Literally, Mega-Spam. I just got a spam with 1MB of images.
My suggestion has been made before, but I would like to ask that it now be taken a bit more seriously. SA needs an option to allow efficient 'partial' scanning of large e-mails, so that, for example, we can peform all the valuable header checks, and maybe even scan for URIBL hits within the first few hundred K of the body?
Is it possible (and easy!) to set a flag that tells SA to stop testing aganist the body when it reaches a certain byte count.... Or perhaps, if I understand the docs correctly, most rules only trigger on textual message parts anyway, so by simply disabling 'full' rules and possbily 'rawbody', we could get the desired result without too much of a processing hit?
- C
