Re: [exim] DENY versus DISCARD for exiscan

Author: Peter Hicks
Date:  
To: exim-users
Subject: Re: [exim] DENY versus DISCARD for exiscan
On Fri, Oct 29, 2004 at 08:13:02PM +0100, Tim Jackson wrote:
>On 29 Oct 2004, Peter Hicks wrote:
>
>> I recently had a situation where a user had a catch-all setup that was
>> being forwarded to our domain from another server. Needless to say, this
>> account attracted a lot of spam and viruses. Part of our exim.conf file
>> had this in the data acl:
>>
>>   deny  message = $found_extension files are not accepted here
>>          demime = com:vbs:bat:pif:scr
>>
>> This led to a situation where an email with a pif attachment was denied
>> with a 5xx code, and the server that was doing the forwarding sent a
>> bounce to the local account on their machine, which was then forwarded
>> back to our system. The bounce included the original mail as an
>> attachment, so this created a nested attachment. This happened over and
>> over again in an infinite loop, creating an email with hundreds and
>> hundreds of nested attachments.
>
>Surely this means that the remote system was badly misconfigured, because
>when the first bounce that was generated by them was forwarded to you, it
>should have had a null return path. When you rejected it for the second
>time, there should have therefore been nowhere to deliver the "bounced
>bounce" to, and no loop. For there to have been a loop, the remote system
>must somehow be ending up sending the bounce with a non-null sender.
>
>> I have therefore changed the deny to discard.
>
>I think you should get the remote end to fix their broken system, instead
>of breaking yours.
>
>> Are there any unseen ramifications for doing this? Do people have
>> legitimate reasons to send the above attachments? If they do, then it
>> would be nice if they received the error message.
>
>No doubt they do get sent around occasionally, but I should imagine it's
>very rare, especially considering that blocking this sort of stuff has
>been standard on many systems for a long time.
>


That makes sense. I reverted my configuration and sent an email to their
support department, but from what I have read on the net about this
particular hosting provider, I doubt I will see any results.
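
The loop discussed in this thread can be reproduced with a small model. The Python below is an added example, not code from the thread or from Exim: it simulates the forwarding host and the receiving ACL, and compares a bounce sent with a null return path, a bounce sent with a non-null sender, and discard in place of deny. The address catchall@forwarder.example, the dict-based message model and the assumption that the forwarded original carries the local account as its envelope sender are constructed for illustration.

```python
# Constructed model of the bounce loop in this thread; not Exim code.
BLOCKED = {"com", "vbs", "bat", "pif", "scr"}      # extensions from the ACL quoted above
LOCAL_ACCOUNT = "catchall@forwarder.example"       # hypothetical forwarding account


def has_blocked_attachment(msg):
    """True if a blocked extension appears at any nesting depth."""
    while msg is not None:
        if msg["ext"] in BLOCKED:
            return True
        msg = msg["wrapped"]                       # the refused mail inside a bounce
    return False


def depth(msg):
    """Number of bounce layers wrapped around the original mail."""
    n = 0
    while msg["wrapped"] is not None:
        n, msg = n + 1, msg["wrapped"]
    return n


def simulate(null_bounce_sender, action="deny", max_rounds=25):
    """Return (delivery attempts, nesting depth, still_looping)."""
    # Assumption: the forwarded original carries the local account as sender.
    msg = {"sender": LOCAL_ACCOUNT, "ext": "pif", "wrapped": None}
    for attempt in range(1, max_rounds + 1):
        refused = has_blocked_attachment(msg) and action == "deny"
        if not refused:                            # accepted, or silently discarded
            return attempt, depth(msg), False
        if msg["sender"] == "":                    # MAIL FROM:<> : no one to bounce to
            return attempt, depth(msg), False
        # 5xx: forwarder bounces to the sender, wrapping the refused mail; the
        # bounce lands in the local account and is forwarded to us again.
        sender = "" if null_bounce_sender else LOCAL_ACCOUNT
        msg = {"sender": sender, "ext": None, "wrapped": msg}
    return max_rounds, depth(msg), True


if __name__ == "__main__":
    print("null return path :", simulate(True))
    print("non-null sender  :", simulate(False))
    print("discard, not deny:", simulate(False, action="discard"))
```

In the model the nesting depth grows by one per round only when the bounce carries a non-null sender; both the null return path and discard end the exchange, but discard does so by silently dropping the mail.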