Re: [Exim] bouncing viruses

On Sun, 16 Feb 2003, Alan J. Flavell wrote:

> I'm much happier with the idea of recognising it at SMTP time,
> refusing to accept it, and leaving any further action to the peer MTA
> (or whatever it really is, sometimes a direct-to-MX client) outside of
> my responsibility.

I have been asked (in individual email) what to do if the sender
reacts to this by repeatedly re-trying to send the item, which might
be some massive virus?

Well, I think that question might be of interest to the list in
general.

My own reaction would be that this is just another kind of
denial-of-service situation, and if it seemed to be sufficiently
prevalent then I have no doubt that exim 4 could be tailored to deal
with it. It's not something that's shown up at our modest operation as
a practical issue - unlike the dictionary scanner attacks, which have
been a pesky nuisance, and against which I have mounted some kind of
defence.

Note that smtp_ratelimit_* facilities don't help if the DoS consists
of repeated SMTP connections: that rate limit is only effective within
an individual SMTP call. But if you can identify the abuse situation
that is of concern to you, within an ACL, then you can have exim write
some data (calling IP, message-id, whatever seems appropriate) to a
file, and you can subsequently look-up that file and base further
actions on it. Needs to be done with care, though, or one can easily
shoot oneself in the foot (would that be called a "double denial of
service" situation? :-} ).

all the best