Fwd: Huge header detection

Ian Eiloart iane at sussex.ac.uk
Mon Feb 9 05:24:38 EST 2009



--On 7 February 2009 02:36:36 -0200 Carlos Horowicz 
<carlos.horowicz at gmail.com> wrote:

> I'm wondering what to do in a live system with maybe hundreds of
> thousands of these strange e-mails already in users' mailboxes.
>
> Should imapd be patched so that it just ignores the repetitions, both
> when building cyrus.cache and when it returns the headers to a client?
> Or should imapd really modify the original e-mail by stripping
> unnecessary/illegal headers and store a cleaned-up version?

It shouldn't be modifying messages. It should handle such messages 
elegantly. Ignoring repetitions (beyond a threshold of repeats) seems the 
most sensible option. However, failing to report them to a client could 
cause confusion, so a threshold should be reasonably high. Of course some 
headers are supposed to have multiple instances...

Alerting the system administrator to the existence of such bogus messages 
seems like a good idea, too. Perhaps through the logging system.

If you don't want a particular message in the system, then it should not be 
accepted by LMTP or by any IMAP message creation mechanism.

> Regards,
>
> Carlos
>
> On Fri, Feb 6, 2009 at 9:02 PM, Bron Gondwana <brong at fastmail.fm> wrote:
>> On Fri, Feb 06, 2009 at 04:34:39PM -0200, Carlos Horowicz wrote:
>>> Hi there,
>>>
>>> The Postfix author suggested that I post the following issue here:
>>>
>>> we received a spam that bypassed all controls and consisted of a huge
>>> header (4M), repeating these four lines 31.000 times (changing only
>>> the Reply-To):
>>>
>>> MIME-Version: 1.0
>>> Content-type: text/html; charset=iso-8859-1
>>> From: Magaly <verano at club.com>
>>> Reply-To: fdsafdsafdsa at xxxxxx
>>
>> Oh yeah!  I just recreated this on my testbed here (copying that and
>> appending a number from 1 to 31000 after the address part of the reply
>> to)
>>
>> Gosh!
>>
>> Here's a segment of the cyrus.cache file:
>>
>> -rw------- 1 cyrus mail 5446660 Feb  6 17:58 cyrus.cache
>>
>> That's pretty much all just this one email.
>>
>> It looks like Cyrus needs not only a "maximum number of headers to cache"
>> but a "maximum number of instances of each header"!
>>
>> Bron.
>>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
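
The approach discussed in this thread (leave the stored message untouched, cache only a bounded number of instances of each header name, and log an alert when the bound is exceeded) can be sketched as follows. This is an added example, not Cyrus code and not from any poster in the thread; `scan_headers`, `scan_sample`, `struct hdr_scan`, `MAX_NAMES` and the threshold values are hypothetical, and the `fprintf` stands in for a syslog call.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_NAMES 64   /* distinct header names tracked (assumed limit) */
struct hdr_scan { int total, cached, skipped; };

/* Walk the header block (up to the first empty line) and cap the instances
 * of each header name that would be cached. The message is never modified. */
struct hdr_scan scan_headers(const char *msg, int max_per_name)
{
    const char *names[MAX_NAMES], *next;
    size_t lens[MAX_NAMES];
    int counts[MAX_NAMES], nnames = 0, i;
    struct hdr_scan r = {0, 0, 0};
    for (const char *p = msg; *p && *p != '\r' && *p != '\n'; p = next) {
        const char *eol = strchr(p, '\n');
        next = eol ? eol + 1 : p + strlen(p);
        const char *colon = memchr(p, ':', (size_t)(next - p));
        size_t len = colon ? (size_t)(colon - p) : 0;
        /* Folded continuation lines and lines without a name are not fields. */
        if (*p == ' ' || *p == '\t' || len == 0)
            continue;
        for (i = 0; i < nnames; i++)   /* header names are case-insensitive */
            if (lens[i] == len && !strncasecmp(names[i], p, len))
                break;
        if (i == nnames && nnames < MAX_NAMES) {   /* first sighting */
            names[i] = p; lens[i] = len; counts[nnames++] = 0;
        }
        r.total++;
        if (i < nnames && ++counts[i] <= max_per_name) r.cached++;
        else r.skipped++;              /* over the cap, or name table full */
    }
    if (r.skipped)   /* stand-in for a syslog alert to the administrator */
        fprintf(stderr, "header flood: %d instances not cached\n", r.skipped);
    return r;
}

/* Constructed sample: the four header lines from the report, repeated. */
struct hdr_scan scan_sample(int repeats, int max_per_name)
{
    static char buf[1 << 16];
    size_t n = 0;
    for (int k = 0; k < repeats && n < sizeof buf - 256; k++)
        n += (size_t)snprintf(buf + n, sizeof buf - n, "MIME-Version: 1.0\r\n"
            "Content-type: text/html; charset=iso-8859-1\r\n"
            "From: Magaly <verano at club.com>\r\nReply-To: x%d at xxxxxx\r\n", k);
    snprintf(buf + n, sizeof buf - n, "\r\nbody\r\n");
    return scan_headers(buf, max_per_name);
}
```

With 100 repetitions and a cap of 10 per name, `scan_sample(100, 10)` reports 400 header fields, 40 of them within the cap and 360 skipped. The same counter could back a reject decision at LMTP delivery time instead of a cache limit.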