[Mimedefang] spams slipping by, because they bigger than the SA size cutoff

Gary Funck gary at intrepid.com
Thu Feb 2 10:39:48 EST 2006

> From: Jan Pieter Cornet
> Sent: Thursday, February 02, 2006 12:58 AM
> A .wmv file is a windows media video file, and has nothing to
> do with the .wmf exploits that were recently in the news.

You're right - I wasn't paying attention.  In fact it is likely we
already filter out .wmf files.  I shouldn't have mentioned it,
anyway, because it isn't central to the topic of scanning large

> > Both messages avoided being scanned by SA because they were
> > larger than the 100K limit we currently impose via MdF.
> > 
> > What to do?  I can bump the size limit, or have no limit at all.
> > I could consider building a temporary copy of the message
> > with non text and/or html attachments removed, and feed
> > that to SA, although that sounds a bit complicated and
> > computationally expensive.
> It's a _LOT_ less computationally expensive than letting SA handle
> the binary attachments. Note that SA can use binary attachments
> in some rules (various HTML_IMAGE_* rules, and MIME encoding rules),
> so if you remove them, only remove "big" ones.

Are folks really doing this?  I don't recall MdF having a lot of
mechanism for generating a temp. copy of the message, removing
large parts, reassemblying, and then scanning the temp. copy.
I'm sure that by calling the correct MIME Tools primitives this
could be done, it just seems like it would take a fair amount
of logic.

It might be tempting to simply quarrantine attachments bigger
than 50K (which is a pretty puny attachment) or so, but I
don't think those quarrantined attachments are visible until
the incoming message is reassembled by MdF just before it
is accepted and delivered.

More information about the MIMEDefang mailing list