Re: Discourage broken content
From: Kris Deugau [EMAIL PROTECTED]
John Andersen wrote:
Mailscanner
... or any other mail-handling software...
has no business changing content.
... unless you explicitly configure it to do so. (ATTN: AVG for
Windows POP3/SMTP interface/hook authors, This Means You! Among others.)
Use POP3S. That is MUCH harder to place an AVG man in the middle
rewrite into.
{^_-}
Re: Discourage broken content
John Andersen wrote: Mailscanner ... or any other mail-handling software... has no business changing content. ... unless you explicitly configure it to do so. (ATTN: AVG for Windows POP3/SMTP interface/hook authors, This Means You! Among others.) -kgd
Re: Discourage broken content
Rick Cooper wrote: -Original Message- From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 4:23 PM To: Rick Cooper Cc: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rick Cooper wrote: -Original Message- From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 2:24 PM To: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [...] I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Rick I did not say it damages the mail. I said it feds only a given amount of the message to SpamAssassin and THAT breaks plugins requiring the whole message, especially when MailScanner breaks messages in the middle of attachments. And as far as I know, it is the default setting of mailscanner to feed only a given amount of kb to SpamAssassin. That does not mean it truncates the message before delivering it. My apologies, the way I interpreted the original I thought you were saying it truncates the email and breaks they message. I will bring this up on the Mailscanner list that the default, given the recent image spams, should be disabled so the entire message is sent to spam assassin. Before the current spat of image spam you could generally tell within 20k or so if a message was spam or not, this is not the case in today's world and the entire message really should be fed to SA. I have never used the default setting myself. This issue is currently being discussed on the MailScanner users list, under the Subject Max SpamAssassin Size problems. The size limit is configurable (http://www.mailscanner.info/MailScanner.conf.5.html#SpamAssassin Max SpamAssassin Size), so people can raise the size limit or disable it to get around this issue at the moment. There is some concern about removing the limit completely, so the current discussion is about a scheme that checks ahead for a Mime boundary within a fixed window after the max size value is reached. -- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. -- George Bernard Shaw
Re: Discourage broken content
Anthony Peacock writes: Rick Cooper wrote: From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 4:23 PM To: Rick Cooper Cc: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rick Cooper wrote: -Original Message- From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 2:24 PM To: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [...] I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Rick I did not say it damages the mail. I said it feds only a given amount of the message to SpamAssassin and THAT breaks plugins requiring the whole message, especially when MailScanner breaks messages in the middle of attachments. And as far as I know, it is the default setting of mailscanner to feed only a given amount of kb to SpamAssassin. That does not mean it truncates the message before delivering it. My apologies, the way I interpreted the original I thought you were saying it truncates the email and breaks they message. I will bring this up on the Mailscanner list that the default, given the recent image spams, should be disabled so the entire message is sent to spam assassin. Before the current spat of image spam you could generally tell within 20k or so if a message was spam or not, this is not the case in today's world and the entire message really should be fed to SA. I have never used the default setting myself. This issue is currently being discussed on the MailScanner users list, under the Subject Max SpamAssassin Size problems. The size limit is configurable (http://www.mailscanner.info/MailScanner.conf.5.html#SpamAssassin Max SpamAssassin Size), so people can raise the size limit or disable it to get around this issue at the moment. There is some concern about removing the limit completely, so the current discussion is about a scheme that checks ahead for a Mime boundary within a fixed window after the max size value is reached. I'm sure they know this -- but there are dangers there too. It's pretty trivial in HTML to craft a MIME part that contains 100 KB of innocent-looking HTML, followed by 4 KB of spam payload, where the payload is the only part that's visible. Length truncation for non-text/plain data is very tricky -- that's why we don't use it in SpamAssassin itself ;) --j.
