, because they bigger than the SA size cutoff

Jan Pieter Cornet johnpc at xs4all.nl
Thu Feb 2 03:57:43 EST 2006


On Wed, Feb 01, 2006 at 03:50:44PM -0800, Gary Funck wrote:
> I've had a couple of spams drop in my inbox recently,
> and at first, I couldn't see how they made it past SA.
> I looked at the headers, and to my surprise, the message
> hadn't been scanned by SpamAssassin(!).  Why?  How?
> I looked further, and noticed that one message was 800K
> bytes, and the other 140K.  The first had an attached
> .wmv file (hopefully not one of _those_ .wmv files, but
> I didn't click on it to find out).

A .wmv file is a Windows Media Video file, and has nothing to
do with the .wmf exploits that were recently in the news.

> Both messages avoided being scanned by SA because they were
> larger than the 100K limit we currently impose via MdF.
> 
> What to do?  I can bump the size limit, or have no limit at all.
> I could consider building a temporary copy of the message
> with non text and/or html attachments removed, and feed
> that to SA, although that sounds a bit complicated and
> computationally expensive.

It's a _LOT_ less computationally expensive than letting SA handle
the binary attachments. Note that SA can use binary attachments
in some rules (various HTML_IMAGE_* rules, and MIME encoding rules),
so if you remove them, only remove "big" ones.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
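
The pruned scan copy discussed above, sketched with MIME::Parser from MIME-tools as an added example; it is not part of the original post and not MIMEDefang's own code. The 64K per-part cutoff, the `prune` helper and the sample message are assumptions made for the illustration, and handing the resulting copy to SpamAssassin is left out.

```perl
use strict;
use warnings;
use MIME::Parser;
use MIME::Base64 qw(encode_base64);

my $MAX_BINARY = 64 * 1024;    # assumed per-part cutoff, in decoded bytes

# Returns true if $entity should stay in the scan copy. Oversized non-text
# leaves are removed from their container and described in @$dropped.
sub prune {
    my ($entity, $max, $dropped) = @_;
    if (my @parts = $entity->parts) {        # multipart or nested message
        $entity->parts([ grep { prune($_, $max, $dropped) } @parts ]);
        return 1;
    }
    my $type = $entity->effective_type;
    return 1 if $type =~ m{^text/}i;         # always keep text and HTML parts
    my $body = $entity->bodyhandle or return 1;
    my $size = length $body->as_string;      # size after transfer decoding
    return 1 if $size <= $max;               # small binaries still feed SA rules
    push @$dropped, "$type ($size bytes)";
    return 0;
}

# Constructed sample: a text part, a tiny image and an 80000-byte video.
my $bnd = 'XX';
my $raw = join "\n",
    'From: sender@example.com', 'To: rcpt@example.com', 'Subject: sample',
    'MIME-Version: 1.0', qq{Content-Type: multipart/mixed; boundary="$bnd"}, '',
    "--$bnd", 'Content-Type: text/plain', '', 'Hello there.',
    "--$bnd", 'Content-Type: image/gif', 'Content-Transfer-Encoding: base64',
    '', 'R0lGODlhAQABAAAAACw=',
    "--$bnd", 'Content-Type: video/x-ms-wmv',
    'Content-Transfer-Encoding: base64', '', encode_base64("\0" x 80_000),
    "--$bnd--", '';

my $parser = MIME::Parser->new;
$parser->output_to_core(1);                  # keep decoded bodies in memory
my $copy = $parser->parse_data($raw);        # the original stays untouched

my @dropped;
prune($copy, $MAX_BINARY, \@dropped);
print "dropped: $_\n" for @dropped;
printf "scan copy is %d bytes (original %d)\n",
    length($copy->as_string), length $raw;
```

Only the copy is pruned; the message that gets delivered is the original, with every attachment intact.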


