> IMO, bugs which allow any specially crafted spammy message to get
> through, even if the method used is to crash spamd or stand-alone SA,
> is NOT a security bug, provided the only damage is to SA/spamd and the
> resulting FN. That's a bug, pure and simple, no matter how creative
> the spammer is.
As an outside opinion I think I'd differ slightly here.
If the message is capable of crashing or locking up part of the SA chain, so
that the result is either no mail gets through or all subsequent mail gets
through unscanned, then I'd classify it as a private bug for discussion
purposes, and I'd also give it a number 1A1 priority rating for getting a
patch out for the affected versions.
I think I might do this even after a public *detailed, with example* report
of the method, but that is debatable. I would certainly be inclined to
classify the example until a fix was available.
OTOH, if the message simply results in an FN for whatever reason, but
doesn't affect subsequent processing or server load unacceptably, then it is
NOT a security bug.
Loren
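The distinction Loren draws (a crafted message that kills or hangs the scanner either defers all later mail or lets it through unscanned, versus a message that merely produces one false negative) is easy to see with a small simulation. The code below is an added illustration and is not SpamAssassin or spamd code, nor anything posted in this thread; StubScanner, the X-Kill-Scanner and X-Hang-Scanner headers, the timeout values and the sample messages are all constructed here for the demonstration.

```python
"""Fail-open vs fail-closed handling around a content scanner that can crash or hang.

Added illustration (not SpamAssassin code). StubScanner stands in for a spamd
instance: it stays down once it has crashed, so later mail is affected too.
"""
import concurrent.futures
import time

SCAN_TIMEOUT = 0.1   # seconds the filter waits for a verdict (assumed value)
HANG_SECONDS = 0.5   # how long the constructed "hang" message stalls the scanner


class StubScanner:
    """Constructed stand-in for a scanner daemon; the crafted headers are hypothetical."""

    def __init__(self):
        self.alive = True

    def scan(self, message: bytes) -> bool:
        """Return True if the message is spam; raise if the scanner cannot answer."""
        if not self.alive:
            raise ConnectionRefusedError("scanner is down")
        if b"X-Kill-Scanner: 1" in message:
            self.alive = False          # the crafted message takes the daemon out
            raise RuntimeError("scanner crashed on crafted message")
        if b"X-Hang-Scanner: 1" in message:
            time.sleep(HANG_SECONDS)    # the crafted message locks the scanner up
            return False
        return b"BUY NOW" in message    # toy spam rule


def filter_message(message: bytes, scanner: StubScanner, fail_open: bool):
    """Run one message through the scanner and apply the site policy.

    Returns (action, reason) where action is 'deliver', 'quarantine' or 'defer'.
    With fail_open=True a scanner failure delivers the mail unscanned; with
    fail_open=False it is deferred (tempfailed) instead.
    """
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(scanner.scan, message)
    try:
        is_spam = future.result(timeout=SCAN_TIMEOUT)
    except concurrent.futures.TimeoutError:
        reason = "timeout"
    except ConnectionRefusedError:
        reason = "down"
    except Exception:
        reason = "crash"
    else:
        pool.shutdown(wait=False)
        return ("quarantine" if is_spam else "deliver", "scanned")
    pool.shutdown(wait=False)       # do not block on a hung scan thread
    return ("deliver" if fail_open else "defer", reason)


def run_batch(messages, fail_open: bool):
    """Process a mailbox in order against one scanner instance; returns [(action, reason), ...]."""
    scanner = StubScanner()
    return [filter_message(m, scanner, fail_open) for m in messages]


# Constructed sample mailbox: clean mail, spam, a message that hangs the
# scanner, one that crashes it, and spam that arrives after the crash.
MAILBOX = [
    b"Subject: lunch\r\n\r\nStill on for noon?",
    b"Subject: $$$\r\n\r\nBUY NOW",
    b"Subject: slow\r\nX-Hang-Scanner: 1\r\n\r\nhello",
    b"Subject: crafted\r\nX-Kill-Scanner: 1\r\n\r\nBUY NOW",
    b"Subject: $$$ again\r\n\r\nBUY NOW",
]

if __name__ == "__main__":
    for policy in (True, False):
        print("fail_open =", policy)
        for msg, (action, reason) in zip(MAILBOX, run_batch(MAILBOX, policy)):
            print(f"  {msg.splitlines()[0].decode():<24} -> {action:<10} ({reason})")
```

Under the fail-open policy the crafted fourth message and every message after it are delivered unscanned (reasons "crash" and "down"), which is exactly the outcome Loren treats as security-relevant; under fail-closed the same messages are deferred, turning the crash into a denial of service instead. Either way the damage extends past the one crafted message, which is what separates this case from a plain false negative.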