On 14 Mar 2015, at 15:17, Robert Schetterer wrote:
[...]
Am 14.03.2015 um 17:55 schrieb David F. Skoll:
[...]
I can't answer for Kevin, but what we do is this: For oversize
messages, we remove non text/* attachments. If they're still
oversize, we truncate the text/plain parts. If they're still
oversize, we truncate the text/html parts. We do this very
carefully
with MIME::tools to ensure that SpamAssassin always sees a valid
MIME
message and not (for example) one with a missing boundary.
We use MIMEDefang for SpamAssassin integration, so we can play
whatever
tricks we like with the data that gets passed to SpamAssassin
without
actually messing with the original message.
[...]
Ok, but big spam mails are extrem rare, i wouldnt invest time in that
Not true in all contexts.
The majority of user-reported uncaught spam messages on a system I
manage in the past 6 months are ones that have bypassed SA filtering
because they were oversize. I've actually invested some time in
mitigating this problem because users want a fix more than they want
anything else about spam-filtering changed on that system. Despite using
MD I had not thought of David's approach, instead I have used less
scalable approaches of enforcing other rules on large mail that suit the
system in question (e.g. varying hard limits on message size based on
sender domain.) I now intend to supplement that with selective MIME
dismemberment ahead of filtering.
