[exim-dev] Exim from mailnull by local "Auto-Submitted: auto…

Author: Tony Marques
Date:  
To: exim-dev
Subject: [exim-dev] Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing
I don't operate or have experience with Exim, but I've noticed a
problem with several different Exim mail servers (one 4.50, several
4.41 and probably other versions). Perhaps someone can look at this
and determine if it is a bug in Exim.

A virus spoofing my domain will send a message to an Exim server, which
will initially accept the message but later try to bounce it because
it finds the illicit .scr/.pif/.exe attachment, the mailbox is full,
there is no such user, or some other problem. So now the Exim
server generates and sends a bounce to my server, which detects the
illicit attachment or forgery and responds with either a

after DATA "."
554 5.7.1 Message cannot be accepted, virus found

after RCPT TO: fake@???
550 5.1.1 fake@??? User unknown; rejecting

Here is the problem: the Exim servers will try to resend the message
(ignoring the 55x errors) every two hours for 2 or 3 days. The
bounce's message-id, date, other headers, and the quoted forgery all
demonstrate that the multiple bounces are caused by a single message
and the multiples are a result of a problem with Exim not
acknowledging my server's 55x responses. Normally this problem
wouldn't be noticed as bounces aren't normally seen.

Can someone determine if this is a current bug or when it was fixed
and under what conditions it exists? I presume all MAIL FROM: <>
should be deleted or forwarded to a badmail mailbox after being rejected
with a 55x error and not remain in the outgoing queue.


If it helps, I've noticed from the headers of the quarantined messages
that these bounces all have...

Received: from mailnull by xxxxxxxxxxxxx with local (Exim 4.xx)
X-Failed-Recipients: forged@yyyyyyyyyyy
Auto-Submitted: auto-generated


Here is the header from one of the 27 identical messages recently
bounced from the one Exim 4.50 server I've encountered with this
problem...

Received: from bob.xstreamhost.com ([69.72.225.186])
        by mail.agate.ca (mmmMail) with ESMTP (SSL) id GNA74607
        for <info@???>; Sun, 05 Jun 2005 07:08:03 -0700
Received: from mailnull by bob.xstreamhost.com with local (Exim 4.50)
    id 1DedQo-0007nX-LM
    for info@???; Sat, 04 Jun 2005 11:31:38 -0700
X-Failed-Recipients: info@???
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon@???>
To: info@???
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DedQo-0007nX-LM@???>
Date: Sat, 04 Jun 2005 11:31:38 -0700
X-AntiAbuse: This header was added to track abuse, please include it
    with any abuse report
X-AntiAbuse: Primary Hostname - bob.xstreamhost.com
X-AntiAbuse: Original Domain - forged.dom
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - 
X-Source: 
X-Source-Args: 
X-Source-Dir: 


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  info@???
    This message has been rejected because it has
    a potentially executable attachment "your_letter.pif"


------ This is a copy of the message, including all the headers. ------

Return-path: <info@???>
Received: from [24.84.217.133] (port=1152 helo=croogstudios.com)
    by bob.xstreamhost.com with esmtp (Exim 4.50)
    id 1DedQh-0007nK-TT
    for info@???; Sat, 04 Jun 2005 11:31:38 -0700
From: info@???
To: info@???
Subject: Re: Your letter
Date: Sat, 4 Jun 2005 11:33:58 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0008_00003597.00002991"
X-Priority: 3
X-MSMail-Priority: Normal
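
Added example (not part of the original post, and not Exim code): a receiving-side check for the pattern described above, where the same bounce (MAIL FROM:<>, same Message-Id) is offered again after it has already been answered with a 5xx reply. The log line format, hostnames and Message-Ids are constructed for the example; adapt the regular expression to your own MTA's log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed receiver-side log lines (assumed format, not any real MTA's):
# timestamp, connecting peer, envelope sender, Message-Id, SMTP reply sent.
SAMPLE_LOG = """\
2005-06-04T11:32:10 peer=mx1.example.net from=<> msgid=<E1AAAAA-0000aa-AA@mx1.example.net> reply=554 5.7.1 Message cannot be accepted, virus found
2005-06-04T11:40:00 peer=mx2.example.net from=<> msgid=<E1BBBBB-0000bb-BB@mx2.example.net> reply=550 5.1.1 User unknown; rejecting
2005-06-04T12:00:00 peer=mx3.example.net from=<> msgid=<E1CCCCC-0000cc-CC@mx3.example.net> reply=451 4.3.0 Try again later
2005-06-04T13:32:10 peer=mx1.example.net from=<> msgid=<E1AAAAA-0000aa-AA@mx1.example.net> reply=554 5.7.1 Message cannot be accepted, virus found
2005-06-04T14:00:00 peer=mx3.example.net from=<> msgid=<E1CCCCC-0000cc-CC@mx3.example.net> reply=451 4.3.0 Try again later
2005-06-04T15:32:10 peer=mx1.example.net from=<> msgid=<E1AAAAA-0000aa-AA@mx1.example.net> reply=554 5.7.1 Message cannot be accepted, virus found
2005-06-04T16:00:00 peer=mx4.example.net from=<user@example.org> msgid=<abc123@example.org> reply=550 5.1.1 User unknown; rejecting
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer=(?P<peer>\S+) from=<(?P<sender>[^>]*)> "
    r"msgid=(?P<msgid><[^>]+>) reply=(?P<code>\d{3})\b"
)


def repeated_after_permanent_reject(log_text):
    """Map (peer, msgid) -> sorted timestamps for null-sender messages that
    received a 5xx reply more than once, i.e. were re-offered after a
    permanent rejection. 4xx replies are ignored: retrying those is normal."""
    rejected = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sender"] != "":
            continue  # only bounces, which use the null sender MAIL FROM:<>
        if m["code"].startswith("5"):
            key = (m["peer"], m["msgid"])
            rejected[key].append(datetime.fromisoformat(m["ts"]))
    return {k: sorted(v) for k, v in rejected.items() if len(v) > 1}


def summarize(repeats):
    """Return (peer, msgid, attempts, shortest retry gap in seconds) rows."""
    rows = []
    for (peer, msgid), stamps in sorted(repeats.items()):
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        rows.append((peer, msgid, len(stamps), int(min(gaps))))
    return rows


if __name__ == "__main__":
    for row in summarize(repeated_after_permanent_reject(SAMPLE_LOG)):
        print("%s re-offered %s: %d attempts, min gap %ds" % row)
```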