Comments on Saturday 16 May 2009:
Last night I got 100 identical Rolex spams that should obviously have been caught by my spam filter. Some investigation revealed that SpamAssassin running in daemon mode simply ignores any message bigger than 50K. More and more spam has giant image attachments, which puts it over that boundary, and SpamAssassin has been blindly delivering it.
Large messages being delivered regardless of their spammity is obviously not appropriate behaviour. I asked the internet about it, to no avail. The script 'ifspamh' that links qmail and spamc is partly responsible for the behaviour, so I modified it - I didn't want my spam folder filling up with a million giant files either, so I rewrote the script to just silently drop large messages identified (by their first 50 lines) as spam. A small risk - I've not ever missed a message I was expecting, so the spam filter seems pretty safe. I rarely even look at contents of the spam folder, I just empty it.
Mostly I'm just blogging this so that if someone else has the same annoyance, they can use my ifspamh to fix it. I think I've used all the words I was googling for, so anyone with the same issue should find this.
I also recommend spamdyke if your server, like mine, is trying to receive a spam every 2 to 5 seconds. Spamdyke drops about 95% of my spam before the server even finishes receiving it, which reduces the load on resource-hungry SpamAssassin. [12:20]
It turns out, also, that the command "822field" that is supposed to return the value of X-Spam-Flag actually returns the value of that header *and* the header X, concatenated, so instead of equalling "YES" it equals "YES (newline) fhdjksnfbdsfn", which doesn't trigger the appropriate behaviour.
So my ifspamh now also pipes that output through "head -1", thus rejecting any injected header output.
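A stricter form of the same check, as an added example (not the author's ifspamh and not part of mess822): it matches the field name X-Spam-Flag exactly, reads only the header block, and takes the first occurrence, so neither an extra header nor body text can change the result. The helper names `spam_flag`, `is_spam` and `sample_msg` and the sample message are constructed for illustration; folded (multi-line) header values are not handled.

```shell
#!/bin/sh
# Print the value of the first X-Spam-Flag header of the message on stdin.
# Prints nothing if the header block has no such field.
spam_flag() {
    awk '
        /^\r?$/ { exit }                     # blank line: end of headers, stop
        tolower($0) ~ /^x-spam-flag:/ {      # exact field name, any case
            sub(/^[^:]*:[ \t]*/, "")         # strip "X-Spam-Flag:" and padding
            sub(/[ \t\r]+$/, "")             # strip trailing whitespace and CR
            print
            exit                             # first occurrence only
        }
    '
}

# Succeed only when the extracted value is exactly YES.
is_spam() {
    [ "$(spam_flag)" = "YES" ]
}

# Constructed sample: a genuine flag, an extra "X" header like the one
# described above, and a body line imitating a header.
sample_msg() {
    cat <<'EOF'
Received: from mail.example.invalid
X-Spam-Flag: YES
X: fhdjksnfbdsfn
Subject: constructed test message

X-Spam-Flag: NO
EOF
}

# Demo: the multi-line value from the post fails a plain comparison,
# while the strict extraction yields a single clean token.
naive_value=$(printf 'YES\nfhdjksnfbdsfn')
[ "$naive_value" = "YES" ] || echo "naive value does not equal YES"
sample_msg | is_spam && echo "strict check: spam"
```

Because the comparison is against the exact string YES, any unexpected value fails closed to "not spam", so the message still goes through normal delivery rather than being silently dropped.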