On Tue, Jun 11, 2002 at 04:27:40AM -0800, Pete Hanson wrote:
| Hi Derrick,
| 
| At 06/10/2002 13:04, Derrick 'dman' Hudson wrote:
| >On Mon, Jun 10, 2002 at 10:51:07AM -0800, Pete Hanson wrote:
| >| Not true.  We're starting to see spam mail with huge attachments.
| >
| >What sort of attachments?  What are the main identifying marks on the
| >messages?
| 
| Here's a nice example (I'm not going to include the whole damn thing
| unless you really want it - it's a 760k message):

Thanks.

| >Subject: 内斗威武、外斗已成瓮中之鳖
            ^^^^^^^^^^^^^^^^^^^^^^^^^^

It's not a valid message.  No RFC allows 8bit characters in message
headers.  Recent postfix snapshots have a strict_7bit_headers option
to reject this sooner (I'm not sure if it is SMTP-time rejection or if
it makes a bounce afterwards).  I'm going to create an exim ACL (as
soon as I have time to test/debug it) to do the same thing.

| >Content-Type: text/plain; charset="iso-8859-1"

I didn't know Chinese is a latin1 language.

I think it might be useful for some tests to be made that determine
whether or not the charset setting actually matches the language in
the text.  The new language identifying stuff could be used and SA (or
some other utility) could simply iterate over the (useful) charsets
and see which one makes the most sense.

| There are 3 more quoted-printable attachments in the message. 

No wonder the thing is so huge -- every single non-English byte
requires 3 bytes, and I think the charset really used is multi-byte.

| If I pass just the first *3.6k* of the message (just the stuff shown
| above), it scores 8 points (only the WHOLE LINE OF YELLING is
| omitted).

Hmm, I just had an idea.  To implement this, someone could write a
wrapper script that feeds only the beginning of the message into
spamc.  You could then choose, in your LDA, whether to use the wrapper
or spamc directly based on the size of the message.

-D

-- 

The light of the righteous shines brightly,
but the lamp of the wicked is snuffed out.
        Proverbs 13:9
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
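
The 8-bit header check discussed in this message, sketched as an added example; it is not part of the original e-mail and is neither the postfix option nor the exim ACL mentioned there. The function name and both sample messages are constructed for illustration.

```python
import re

def eight_bit_headers(raw):
    """Return [(field name, number of bytes >= 0x80)] for each offending header."""
    # The header block ends at the first empty line (CRLF or bare LF).
    end = re.search(rb"\r?\n\r?\n", raw)
    block = raw[:end.start()] if end else raw
    # Unfold continuation lines so a folded header is judged as one field.
    block = re.sub(rb"\r?\n[ \t]+", b" ", block)
    hits = []
    for line in re.split(rb"\r?\n", block):
        count = sum(1 for byte in line if byte >= 0x80)
        if not count:
            continue
        name, sep, _ = line.partition(b":")
        # A line with no colon is not a header field; report it under a marker.
        label = name.decode("ascii", "replace").strip() if sep else "(no field name)"
        hits.append((label, count))
    return hits

# Constructed sample: raw 8-bit bytes in a folded Subject, and in the body.
SAMPLE_RAW = (
    b"From: sender@example.com\r\n"
    b"Subject: \xc4\xda\xb6\xb7\r\n"
    b" \xc4\xda folded\r\n"
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    b"\r\n"
    b"body bytes \xc4\xda are not header bytes\r\n"
)

# Constructed sample: the same Subject bytes carried as an RFC 2047
# encoded-word, which keeps the header itself 7-bit.
SAMPLE_ENCODED = (
    b"From: sender@example.com\r\n"
    b"Subject: =?gb2312?B?xNq2tw==?=\r\n"
    b"\r\n"
    b"body bytes \xc4\xda\r\n"
)

if __name__ == "__main__":
    for label, msg in (("raw", SAMPLE_RAW), ("encoded", SAMPLE_ENCODED)):
        print(label, eight_bit_headers(msg))
```

Only the header block is inspected, so 8-bit body content does not trigger a hit.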
