On 15 Jul 2015, at 16:12, Zinski, Steve wrote:

We're starting to see a lot of spam in the 800KB to 1.2MB size range. I’m running MIMEdefang and it’s configured to skip messages larger than 100KB (and I hesitate to increase the limit due to performance issues). I read somewhere that there’s a way to have MIMEdefang (or spamassassin) strip out the non-text portions of the e-mail and scan. Can anyone help me set this up or point me in the right direction? Thanks!

http://lists.roaringpenguin.com/mailman/listinfo/mimedefang may get you to a set of users who have a known-good solution. There's some overlap with this list but it certainly isn't complete.

It is possible to have MD do careful surgery on the MIME structure of a message and leave only the text part(s) and then reinitialize the SA testing object with the excised message, but I don't have working code for that. The last time I did anything substantial in my mimedefang-filter related to SA testing I was a mumbling lunatic for a week, so I will pass on trying a Q&D implementation for you (although it is something I'd kinda like myself...) and that's a good thing.

An alternative that has worked well for me is to use MD as a gatekeeper for more subtle policies on large files than most MTAs can directly provide. If $Sender is from a domain whose putative users have a history of sending bloated spam, I reject anything big outright. If the file has a double extension (other than .tar.gz and a few other exemptions) or any of a long list of extensions that map to common Windows malware vectors I reject the mail outright from anywhere except a handful of trusted senders OR is sent to a handful of careful users who have asked for exemptions and know the risks. Those approaches might not fit your environment (scale being an issue...) but since MD's 'configuration file' is really just a pile of Perl subroutine implementations, you don't need to focus solely on the SA linkage to sniff out spam. For example, I don't need SA scanning to know that if a live.com sender is claimed for a message coming from a yahoo.com SMTP client and it has 3 lines of text and a 350KB attachment, nobody wants that mail.

FINALLY: keep in mind that MD's defaults and warnings about performance of SA scanning of large messages have changed little (none?) in a decade. Typical memory and processor specs on servers have. It's probably still wise to have a limit on size passed to SA, but it probably doesn't need to be 100k. Again, your scale needs to be taken into account, but I have limits at 200k for "sewer rats" and 500k for everyone else, and I can't see any sign of that choking a very modest server when big things do get scanned.
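The gatekeeper approach described in the reply (outright rejection of big mail from known-bad sender domains, double/dangerous extensions blocked except for trusted senders or opted-in recipients, and a per-class size cap before SA is invoked), written out as an added example of a mimedefang-filter fragment in Perl. It is not the list poster's code: the domain, extension and address lists, the thresholds and the helper names are all constructed; `$Sender`, `@Recipients`, `%Features`, `action_bounce`, `spam_assassin_check` and `action_change_header` are the globals and functions mimedefang.pl provides to the filter.

```perl
# Added example of a policy fragment for mimedefang-filter; not the list
# poster's code. Globals ($Sender, @Recipients, %Features) and functions
# (action_bounce, spam_assassin_check, action_change_header) come from
# mimedefang.pl; every list, threshold and helper name below is constructed.
use strict;
our ($Sender, @Recipients, %Features);

# Sender domains with a history of bloated spam ("sewer rats"): constructed.
my %rat_domains = map { $_ => 1 } qw(rat.example bulk-sender.example);
# Extensions that are common Windows malware vectors, and archive double
# extensions that are exempt from the double-extension rule.
my $bad_exts  = qr/\.(?:exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|wsf|hta|cpl)$/i;
my $ok_double = qr/\.tar\.(?:gz|bz2|xz)$/i;
my %trusted_senders = map { $_ => 1 } qw(partner@trusted.example);
my %exempt_recips   = map { $_ => 1 } qw(malware-lab@ours.example);

# Addresses arrive as "<user@domain>"; strip the brackets and lower-case.
sub bare   { my $x = lc shift; $x =~ s/^<(.*)>$/$1/; return $x }
sub domain { return (split /\@/, bare(shift))[-1] // '' }

sub filter_begin {
    my ($entity) = @_;
    # Reject anything big outright from "sewer rat" domains.
    if ($rat_domains{domain($Sender)} && (-s "./INPUTMSG") > 100 * 1024) {
        action_bounce("Large messages from this domain are not accepted");
    }
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    my $double = $fname =~ /\.[^.\s]{1,4}\.[^.\s]{1,4}$/ && $fname !~ $ok_double;
    return unless $double || $fname =~ $bad_exts;   # nothing suspicious
    # Allow only from trusted senders, or when every recipient has opted in.
    return if $trusted_senders{bare($Sender)};
    return if @Recipients && !grep { !$exempt_recips{bare($_)} } @Recipients;
    action_bounce("Attachment '$fname' is not accepted");
}

sub filter_end {
    my ($entity) = @_;
    return unless $Features{"SpamAssassin"};
    # SA size cap per sender class: 200k for rats, 500k for everyone else.
    my $limit = $rat_domains{domain($Sender)} ? 200 * 1024 : 500 * 1024;
    return if (-s "./INPUTMSG") >= $limit;
    my ($hits, $req, $names, $report) = spam_assassin_check();
    action_change_header("X-Spam-Score", "$hits ($req) $names");
    action_bounce("Rejected as spam") if $hits >= $req + 5;   # constructed margin
}
```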