Re: Discourage broken content
Justin Mason wrote: Anthony Peacock writes: Rick Cooper wrote: From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 4:23 PM To: Rick Cooper Cc: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rick Cooper wrote: -Original Message- From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 2:24 PM To: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [...] I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Rick I did not say it damages the mail. I said it feds only a given amount of the message to SpamAssassin and THAT breaks plugins requiring the whole message, especially when MailScanner breaks messages in the middle of attachments. And as far as I know, it is the default setting of mailscanner to feed only a given amount of kb to SpamAssassin. That does not mean it truncates the message before delivering it. My apologies, the way I interpreted the original I thought you were saying it truncates the email and breaks they message. I will bring this up on the Mailscanner list that the default, given the recent image spams, should be disabled so the entire message is sent to spam assassin. Before the current spat of image spam you could generally tell within 20k or so if a message was spam or not, this is not the case in today's world and the entire message really should be fed to SA. I have never used the default setting myself. This issue is currently being discussed on the MailScanner users list, under the Subject Max SpamAssassin Size problems. The size limit is configurable (http://www.mailscanner.info/MailScanner.conf.5.html#SpamAssassin Max SpamAssassin Size), so people can raise the size limit or disable it to Agreed get around this issue at the moment. There is some concern about removing the limit completely, so the current discussion is about a scheme that checks ahead for a Mime boundary within a fixed window after the max size value is reached. I'm sure they know this -- but there are dangers there too. It's pretty trivial in HTML to craft a MIME part that contains 100 KB of innocent-looking HTML, followed by 4 KB of spam payload, where the payload is the only part that's visible. Length truncation for non-text/plain data is very tricky -- that's why we don't use it in SpamAssassin itself ;) Agreed! My personal suggestion was when the configured limit was reached, roll _back_ to the starting MIME boundary. This honoured the Admins configured Maximum SA Size setting but didn't pass any truncated images to SA that may then cause problems with the various image plugins. But the debate is still underway, so I better pop back there to keep an eye on things. I just wanted to pop up here to let people know that the MS list is aware of this issue and discussing ways to make life better for all concerned. :-) -- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. -- George Bernard Shaw
Re: Discourage broken content
--On Tuesday, August 29, 2006 9:41 AM +0100 Anthony Peacock [EMAIL PROTECTED] wrote: This issue is currently being discussed on the MailScanner users list, under the Subject Max SpamAssassin Size problems. Which can be found here: http://lists.mailscanner.info/pipermail/mailscanner/ 2006-August/thread.html
Re: Discourage broken content
--On Tuesday, August 29, 2006 9:58 AM +0100 Justin Mason [EMAIL PROTECTED] wrote: I'm sure they know this -- but there are dangers there too. It's pretty trivial in HTML to craft a MIME part that contains 100 KB of innocent-looking HTML, followed by 4 KB of spam payload, where the payload is the only part that's visible. Rather than specify the limit for objects to be passed to SA, how about rejecting anything that you consider too big for your scanner? You could do this on a part-type-basis, so that binaries (ie. images) get a bigger size allowance than text (including HTML).
Re: Discourage broken content
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kenneth Porter wrote: --On Friday, August 25, 2006 12:05 AM -0700 Plenz [EMAIL PROTECTED] wrote: I disagree. To check out what happens I converted a JPG picture into a GIF file and sent it to myself. One time I converted it with IrfanView and the second time with PaintShop Pro. Both GIF files had the result giftopnm: EOF or error reading data portion... So I produced a corrupt (?) image, but it was not spam. I think we should discourage all broken content in email and on the web. At one time we could assume that broken content was an honest mistake and make an attempt at fixing it. But with the rise of malicious content attempting to exploit bugs in content handlers (like overruns in image libraries), we should simply reject anything that fails to pass validation, on the assumption that's it out to get us. This includes not just broken images but also broken HTML, which is so commonly used to conceal spam. We need to stop giving a free pass to broken content creation software just because it's popular. When someone sends you broken content, you should react the same way you would if they sent you documents on dirt-smeared paper. Stop letting your emperor walk around naked. I completely agree, the problem is, some implementations makes this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... Chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE705eJQIKXnJyDxURAiGZAJ4q2f5KIxWjrYN3U6vB4kFhLbZ2igCfVM1l n13w21PXoSH7IethDVc3uio= =IWPe -END PGP SIGNATURE-
