Matt Kettler writes:

> Justin Mason wrote:
> > Theo Van Dinter writes:
> >
> >> It depends on your SA version. It used to be 256k, but apparently 3.2 upped it to 500k.
> >>
> >>> not be an issue. These messages are well below 256M. milter-spamc only sends down the first 64K of the message in fact.
> >>>
> >> Wow, that would be pretty broken IMO.
> >
> > Strongly agreed. It's trivial for spammers to rewrite HTML email to contain innocuous content for the first 64K, 128K, 2M or whatever, then replace it with spammy content, using CSS.
>
> Well, I agree, but it is also pretty easy for them to send messages over 64k, 128, 256k, whatever in order to bypass scanning entirely, as spamc does. This, IMO, is actually worse as they're now guaranteed to not be tagged as spam. At least with truncation you get header scanning, and possibly some useful body scanning. Both suck, and are easily abused by spammers, but at least truncation isn't a sure-fire whitelist.
>
> Of course, truncation has its negative side effects as well, like FPs on missing MIME boundaries, etc., but strictly from the perspective of spammers "stuffing" their mail, the existing spamc behavior is worse.
OK, truncation might be a better policy, as long as the threshold is nearer what we use now -- 500KB rather than 64KB. ;)

By the way, an explanation of the current policy: We can say that only messages below a high-enough threshold should be scanned, and have a good degree of certainty that this will allow us to avoid crazy memory consumption/slow scan times/etc., while allowing through only 0.001% of spam.

This works because spammers need to be able to send out a certain number of spam messages per day as part of their economic model, and this is partly bottlenecked by the size of each message; increasing the average size of their spams from 7KB (my current avg spam size) to 600KB to evade SpamAssassin's limits, for example, means that their spam output would drop to 1.1% of what it was previously.

(Mind you, certain subsets of spammers, such as the Japanese-language porn spammers, seem to send larger messages, probably since they're not as concerned with volumes.)

--j.