2629 – Spam DOS Attack (excessive headers)

Bug 2629 - Spam DOS Attack (excessive headers)

Summary: Spam DOS Attack (excessive headers)

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	2.60
Hardware:	All All

Importance:	P5 normal
Target Milestone:	3.0.0
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	3208
	Show dependency tree

Reported:	2003-10-25 19:57 UTC by Robert J. Accettura
Modified:	2004-03-23 12:51 UTC (History)
CC List:	0 users

Attachment	Type	Modified	Status	Actions	Submitter/CLA Status
Sample	text/plain			None	Robert J. Accettura
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert J. Accettura 2003-10-25 19:57:45 UTC

Coming is an attachment of an email using a pretty effective technique.  Massive
listing of headers to defeat spamassassin.  Grinding my computer to a halt for a
few moments... but evading spamassassin.

Perhaps a rule for excessive sized headers would be in order?  Not sure, just
speculating, perhaps someone has a good idea for this.  This is bad, because
it's an easy workaround for a spammer.

Comment 1 Robert J. Accettura 2003-10-25 20:00:16 UTC

Created attachment 1508 [details]
Sample

Sample email that completely evaided SpamAssassin (very easy for a spammer to
do).  Puts excessive load on the server, but still gets through.

Comment 2 Keith Ivey 2003-10-26 15:00:20 UTC

How did it evade SA?  Do you have a timeout for the SA processing, or a limit on
the size of messages that get passed to SA?  I just ran it through spamassassin
-D from the command line and got "hits=4.0 required=6.0
tests=BLANK_LINES_70_80,OPT_HEADER,RCVD_IN_NJABL,RCVD_IN_SORBS,SUBJ_ALL_CAPS". 
It did take a while, though (and a fair amount of the CPU).

I'm not sure it's really such an easy workaround for the spammers.  The message
was 280 kB, just to send a URL.  Bloating all their messages to that extent will
slow down the sending rate considerably.  I'd imagine such messages cause
problems for some mail clients as well (does Outlook handle them okay?), so that
would cut down on the response rate.

Still, worth looking into.

Comment 3 Robert J. Accettura 2003-10-26 15:06:32 UTC

I'm not sure what got it.  I'm using pop3proxy.pl.  SO DNSBL is disabled. 
Meaning some of those points wouldn't hit it anyway.

I'm thinking it would be wise for SpamAssassin to just read the headers of large
emails.  Excessive CC's or BCC's such as this, should get a value.  Or perhaps
just excessively long header's (over 10k perhaps).  I don't think any legitimate
email has headers like this.  I only see this on spam.

It's a good way to evade Spam Filters.  Not so bad for sending.  Even if it were
slightly smaller.  Remember spammers can use multiple servers... servers are
relatively cheap these days.  Getting mail past filters is worth the extra cost.


Perhaps SA could check if mail is to big, and if it is, just work off the
headers up to that certain point.  Then tally points based on that.

Comment 4 Keith Ivey 2003-10-26 17:58:55 UTC

The version of pop3proxy.pl I used to use skips messages larger than 250,000
bytes -- look for $max_scan_size and the comments related to it.  That would
explain why this message wasn't analyzed.  It's nothing to do with headers in
particular, just the total size of the message.

And it's a pop3proxy.pl parameter, not anything in SpamAssassin.  So this isn't
really a bug report but an enhancement suggestion.

Comment 5 Justin Mason 2004-03-23 21:51:09 UTC

I think WONTFIX on this one