Re: Discourage broken content (was: Broken images in mails)
On Friday 25 August 2006 11:20, Kenneth Porter wrote: We need to stop giving a free pass to broken content creation software just because it's popular. When someone sends you broken content, you should react the same way you would if they sent you documents on dirt-smeared paper. Stop letting your emperor walk around naked. Actually there is very little broken content IMAGE software out there in any modern mailer, even microsoft crapware does not break images. The image corruption is intentional, and may be malicious (not JUST spam). So I agree with you there. Broken html is another issue, because there is broken, and there is simply lame (lazy) html. Which of the several versions of the standards are you going to impose? The agreed upon standards? or the defacto ones? -- _ John Andersen pgpqrnYNR3Yfg.pgp Description: PGP signature
Re: Discourage broken content
On Friday 25 August 2006 11:24, decoder wrote: I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... How better to get that fixed than to put them on notice, and start tagging based on the mere fact that the image is broken. Mailscanner has no business changing content. -- _ John Andersen pgpBa2MfS7p4K.pgp Description: PGP signature
Re: Discourage broken content
From: decoder [EMAIL PROTECTED] To: users@spamassassin.apache.org Subject: Re: Discourage broken content Date: Fri, 25 Aug 2006 21:24:14 +0200 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kenneth Porter wrote: --On Friday, August 25, 2006 12:05 AM -0700 Plenz [EMAIL PROTECTED] wrote: I disagree. To check out what happens I converted a JPG picture into a GIF file and sent it to myself. One time I converted it with IrfanView and the second time with PaintShop Pro. Both GIF files had the result giftopnm: EOF or error reading data portion... So I produced a corrupt (?) image, but it was not spam. I think we should discourage all broken content in email and on the web. At one time we could assume that broken content was an honest mistake and make an attempt at fixing it. But with the rise of malicious content attempting to exploit bugs in content handlers (like overruns in image libraries), we should simply reject anything that fails to pass validation, on the assumption that's it out to get us. This includes not just broken images but also broken HTML, which is so commonly used to conceal spam. We need to stop giving a free pass to broken content creation software just because it's popular. When someone sends you broken content, you should react the same way you would if they sent you documents on dirt-smeared paper. Stop letting your emperor walk around naked. I completely agree, the problem is, some implementations makes this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... Chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE705eJQIKXnJyDxURAiGZAJ4q2f5KIxWjrYN3U6vB4kFhLbZ2igCfVM1l n13w21PXoSH7IethDVc3uio= =IWPe -END PGP SIGNATURE- Could somebody explain to me the reason why MailScanner acts this way? A good question could be decide if you adapt this plugin to be compatible with MailScanner or tha last one should change this practice. IMHO, any kind of information included into an email could be revised but shouldn't be transformed. greetings Enediel
RE: Discourage broken content (was: Broken images in mails)
I think we should discourage all broken content in email and on the web. But who is to decide what is broken. Just because giftext/giffix/gocr/etc. fail to parse it, doesn't necessarily mean it's broken. The software may be buggy (note the patches on the download page needed to make these utilities work properly with legitimate images). Howard
Re: Discourage broken content (was: Broken images in mails)
On Friday 25 August 2006 11:33, Kash, Howard (Civ, ARL/CISD) wrote: I think we should discourage all broken content in email and on the web. But who is to decide what is broken. Just because giftext/giffix/gocr/etc. fail to parse it, doesn't necessarily mean it's broken. Yes, by definition, it DOES mean its broken. -- _ John Andersen pgpqkudEyt5sv.pgp Description: PGP signature
RE: Discourage broken content (was: Broken images in mails)
Yes, by definition, it DOES mean its broken. So when then giftext author made an error in assuming every image would have a global colormap, he redefined the GIF specification so that any that don't are no longer valid? Howard
RE: Discourage broken content
Could somebody explain to me the reason why MailScanner acts this way? A good question could be decide if you adapt this plugin to be compatible with MailScanner or tha last one should change this practice. As a resource/denial of service protection mechanism. If someone starts feeding you 10MB messages and spamassassin has to run all of its regular expression checks, etc. on the full content of every message, your server would die. Or consider sites the have lots of messages with huge PowerPoint attachments. SPAM messages are rarely very big, so it's actually a nice feature - until you want to use plugins like FuzzyOCR that need full content. Howard
Re: Discourage broken content
