Re: SpamAssassin and large mail
On Thu, Jul 25, 2002 at 08:08:45AM +0100, Dr Andrew C Aitchison wrote:
> On 24 Jul 2002, John Horne wrote:
> > By default SpamAssassin lets through 'large' messages, which by default
> > are those of 250KB in size.
> Which idiot dared to put that rule in ?
> When the spammers bother to work around that rule
> we are all in real trouble.

No, because your mail server automatically rejects oversize mail, doesn't
it? If not, you probably deserve to lose anyway.

(and the great thing about open source ...
... is that the spamassassin people believe their ruleset to be perfect)

MBM

--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
Re: SpamAssassin and large mail
On Thu, 25 Jul 2002, Matthew Byng-Maddick wrote:

> On Thu, Jul 25, 2002 at 08:08:45AM +0100, Dr Andrew C Aitchison wrote:
> > On 24 Jul 2002, John Horne wrote:
> > > By default SpamAssassin lets through 'large' messages, which by default
> > > are those of 250KB in size.
> > Which idiot dared to put that rule in ?
> > When the spammers bother to work around that rule
> > we are all in real trouble.
>
> No, because your mail server automatically rejects oversize mail, doesn't
> it? If not, you probably deserve to lose anyway.

*I* can set both programs to agree on the maximum mail size,
but if the spammers send the large mail I have to receive that many bytes
before I can reject it.

I had hoped not to mention the "obvious" exploit which will gum up
the internet, but I fear that I won't be understood if I do not.
If spammers can find a message size that many systems allow but don't
spam check they will try to send messages of that size.

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison@dpmms.cam.ac.uk http://www.dpmms.cam.ac.uk/~werdna
Re: SpamAssassin and large mail
>I had hoped not to mention the "obvious" exploit which will gum up
>the internet, but I fear that I won't be understood if I do not.
>If spammers can find a message size that many systems allow but don't
>spam check they will try to send messages of that size.
>
But the spammers are of limited means as well. Using oftentimes stolen
bandwidth, they're sending out messages that are 251k instead of the usual
< 10k,
and knowing that bandwidth is usually the only thing that limits them from
sending us more spam, an "exploit" like that would significantly
reduce the amount of spam that they could send. So even if SpamAssassin was
popular enough for spammers to try to work around, the cure, for them, would
likely be worse than the ailment. If a spammer really wanted to get around
SpamAssassin they would download it and simply tailor the messages so that
the only thing that gets tagged are the false headers and avoid scoring any
points for text in the body. This would get through most default configs and
be much more efficient than blowing their most limited resource, bandwidth.

Re: SpamAssassin and large mail
> likely be worse than the ailment. If a spammer really wanted to get around
> SpamAssassin they would download it and simply tailor the messages so that
> the only thing that gets tagged are the false headers and avoid scoring any
> points for text in the body. This would get through most default configs and
> be much more efficient than blowing their most limited resource, bandwidth.

http://www.samthecomputerman.com/email.txt

Looks like they already did :)

I just installed version 2.31 of SA today, and it still doesn't trigger it
for that spam:

X-Spam-Status: No, hits=3.3 required=5.0
tests=FROM_NAME_NO_SPACES,PLING,MONEY_BACK,PORN_14,
DATE_IN_PAST_06_12
version=2.31

I guess they're wording stuff more carefully now. But I think 1 spam out of
800 (samthecomputerman.com/sys) is an acceptable false negative. Of course,
I didn't tweak the settings at all...it's out-of-the-box scoring.

-Sam
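Two defender-side checks come out of this thread: a message that scores 3.3 against a threshold of 5.0 is a near miss worth a second look rather than a silent pass, and the MTA's maximum message size and the scanner's maximum scan size should agree so there is no band of sizes that is accepted but never scored. The following is an added example, not code from the thread or from the SpamAssassin project. It parses X-Spam-Status headers in the layout Sam posted (the first sample header reproduces his; the other two headers, the review margin, and the 10 MB MTA limit are constructed for illustration, while the 250 KB scan limit is the figure the thread cites).

```python
"""Parse SpamAssassin X-Spam-Status headers, triage near-miss scores, and
check that the MTA size limit and the scan-size limit leave no unscanned gap.
Added example; header layout follows the sample in the thread, other values
are constructed."""
import re
from dataclasses import dataclass

# Constructed sample headers. The first reproduces the one quoted in the thread
# (folded across lines, as it appears in a real message); the rest are made up.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, hits=3.3 required=5.0\n"
    "\ttests=FROM_NAME_NO_SPACES,PLING,MONEY_BACK,PORN_14,\n"
    "\tDATE_IN_PAST_06_12\n"
    "\tversion=2.31",
    "X-Spam-Status: Yes, hits=7.9 required=5.0 tests=PLING,MONEY_BACK version=2.31",
    "X-Spam-Status: No, hits=0.2 required=5.0 tests=none version=2.31",
]


@dataclass
class SpamStatus:
    flagged: bool      # the Yes/No verdict SpamAssassin wrote
    hits: float        # score assigned to the message
    required: float    # threshold in force when the message was scanned
    tests: list        # names of the rules that fired
    version: str


_STATUS_RE = re.compile(r"^X-Spam-Status:\s*(Yes|No),\s*(.*)$", re.IGNORECASE)


def parse_spam_status(header: str) -> SpamStatus:
    """Unfold a (possibly multi-line) X-Spam-Status header and parse its fields."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # RFC 2822 unfolding
    unfolded = re.sub(r",\s+", ",", unfolded)               # rejoin a test list split at a comma
    m = _STATUS_RE.match(unfolded)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    tests_raw = fields.get("tests", "none")
    tests = [] if tests_raw == "none" else [t for t in tests_raw.split(",") if t]
    return SpamStatus(
        flagged=m.group(1).lower() == "yes",
        hits=float(fields["hits"]),
        required=float(fields["required"]),
        tests=tests,
        version=fields.get("version", ""),
    )


def triage(status: SpamStatus, review_margin: float = 2.0) -> str:
    """Three-way verdict: 'spam' if flagged, 'review' for a near miss, else 'ham'.
    The review margin is a constructed local policy, not a SpamAssassin setting."""
    if status.flagged or status.hits >= status.required:
        return "spam"
    if status.hits >= status.required - review_margin:
        return "review"
    return "ham"


def unscanned_size_gap(mta_max_bytes: int, scan_max_bytes: int):
    """Return (low, high) of message sizes the MTA accepts but the scanner skips,
    or None when the two limits leave no gap. Both limits are supplied by the caller."""
    if scan_max_bytes >= mta_max_bytes:
        return None
    return (scan_max_bytes + 1, mta_max_bytes)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        s = parse_spam_status(h)
        print(f"{triage(s):6} hits={s.hits} required={s.required} "
              f"tests={','.join(s.tests) or 'none'}")
    # 250 KB is the scan limit the thread cites; 10 MB is a constructed MTA limit.
    print("unscanned gap:", unscanned_size_gap(10 * 1024 * 1024, 250 * 1024))
```

Run against Sam's header, `triage` returns `review` rather than `ham`, which is the point: a near miss with five rules firing is the kind of false negative a site can route to a quarantine or a human rather than the inbox. `unscanned_size_gap` makes Andrew's concern concrete; with a 10 MB MTA limit and a 250 KB scan limit it reports the 256001 to 10485760 byte band that would be delivered unscanned, and returns None once the two limits agree.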