Alex wrote:
> What settings do people typically have these days for the maximum
> scanned message size? Surprisingly, at least to me, I'm seeing spam in
> the 650k and 700k range, at least a few per hour, and they are not scanned.
>
> Does anyone have any suggestions for optimizing the process for spam
> containing just a large image that would therefore bypass the typical
> scanning? Should I be scanning messages that large, then?

Depends on your available CPU resources. If you always have a low load average, you can scan larger messages. My production deployment is such a workhorse that I've got it set to 1.1MB.

My general advice is that since many spammers will check against a default SA scan before blasting out their messages, you want something slightly larger than whatever the default is (actually, in the event that it has changed between versions, something slightly larger than the largest default SA has ever shipped with).

Maybe somebody who knows the innards better can comment on how quickly and efficiently SA can ignore non-text attachments (for those of us who don't try to decode word documents and PDFs or use OCR on images).

Wasn't some earlier version of SA capable of scanning just the /first/ [size] of an email? Probably harder to implement within MIME, but some control to internally truncate remaining pieces (for scanning only, like the pseudo-headers) would allow scanning beyond the size limit.
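
The scan-only truncation idea from the reply above, as an added example that is not part of the original post and is not SpamAssassin code. It assumes a pre-filter in front of the scanner; `scan_view`, `budget` and the sample message are hypothetical and constructed here.

```python
import email
from email import policy
from email.message import EmailMessage


def scan_view(raw: bytes, budget: int):
    """Build a reduced, scan-only view of a message; the delivered copy is untouched.

    Returns (headers, text, skipped):
      headers - all top-level headers, kept in full
      text    - decoded text/* bodies, cut off after `budget` bytes in total
      skipped - (content_type, decoded_size) for each non-text leaf part
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    chunks, skipped, left = [], [], budget
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() != "text":
            # Record type and size so a rule can still fire on "huge lone image".
            skipped.append((part.get_content_type(), len(payload)))
            continue
        piece = payload[:left]
        left -= len(piece)
        try:
            chunks.append(piece.decode(part.get_content_charset("utf-8"), "replace"))
        except LookupError:  # charset label the codec registry does not know
            chunks.append(piece.decode("latin-1"))
    return msg.items(), "".join(chunks), skipped


# Constructed sample: a short text body plus a ~700 kB image attachment.
_m = EmailMessage()
_m["From"] = "sender@example.com"
_m["To"] = "rcpt@example.net"
_m["Subject"] = "Limited offer"
_m.set_content("Limited offer, see the attached image.")
_m.add_attachment(b"\x89PNG" + b"\0" * 700_000, maintype="image",
                  subtype="png", filename="offer.png")
SAMPLE = _m.as_bytes()

if __name__ == "__main__":
    headers, text, skipped = scan_view(SAMPLE, 64 * 1024)
    print(len(SAMPLE), "bytes on the wire;", len(text), "characters to scan")
    print("skipped parts:", skipped)
```

The headers and text portion come to a few hundred bytes even though the message on the wire is over 900 kB after base64 encoding, so a view like this stays under any scanner size limit while still exposing the attachment's type and size.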