Fwd: Huge header detection

Carlos Horowicz carlos.horowicz at gmail.com
Fri Feb 6 23:36:36 EST 2009


I'm wondering what to do in a live system with may be hundreds of
thousands of these strange e-mails already in users´ mailboxes,

Should imapd be patched so that it just ignores the repetitions , both
when building cyrus.cache and when it returns the headers to a client
? or should imapd really modify the original e-mail by stripping
unnecessary/illegal headers and store a cleaned-up version ?

Regards,

Carlos

On Fri, Feb 6, 2009 at 9:02 PM, Bron Gondwana <brong at fastmail.fm> wrote:
> On Fri, Feb 06, 2009 at 04:34:39PM -0200, Carlos Horowicz wrote:
>> Hi there,
>>
>> postfix author suggested me to post here following issue :
>>
>> we received a spam that bypassed all controls and consisted of a huge
>> header (4M) , repeating these four lines 31.000 times (chaning only
>> the Reply-To):
>>
>> MIME-Version: 1.0
>> Content-type: text/html; charset=iso-8859-1
>> From: Magaly <verano at club.com>
>> Reply-To: fdsafdsafdsa at xxxxxx
>
> Oh yeah!  I just recreated this on my testbed here (copying that and
> appending a number from 1 to 31000 after the address part of the reply
> to)
>
> Gosh!
>
> Here's a segment of the cyrus.cache file:
>
>  (("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly"
> NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.co
> m")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "ver
> ano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Mag
> aly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "cl
> ub.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL
>  "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")
> ("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano
> " "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly
> " NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.
> com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "v
> erano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("M
> agaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "
> club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" N
> IL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com
> ")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "vera
> no" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Maga
> ly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "clu
> b.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL
> "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")(
> "Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>  "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly"
>  NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano" "club.com")("Magaly" NIL "verano"
>
> -rw------- 1 cyrus mail 5446660 Feb  6 17:58 cyrus.cache
>
> That's pretty much all just this one email.
>
> It looks like Cyrus needs not only a "maximum number of headers to cache"
> but a "maximum number of instances of each header"!
>
> Bron.
>


More information about the Info-cyrus mailing list