On 6/8/2016 1:20 PM, John Hardin wrote:
On Wed, 8 Jun 2016, Mark London wrote:
Hi - We received an email with several large postscript attachments,
and the content type was "text/plain". This caused our spamassassin
server to use up 100% CPU, parsing the attachments as text. I
temporarily disabled spam scanning to allow the message to go
through. How can I prevent this in the future? I know about the
time limit feature, but this doesn't prevent the server from running
100% of the time, before the time limit is reached. Any suggestions?
Thanks. - Mark
Content-Transfer-Encoding: base64
Content-Type: text/plain;
name=OTBW_3D_256_ngtot100_de03_coll_dissip_1248.ps
Content-Disposition: attachment;
filename=OTBW_3D_256_ngtot100_de03_coll_dissip_1248.ps
Do you have something that could catch text/plain + *.ps before SA get
handed the message (e.g. a regex milter or other test)?
I'm using MIMEDefang. I haven't looked to see what I could do with
that. I've been running spamassassin for more years than I remember,
and this is the first time I've encountered this situation.
Someone else asked about my file size limit. I know that for a 512K
postscript file as text/plain, that it takes up 100% of the CPU of one
process, for about 1 minute. But I have a much larger file size limit,
which I've increased over the years, in response to spam that we've
received here.
I believe the problem has always been there, but it's rarely been abused
like this. I can't think of a proper solution. I guess maybe I'll
just hope it never happens again. :) - Mark
