Re: Fwd: Huge header detection

Ian Eiloart Mon, 09 Feb 2009 02:36:13 -0800


--On 7 February 2009 02:36:36 -0200 Carlos Horowicz 
<carlos.horow...@gmail.com> wrote:


> I'm wondering what to do in a live system with may be hundreds of
> thousands of these strange e-mails already in users´ mailboxes,
>
> Should imapd be patched so that it just ignores the repetitions , both
> when building cyrus.cache and when it returns the headers to a client
> ? or should imapd really modify the original e-mail by stripping
> unnecessary/illegal headers and store a cleaned-up version ?

It shouldn't be modifying messages. It should handle such messages 
elegantly. Ignoring repetitions (beyond a threshold of repeats) seems the 
most sensible option. However, failing to report them to a client could 
cause confusion, so a threshold should be reasonably high. Of course some 
headers are supposed to have multiple instances...

Alerting the system administrator to the existence of such bogus messages 
seems like a good idea, too. Perhaps through the logging system.

If you don't want a particular message in the system, then it should not be 
accepted by LMTP or by any IMAP message creation mechanism.

> Regards,
>
> Carlos
>
> On Fri, Feb 6, 2009 at 9:02 PM, Bron Gondwana <br...@fastmail.fm> wrote:
>> On Fri, Feb 06, 2009 at 04:34:39PM -0200, Carlos Horowicz wrote:
>>> Hi there,
>>>
>>> postfix author suggested me to post here following issue :
>>>
>>> we received a spam that bypassed all controls and consisted of a huge
>>> header (4M) , repeating these four lines 31.000 times (chaning only
>>> the Reply-To):
>>>
>>> MIME-Version: 1.0
>>> Content-type: text/html; charset=iso-8859-1
>>> From: Magaly <ver...@club.com>
>>> Reply-To: fdsafdsaf...@xxxxxx
>>
>> Oh yeah!  I just recreated this on my testbed here (copying that and
>> appending a number from 1 to 31000 after the address part of the reply
>> to)
>>
>> Gosh!
>>
>> Here's a segment of the cyrus.cache file:
>>
>>  (("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.co m")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "ver ano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Mag aly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "cl ub.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com") ("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano " "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly " NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club. com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "v erano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("M agaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "
>> club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" N IL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com ")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "vera no"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Maga ly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "clu b.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")( "Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>> "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>>
>> -rw------- 1 cyrus mail 5446660 Feb  6 17:58 cyrus.cache
>>
>> That's pretty much all just this one email.
>>
>> It looks like Cyrus needs not only a "maximum number of headers to cache"
>> but a "maximum number of instances of each header"!
>>
>> Bron.
>>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Fwd: Huge header detection

Reply via email to