https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8314

            Bug ID: 8314
           Summary: spam scoring aborted by unreasonable packet size
           Product: Spamassassin
           Version: 4.0.2
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: spamc/spamd
          Assignee: dev@spamassassin.apache.org
          Reporter: m...@arcabama.com
  Target Milestone: Undefined

This is on a Debian 12 VPS running postfix + spamassassin + dovecot.

I'm seeing log entries like this:

2025-02-12T07:27:09.159579+00:00 hwsrv-901112 postfix/smtpd[81255]: connect
from tor-exit-relay-gelios.space[193.218.118.137]
2025-02-12T07:27:09.161822+00:00 hwsrv-901112 spamd[67159]: spamd: connection
from localhost [127.0.0.1]:49682 to port 783, fd 6
2025-02-12T07:27:39.163085+00:00 hwsrv-901112 spamd[67159]: spamd: timeout: (30
second socket timeout reading input from client)
2025-02-12T07:27:39.165024+00:00 hwsrv-901112 postfix/smtpd[81255]: warning:
milter inet:localhost:783: unreasonable packet length: 1397768525 > 1073741823
2025-02-12T07:27:39.165201+00:00 hwsrv-901112 postfix/smtpd[81255]: warning:
milter inet:localhost:783: read error in initial handshake
2025-02-12T07:27:40.742525+00:00 hwsrv-901112 postfix/smtpd[81255]: Anonymous
TLS connection established from tor-exit-relay-gelios.space[193.218.118.137]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-02-12T07:27:45.343522+00:00 hwsrv-901112 policyd-spf[81307]: : prepend
Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=193.218.118.137;
helo=yahoo.com; envelope-from=i...@iyiou.com; receiver=ardsleyhigh73.com
2025-02-12T07:27:45.355336+00:00 hwsrv-901112 postfix/smtpd[81255]: 568E6CB3:
client=tor-exit-relay-gelios.space[193.218.118.137]
2025-02-12T07:28:00.973016+00:00 hwsrv-901112 postfix/cleanup[81308]: 568E6CB3:
message-id=<22fdb42dd86f454ab9135ab8ec29163ff...@iyiou.com>
2025-02-12T07:28:01.206046+00:00 hwsrv-901112 postfix/qmgr[68948]: 568E6CB3:
from=<i...@iyiou.com>, size=37382, nrcpt=2 (queue active)
2025-02-12T07:28:01.628369+00:00 hwsrv-901112 postfix/smtp[81322]: Untrusted
TLS connection established to
arcabama-com.mail.protection.outlook.com[52.101.194.4]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1)
server-signatu>
2025-02-12T07:28:02.325197+00:00 hwsrv-901112 postfix/smtpd[81255]: disconnect
from tor-exit-relay-gelios.space[193.218.118.137] ehlo=2 starttls=1 mail=1
rcpt=1 data=1 quit=1 commands=7
2025-02-12T07:28:03.265008+00:00 hwsrv-901112 postfix/smtp[81322]: 568E6CB3:
to=<m...@arcabama.com>, orig_to=<ad...@ardsleyhigh73.com>,
relay=arcabama-com.mail.protection.outlook.com[52.101.194.4]:25, delay=22,
delays=20/0.08/0.43/1.5, dsn=2.6.0, status=sent (250 2.6.0>
2025-02-12T07:28:03.265595+00:00 hwsrv-901112 postfix/qmgr[68948]: 568E6CB3:
removed

While the targeted email account is simply a forwarder to another one of my
accounts (on a different domain), I don't think that's significant.

The problem is no spam header flags are added to the email when it is
forwarded. I've verified this by examining the headers at the destination.

It looks to me like the spammer is circumventing the spamd/spamassassin review
by specifying an unreasonably large packet size. The message itself is only
about 38KB, far below the claimed packet size.

Is there a way to flag this as spam simply because the packet size is too
large? I didn't see anything like that in the documentation.

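An added diagnostic example, not part of the original report or of SpamAssassin/postfix code: a milter packet starts with a 4-byte big-endian length, so the value postfix rejected in the log above can be turned back into the four bytes the service on port 783 actually sent. The function names are this example's own, and the sample input is the warning line copied from the report.

```python
import re
import struct

# Matches postfix's milter warning; the two integers are the length the peer
# appeared to claim and postfix's upper bound.
PATTERN = re.compile(
    r"milter (?P<endpoint>\S+): unreasonable packet length: "
    r"(?P<claimed>\d+) > (?P<limit>\d+)"
)

def decode_length_prefix(value):
    """Return the 4 bytes that, read as a big-endian uint32, give `value`."""
    return struct.pack(">I", value)

def diagnose(log_text):
    """Find milter length warnings and report the bytes behind each one."""
    findings = []
    # Logs pasted into mail are line-wrapped, so collapse whitespace first.
    flat = " ".join(log_text.split())
    for m in PATTERN.finditer(flat):
        raw = decode_length_prefix(int(m["claimed"]))
        findings.append({
            "endpoint": m["endpoint"],
            "claimed": int(m["claimed"]),
            "raw": raw,
            # Four printable ASCII bytes mean the peer sent text where
            # postfix expected a binary length field.
            "looks_like_text": all(0x20 <= b < 0x7F for b in raw),
        })
    return findings

# Warning line copied from the report above (mail line wrapping preserved).
SAMPLE = """\
2025-02-12T07:27:39.165024+00:00 hwsrv-901112 postfix/smtpd[81255]: warning:
milter inet:localhost:783: unreasonable packet length: 1397768525 > 1073741823
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f["endpoint"], f["claimed"], f["raw"], f["looks_like_text"])
```

For the value in this log the decoded bytes are `SPAM`, which is how a spamd protocol reply line (`SPAMD/...`) begins; that points to port 783 answering in the spamc/spamd protocol rather than the milter protocol postfix is speaking to it.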