Opened 10 years ago

#530 new enhancement

Truncate large mail items for spam-checking purposes

Reported by: rjl@…
Owned by: rjl
Priority: normal
Milestone:
Component: amavisd-maia
Version: 1.0.2
Severity: normal
Keywords: $sa_mail_body_size_limit truncate SpamAssassin
Cc:

Description

Currently SpamAssassin is bypassed when mail items are larger than $sa_mail_body_size_limit bytes in order to conserve system resources. As the average size of spam becomes larger over the years, this allows more spam to slip past filters without being inspected. Rather than continually increasing $sa_mail_body_size_limit and asking site admins to keep increasing the hardware resources for their Maia systems, it might make more sense to simply truncate the email at $sa_mail_body_size_limit bytes and submit only that first portion to SpamAssassin.

The headers and the initial text/* MIME parts are the ones that SpamAssassin needs to examine, after all, whereas large encoded binary attachments offer nothing of value to a spam filter (though they need to be examined in their entirety by virus scanners of course).

There is a potential risk, however, that specially-crafted emails could take advantage of this to evade filtering. Such an email would only have to structure itself with a massive non-text MIME part first, such that the truncation point is reached before any text MIME parts occur. This is highly non-standard, however (MIME structure conventions dictate that text parts occur before non-text parts), and would in and of itself be a spam signature. Headers and of course the mandatory text/plain portion of the body (for mail readers that can't process MIME structures) will always be first in any case, so this kind of filter evasion tactic would not be particularly useful to a spammer.
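The following sketch is an added example, not part of the ticket and not amavisd-maia code: it truncates a message at a byte limit and flags the case described above, where the cut falls before any text/* part has been seen. The function names, the 4096-byte demo limit and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

DEMO_LIMIT = 4096  # assumed demo value, not the project's default


def truncate_for_spam_check(raw: bytes, limit: int) -> dict:
    """Cut raw at limit bytes and report what a content filter would still see."""
    head = raw[:limit]
    truncated = len(raw) > limit
    # The stdlib parser tolerates a multipart body whose closing boundary
    # was cut off, so the surviving parts can still be walked.
    msg = message_from_bytes(head)
    text_seen = False
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        if body.strip():
            text_seen = True
            break
    return {
        "data": head,
        "truncated": truncated,
        "text_seen": text_seen,
        # Truncated with no text part before the cut: treat as a signal in itself.
        "evasion_suspect": truncated and not text_seen,
    }


def build_sample(text_first: bool) -> bytes:
    """Constructed sample: one short text part and one 6000-byte binary part."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = "constructed sample"
    text = MIMEText("Constructed body text a content filter would score.\n", "plain")
    blob = MIMEApplication(b"\x00" * 6000)  # base64-encodes to roughly 8 KB
    for part in ([text, blob] if text_first else [blob, text]):
        msg.attach(part)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, first in (("text first", True), ("binary first", False)):
        result = truncate_for_spam_check(build_sample(first), DEMO_LIMIT)
        print(label, {k: v for k, v in result.items() if k != "data"})
```

A filter that truncates could feed `evasion_suspect` into its score or fall back to scanning the full message for that item.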

Change History (0)
