On 7/20/2010 10:46 PM, Gnanam wrote:
> Ted Mittelstaedt-2 wrote:
>> Generally, no. SA skips messages that are larger than a size that you
>> set in the config file. Most attachments are larger than that size.
>> Obviously if you have a really small attachment then it will scan it.
>
> Thanks for that update.
> Assuming my use case needs to do test/scan on attachments as well, thereby I
> set a large size in the config file, say 5 MB for example. I also
> understand that it will take a few more seconds to test/scan.
> How does SA scan binary attachments like .doc, .docx, .rtf, .xls, .zip, etc.
> in that case?

It doesn't. At least, not like what you are thinking.
As you know an encoded attachment is a series of lines like:
XXHUBKJVHLSJFWSJNDL:SANFKJHSBFSLJRWKSBF
DSKJNBFSHNF:LSJFLKSNFLKJSBFLK:SNFLKSNFS
FJSHBFLKSHNFLKNSFL:SF:LSNFLKSNFLK:SNFL:
KFSLKHFDSHNFKDNFLDKNFLKDNFLKJHDBIAVFBUB
SA scans that. Of course, there is nothing there that matches
anything.
You're thinking SA works like, for example, clamav. clamav takes the
attachments, mimedecodes them, then unzips them (or unrars them
or whatever) then scans the decoded, extracted, result. SA does not
do this.
This is why spammers tried hiding spams in graphic images. (URLs
and such) Of course, since it was a URL in a graphic image there
wasn't anything for the dumb users to click on that would send them
off to some compromised website. So even the stupidest spammers
finally figured out that that trick, while bypassing SA, also
made the spams equally unusable to the victims they were trying
to nail.
Ted
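
The contrast drawn in this message, as an added example that is not part of the original post and is neither SpamAssassin nor ClamAV code: a pattern run over the message as transmitted sees only base64 lines, while the same pattern run after MIME-decoding and unzipping sees the content. The sample message, the URL pattern and the function names are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed marker standing in for content a content rule would look for.
PATTERN = re.compile(rb"http://spam\.example/offer")

def build_sample() -> bytes:
    """Constructed message: plain-text body plus a zip that holds a URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Visit http://spam.example/offer today\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="offer.zip")
    return msg.as_bytes()

def scan_raw(raw: bytes) -> bool:
    """Match against the message as transmitted (base64 lines intact)."""
    return PATTERN.search(raw) is not None

def scan_decoded(raw: bytes, max_member: int = 1_000_000) -> bool:
    """MIME-decode each attachment, unzip it, then match the contents."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if PATTERN.search(data):
            return True
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > max_member:  # skip oversized members
                        continue
                    if PATTERN.search(zf.read(info)):
                        return True
    return False

if __name__ == "__main__":
    raw = build_sample()
    print("raw match:", scan_raw(raw))
    print("decoded match:", scan_decoded(raw))
```

The raw scan cannot match here because the base64 alphabet contains neither ":" nor ".", so the URL never appears literally in the encoded lines.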