On Fri, 25 Aug 2006, enediel gonzalez wrote: From: decoder [EMAIL PROTECTED] Kenneth Porter wrote: I completely agree, the problem is, some implementations makes this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... Yes, if you leave the default Max SpamAssassin Size = 3 setting in place, it will do this. Could somebody explain to me the reason why MailScanner acts this way? Performance. The theory, I think, is that if a message is spam, there should be some evidence of that in the first 3 bytes, so there is no need to pass the whole message to SpamAssassin. I think this was a good assumption and a good plan when SpamAssassin didn't check a lot of attachments. Now that there are plugins which do check attachments, leaving the MIME structure of the message intact is more important, but MailScanner hasn't caught up with this reality. Of course, you can always just remove the limitation by changing the MailScanner configuration file. A good question could be decide if you adapt this plugin to be compatible with MailScanner or tha last one should change this practice. MailScanner calls SpamAssassin, so no adaptation needed in most cases. Unless you are talking about workarounds for issues like the above. - Logan
Re: Discourage broken content
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Logan Shaw wrote: On Fri, 25 Aug 2006, enediel gonzalez wrote: From: decoder [EMAIL PROTECTED] Kenneth Porter wrote: I completely agree, the problem is, some implementations makes this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... Yes, if you leave the default Max SpamAssassin Size = 3 setting in place, it will do this. Could somebody explain to me the reason why MailScanner acts this way? Performance. The theory, I think, is that if a message is spam, there should be some evidence of that in the first 3 bytes, so there is no need to pass the whole message to SpamAssassin. I think this was a good assumption and a good plan when SpamAssassin didn't check a lot of attachments. Now that there are plugins which do check attachments, leaving the MIME structure of the message intact is more important, but MailScanner hasn't caught up with this reality. I heard that a proposal on letting the MIME structure intact has been made... so at least if the message was truncated, it wouldn't be truncated in the middle of an attachment (which would make absolutely no sense, either you truncate before or after the attachment, a broken attachment doesnt help anyone and will only cause unnecessary errors) Chris Of course, you can always just remove the limitation by changing the MailScanner configuration file. A good question could be decide if you adapt this plugin to be compatible with MailScanner or tha last one should change this practice. MailScanner calls SpamAssassin, so no adaptation needed in most cases. Unless you are talking about workarounds for issues like the above. - Logan -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE71X+JQIKXnJyDxURAnGdAKC2aHFPzyX8lFhhsoSsrIgl+ci6QgCeJO4q 58fKQR01gJE0I/0P2Zpdprw= =MU3c -END PGP SIGNATURE-
Re: Discourage broken content (was: Broken images in mails)
On Friday 25 August 2006 11:40, Kash, Howard (Civ, ARL/CISD) wrote: Yes, by definition, it DOES mean its broken. So when then giftext author made an error in assuming every image would have a global colormap, he redefined the GIF specification so that any that don't are no longer valid? One presumes adherence to the standard. If the image does not adhere to the standards for gif then it is broken. These are easily seen to be broken with any standard gif viewer, usually with trash along the bottom edge. You are addressing a temporal problem, in a beta product, and using that developmental shortcoming as a justification for allowing broken image in mail. -- _ John Andersen pgpbYP09mKPsY.pgp Description: PGP signature
RE: Discourage broken content
-Original Message- From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 2:24 PM To: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kenneth Porter wrote: --On Friday, August 25, 2006 12:05 AM -0700 Plenz [EMAIL PROTECTED] wrote: I disagree. To check out what happens I converted a JPG picture into a GIF file and sent it to myself. One time I converted it with IrfanView and the second time with PaintShop Pro. Both GIF files had the result giftopnm: EOF or error reading data portion... So I produced a corrupt (?) image, but it was not spam. I think we should discourage all broken content in email and on the web. At one time we could assume that broken content was an honest mistake and make an attempt at fixing it. But with the rise of malicious content attempting to exploit bugs in content handlers (like overruns in image libraries), we should simply reject anything that fails to pass validation, on the assumption that's it out to get us. This includes not just broken images but also broken HTML, which is so commonly used to conceal spam. We need to stop giving a free pass to broken content creation software just because it's popular. When someone sends you broken content, you should react the same way you would if they sent you documents on dirt-smeared paper. Stop letting your emperor walk around naked. I completely agree, the problem is, some implementations makes this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Discourage broken content
