Re: [ietf-smtp] [Shutup] Compressing SMTP streams

2016-02-08 19:23:28
On Mon, Feb 8, 2016 at 5:10 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

As for the security implications, I won't pretend that I know enough there
to be a good judge, though it's also not clear to me that we should
immediately shy away from this since there may be dragons there.

Someone pointed out this could be bad news for spam filtering.  At
this point, it's typical to partly or completely skip the filtering on
very large messages, partly for efficiency, partly because it's not
cost effective for spammers to send lots of giant messages.

But imagine a compressed spam that consists of the payload followed by
a very large image consisting of 50MB of the same byte.  With zlib
compression, that 50MB will compress down to 50KB, so now it's easy
for spammers to send. (If your maximum message size is less than 50MB,
substitute that in, the result doesn't change much.) When you consider
the extra load on the spam filters the compression might not be such a
great tradeoff.  I suppose you could invent new heuristics that score
against highly compressible messages, but who knows how they'd game

We've already gone through phases of image spam, PDF spam, PowerPoint spam,
many of which were quite a bit larger than regular spam messages.

I guess one could disable compression against unknown/low reputation/low
volume IPs in that case.

It seems to me any "break out" spam like this is typically short lived, as
filters adjust and then it becomes a small niche or goes away entirely as
too much trouble for no real gain.
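
Added example, not part of the original message or written by either poster: a receiver that inflates a zlib-compressed message in bounded chunks and stops once the inflated size or the expansion ratio passes a limit, so a highly compressible body like the one described above is cut off before the filter sees 50MB. The function names, the limit values and the sample message are assumptions made for illustration.

```python
import zlib

MIB = 1024 * 1024

def inflate_bounded(data, max_out=10 * MIB, max_ratio=100.0,
                    ratio_floor=MIB, chunk=64 * 1024):
    """Inflate a zlib stream in chunks; stop as soon as a limit trips.

    Returns (status, bytes_inflated); status is "ok", "too_large",
    "ratio" or "truncated". All limits are illustrative assumptions.
    """
    d = zlib.decompressobj()
    pending, total = data, 0
    while not d.eof:
        out = d.decompress(pending, chunk)   # at most `chunk` bytes out
        pending = d.unconsumed_tail          # input zlib has not read yet
        if not out and not pending and not d.eof:
            return "truncated", total        # input ran out mid-stream
        total += len(out)
        if total > max_out:
            return "too_large", total
        consumed = len(data) - len(pending)
        # Skip the ratio test on small outputs, where it is noisy.
        if total >= ratio_floor and total / consumed > max_ratio:
            return "ratio", total
    return "ok", total

def constructed_padded_message(pad_bytes=50 * MIB):
    """Constructed sample: short text followed by one repeated byte."""
    c = zlib.compressobj()
    parts = [c.compress(b"Subject: constructed sample\r\n\r\nhello\r\n")]
    block = b"\x00" * MIB
    for _ in range(pad_bytes // MIB):
        parts.append(c.compress(block))
    parts.append(c.flush())
    return b"".join(parts)

if __name__ == "__main__":
    wire = constructed_padded_message()
    print("bytes on the wire:", len(wire))
    print("bounded inflate:", inflate_bounded(wire))
```

The status value can feed a score or a reject decision; the receiver never holds more than one chunk past the limit in memory.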

