Author: Alexander Sabourenkov Date: To: Suresh Ramasubramanian CC: Exim Users Mailing List Subject: Re: 5xx during / after DATA [was Re: [Exim] bouncing viruses]
Hello.
> A couple of questions on this -
>
> Where do you issue a 5xx - after the client is finished with sending DATA,
> or midway through the DATA phase? (happen you are scanning the entire
> message body on the fly in an exim filter and not accepting the whole thing
> and passing it to a virus scanning daemon)
As I mentioned, scanning takes place in local_scan(), that is, on the fly.
Rejection is after client has finished sending data when Exim has to
issue a reply to client's final dot-on-a-line-by-itself.
I haven't seen a virus scanner that can issue a diagnosis midway through input
stream. On the other hand I've encountered false negatives when partially
supplying messages to virus scanner, so I suppose it is quite hard to implement
it that way. For the drweb at least, the protocol for communicating with daemon
is purely simplex (i.e. no way to signal a client to abort data transmission),
and it would take a redesign of protocol for a start.
> What, approximately, would be the number of mails you handle per day on your
> several thousand exims?
Without diving into details I'd estimate 100K messages scanned per day.
You should understand, that while such retries may well have been happening, they haven't
caused problems and so went unnoticed. Hovewer, there were several times when machines on
wide connections were infected, and I must say that the worms could not care less about
server replies to their actions. They just continued to send no matter what.
PS
In fact it is MS Exchanges with underbars in EHLO/HELO that are most annoying with
constant failing retries, as they seem to retry every several minutes with batches
of several tens of connections each time.