On Friday 25 August 2006 12:10, Rick Cooper wrote: That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Yes, Rick, that is correct, but the situation under discussion is that mailscanner passes a partial file to the spamassassin proceess, which in turn passes that partial file to the image analysis plugins, which decide that the image is broken. Upon being passed by spamassassin, the entire, unchanged mail is sent on its way intact by mailscanner. Amavis-New does something similar. Shreds mail into pieces, launches scanners on the pieces. The problem is that the spam scanner (and presumably virus scanner) plugins are being handed partial files. Not a good practice in my view. -- _ John Andersen pgpqgyuWogszM.pgp Description: PGP signature
Re: Discourage broken content
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rick Cooper wrote: -Original Message- From: decoder [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 2:24 PM To: users@spamassassin.apache.org Subject: Re: Discourage broken content -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kenneth Porter wrote: --On Friday, August 25, 2006 12:05 AM -0700 Plenz [EMAIL PROTECTED] wrote: I disagree. To check out what happens I converted a JPG picture into a GIF file and sent it to myself. One time I converted it with IrfanView and the second time with PaintShop Pro. Both GIF files had the result giftopnm: EOF or error reading data portion... So I produced a corrupt (?) image, but it was not spam. I think we should discourage all broken content in email and on the web. At one time we could assume that broken content was an honest mistake and make an attempt at fixing it. But with the rise of malicious content attempting to exploit bugs in content handlers (like overruns in image libraries), we should simply reject anything that fails to pass validation, on the assumption that's it out to get us. This includes not just broken images but also broken HTML, which is so commonly used to conceal spam. We need to stop giving a free pass to broken content creation software just because it's popular. When someone sends you broken content, you should react the same way you would if they sent you documents on dirt-smeared paper. Stop letting your emperor walk around naked. I completely agree, the problem is, some implementations makes this impossible. For example MailScanner. I've heard that it truncates the mail at 30kb, no matter if that is within a MIME block or not... So my plugin gets a broken image.. though it was not broken originally... That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Rick I did not say it damages the mail. I said it feds only a given amount of the message to SpamAssassin and THAT breaks plugins requiring the whole message, especially when MailScanner breaks messages in the middle of attachments. And as far as I know, it is the default setting of mailscanner to feed only a given amount of kb to SpamAssassin. That does not mean it truncates the message before delivering it. Chris -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE71wLJQIKXnJyDxURAtxUAJ9/O5F4cC/1vlsE6EsRb6vLcepH+ACfcTCA x4CmnLDyZbUFtAr2kWK9koY= =Ckpc -END PGP SIGNATURE-
RE: Discourage broken content
-Original Message- From: John Andersen [mailto:[EMAIL PROTECTED] Sent: Friday, August 25, 2006 4:20 PM To: users@spamassassin.apache.org Subject: Re: Discourage broken content On Friday 25 August 2006 12:10, Rick Cooper wrote: That is patently false. I have a graphics design/advertising department at one of my locations and these fellas send huge graphics files back and forth when they have emergency proofs/changes and MailScanner has *never* damaged anything, ever, anywhere. Now, there is a setting for scanning (much like exiscan IIRCC) that allows you to truncate the message and only scan xxx amount, it's optional and doesn't modify the actual message in anyway. Yes, Rick, that is correct, but the situation under discussion is that mailscanner passes a partial file to the spamassassin proceess, which in turn passes that partial file to the image analysis plugins, which decide that the image is broken. Upon being passed by spamassassin, the entire, unchanged mail is sent on its way intact by mailscanner. Amavis-New does something similar. Shreds mail into pieces, launches scanners on the pieces. The problem is that the spam scanner (and presumably virus scanner) plugins are being handed partial files. Not a good practice in my view. I misunderstood what decoder was saying. And no, MailScanner doesn't give the virus scanners partial messages. In fact it goes to great pains to completely unpack all attachments (including tnef) and sanitize the file names, etc. The option to give partial messages to SA is due in part to the historical lack of need to hand a large message to SA to determine ham/spam and there are/were vulnerabilities in the tnef processing that could be exploited by very large tnef attachments. Mailscanner currently handles tnef in a way I doubt there would be a problem and can in fact (optionally) decode tnef attachments and recreate them as standard attachments that any mail client can handle. In any event I plan to bring this up on the MailScanner list and suggest the default behavior should no longer be handing only a part of the message to SA. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
