Justin Edmands wrote:
> We are seeing a few emails that are about 1MB and appear to have
> only a few lines of text. Upon further investigation, the email is in
> HTML with a HUGE commented out part.
I haven't seen any over 1M recently, but these have been a long-running
nuisance here. The latest series don't even have any actual spam
payload; no links, no images (embedded or otherwise), and mostly not
even hitting any IP DNSBLs.

With list assistance I've been using these rules:

full __OVERSIZE_COMMENT m|<!--(?:(?!-->).){32760}|s
body __OVERSIZE_COMMENT_2 eval:html_text_match('comment', '(?s)^(?=.{32760})')
meta OVERSIZE_COMMENT __OVERSIZE_COMMENT || __OVERSIZE_COMMENT_2

Unfortunately due to limitations in Perl's regex engine, you can't
usefully set that length higher (the exact limit depends on the options
your Perl was compiled with - all the systems I checked here are 32K).
You'll get a lint error with the "full" rule, but the body rule offsets
handling the regex deep enough that it will lint but not run.
And mail from Outlook has *also* recently been triggering these. :(
-kgd
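
The rules in the message above stop at 32760 because of the regex quantifier limit it describes. As an added example (not part of the original post and not SpamAssassin code), this Python script measures HTML comment length with a parser instead of a regex, so saved messages can be checked offline against any threshold; the function names and the sample message are constructed for illustration.

```python
# Added example: measure HTML comment sizes in a mail message without a
# regex quantifier, so the 32K ceiling mentioned in the thread does not apply.
from email import message_from_bytes, policy
from html.parser import HTMLParser

THRESHOLD = 32760  # same length the rules in the thread use


class CommentMeter(HTMLParser):
    """Collects the length of every HTML comment and of the visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.comment_lengths = []
        self.text_length = 0

    def handle_comment(self, data):
        self.comment_lengths.append(len(data))

    def handle_data(self, data):
        self.text_length += len(data.strip())


def oversize_comment(raw_message: bytes, threshold: int = THRESHOLD) -> dict:
    """Report the longest comment in any text/html part and whether it hits."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    longest, visible = 0, 0
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        meter = CommentMeter()
        meter.feed(part.get_content())  # transfer encoding and charset decoded
        meter.close()
        longest = max([longest, *meter.comment_lengths])
        visible += meter.text_length
    return {"longest_comment": longest, "visible_text": visible,
            "hit": longest >= threshold}


def build_sample(comment_len: int) -> bytes:
    """Constructed sample: one short visible line plus one padded comment."""
    html = ("<html><body><p>Hello there</p><!--" + "x" * comment_len
            + "--></body></html>")
    return ("From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
            "MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
            + html + "\r\n").encode()
```

Comparing `longest_comment` with `visible_text` also shows the pattern described in the thread: a few lines of text next to a very large comment.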