Author: Peter Hicks
Date:
To: exim-users
CC: Odhiambo G. Washington
Subject: Re: [exim] [OT] Emergency!!! Is anyone else getting this virus/worm?
On Tue, Nov 16, 2004 at 12:11:18PM +0300, Odhiambo G. Washington wrote:
<snip> >
>In my case, the mail was coming in as an NDR (Non Delivery Report) from
>addr.com (several of their MXes) to some local user on my systems. I
>would see the mail in the queue on one of my MXes and it was 1.9MB.
>The configuration on this MX (for the virus scanner) is the same as the
>one on the server that does the local deliveries. The only difference
>between the two servers is the version of Clamav. Since scanning happens
>on both servers, I still don't see how the same mail was not bombing the
>secondary MX during the scanning, and not doing the same on the box that
>does the deliveries.
>The clue would lie anywhere, but maybe in Clamav!
I had the exact same problem with addr.com. We have a user that is
forwarding email from an addr.com account, and a virus was forwarded.
Exim returned a 550, and their mail server generated a bounce to the
local account, which was then forwarded. The bounce did not contain a
null return path, and included the original email as an attachment. This
bounce was then rejected with a 550, creating a mail loop with an
increasing level of attachments. At one point there were over a thousand
attachments before I had to manually intervene.
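
The loop described above can be recognised from the message itself. The following is an added example, not part of the original post and not Exim configuration: it counts how deeply message/rfc822 attachments are nested and flags auto-generated mail that arrives with a non-null envelope sender. The addresses, the `Auto-Submitted` header on the sample bounces, the `max_depth` limit and the "hold" policy are all assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def rfc822_depth(msg):
    """Length of the deepest chain of message/rfc822 parts nested in msg."""
    if not msg.is_multipart():
        return 0
    own = 1 if msg.get_content_type() == "message/rfc822" else 0
    return own + max((rfc822_depth(p) for p in msg.get_payload()), default=0)


def is_auto_generated(msg):
    """True if the message declares itself a bounce or other auto-reply."""
    if msg.get_content_type() == "multipart/report":  # RFC 3464 DSN
        return True
    return (msg.get("Auto-Submitted") or "no").strip().lower() != "no"  # RFC 3834


def verdict(envelope_sender, raw, max_depth=3):
    """Classify one incoming message; max_depth is an assumed local limit."""
    msg = message_from_bytes(raw, policy=policy.default)
    if rfc822_depth(msg) > max_depth:
        return "hold"      # park for the operator; a 550 would feed the loop
    if envelope_sender and is_auto_generated(msg):
        return "suspect"   # bounce that arrived with a non-null return path
    return "accept"


def build_bounce_chain(rounds):
    """Constructed sample: wrap a message in `rounds` successive bounces."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@forwarder.example"
    msg.set_content("constructed body standing in for the infected mail\n")
    for _ in range(rounds):
        bounce = EmailMessage()
        bounce["From"] = "postmaster@forwarder.example"
        bounce["Subject"] = "Undeliverable mail"
        bounce["Auto-Submitted"] = "auto-replied"
        bounce.set_content("Delivery failed: 550\n")
        bounce.add_attachment(msg)  # previous round travels as message/rfc822
        msg = bounce
    return bytes(msg)


if __name__ == "__main__":
    for n in (0, 1, 5):
        print(n, verdict("postmaster@forwarder.example", build_bounce_chain(n)))
```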