On Wed, Feb 26, 2003 at 07:20:48PM +1300, Christopher Sawtell wrote:
> On Tue, 25 Feb 2003 11:30, Hamish McBrearty wrote:
> > How do I add Spamassassin to the mix to help filter out the crap I get?
> > I've searched on this and can't seem to find anything simple, or anything
> > that doesn't involve Sendmail.
>
> Before we all install SA, it would be a good idea to look at this:-
> http://marc.theaimsgroup.com/?%7C=bugtraq&m=104342896818777&w=2
> It says, in part:-
>
> Attacker may be able to execute arbitrary code by sending a specially
> crafted e-mail to a system using SpamAssassin's spamc program in BSMTP mode
> (-B option). Versions from 2.40 to 2.43 are affected.

Thanks for the heads-up Chris. Luckily, this won't affect anyone using 'spamassassin' in their procmail configs.

spamassassin itself is a big perl script, and as such has a reasonably large system footprint, and takes time to get started. This overhead isn't too important for just one user's email, even if they subscribe to CLUG :-) but it would be significant if your mail server was looking after a lot of users/email. Say more than about 2 a second, sustained?

If so, you can choose to keep spamassassin running all the time (spamd), so the startup overhead happens only once, and then just use the very small spamc program to go and talk to it, returning the results as usual.

Once you've thought about setting that up, the next thought is related to the question about bounce messages, earlier in this thread. If spam checking is now "easy" in terms of system resources, why don't we just check everything that comes through, no matter who it is for? Just ask the mail server itself to do the checking - that way, if the message seems to be spam, we can reject it completely, and tell the system sending the mail that we don't want it. That would save us the trouble of having to work out where to deliver something that no-one wants!

If you do that, you begin to be potentially vulnerable to the buffer overflow problem in the bugtraq mailing you referenced. If you accept batched SMTP traffic. I don't believe that many people do that by default, but I'm not current on the Postfix settings on Linux distributions.

Timo's message points out that many examples for using SpamAssassin with the Exim MTA enable BSMTP traffic. It's even in the O'Reilly Exim book in the examples for running a virus checker!

Well, my system (which is a high traffic machine with multiple users) runs Exim, and spamd. We don't invoke spamc from within the MTA, so we're not going to be tickled by this bug. We are going to be implementing a mailscanner of some sort, but we have to wait until we've figured out how to keep per-(virtual)-domain configs and preferences in either our LDAP or SQL db. So it's worth knowing about this concern!

-jim

> .
> Patch is in URL.
>
> --
> C. S.
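
An added example, not part of the original message and not SpamAssassin's own code: a small audit that applies the two conditions discussed in this thread, an installed version in the quoted 2.40 to 2.43 range and a configuration line that runs spamc with -B. The function names, the sample configuration and the option-matching heuristic are assumptions made for illustration.

```python
import re

# Affected range as quoted in the thread: SpamAssassin 2.40 through 2.43.
AFFECTED = ((2, 40), (2, 43))

# "spamc" as a command name, not part of a longer word.
SPAMC = re.compile(r"(?<![\w.-])spamc(?![\w.-])(.*)")
# A short-option cluster containing B, e.g. -B. Deliberately broad
# (assumption): review each reported line by hand.
BSMTP_FLAG = re.compile(r"-[A-Za-z]*B[A-Za-z]*")

def version_affected(version):
    """True if a 'major.minor' version string falls inside the quoted range."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return AFFECTED[0] <= (int(m.group(1)), int(m.group(2))) <= AFFECTED[1]

def bsmtp_lines(config_text):
    """Line numbers (1-based) where spamc is invoked with the -B option."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        found = SPAMC.search(line)
        if not found:
            continue
        for token in re.sub(r"[\"']", " ", found.group(1)).split():
            if token in ("|", ";", "&&", "||"):
                break  # arguments of the spamc command end here
            if BSMTP_FLAG.fullmatch(token):
                hits.append(number)
                break
    return hits

def exposed(version, config_text):
    """Lines to fix: non-empty only for an affected version that uses -B."""
    return bsmtp_lines(config_text) if version_affected(version) else []

# Constructed sample: two procmail recipes and one MTA pipe command.
SAMPLE = """\
# constructed configuration, not taken from the thread
:0fw
| spamassassin
:0fw
| /usr/bin/spamc -d 127.0.0.1
command = "/usr/local/bin/spamc -d 127.0.0.1 -B"
"""
```

Calling `exposed("2.43", SAMPLE)` reports only the last line, the one that passes -B; the plain `spamassassin` and `spamc` recipes are not flagged.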
