On 6/8/05, Tim Jackson <lists@???> wrote:
> On Tue, 7 Jun 2005 19:27:08 -0700
> Tony Marques <tymes10@???> wrote:
>
> > An Exim server should only try to send two messages after which it
> > should stop -- freezing (or whatever) the first message and the
> > generated bounce.
>
> As others have said, I've never seen Exim exhibit bad behaviour like
> you're describing. Exim definitely doesn't keep retrying after 5xx
> errors. Whilst there's always the possibility of a bug, I'm pretty sure
> it would have been picked up by now considering the huge deployment and
> long history of Exim.
People on this list, people that know how to configure Exim and
rewrite and recompile Exim, probably don't have this
"ignore_bounce_errors" parameter set and probably aren't operating
open relays or doing any number of other bad things. Unfortunately,
it seems this isn't a bug that can be fixed -- it's humans, we should
get rid of them all.
> However, can I point out an alternative suggestion. Exim is
> incorporated into at least one (and probably more) "control panel"
> products (Cpanel), where at least some parts of the system are pre-
Yeah, I considered as much.
> There are two things I would note about this:
>
> a) This seems more likely given that you are complaining about bogus
> virus bounces and similar (which are indeed a PITA - see
> http://www.timj.co.uk/linux/bogus-virus-warnings.cf ). Well- configured
> Exim machines don't spew crap like this out. And "well- configured" in
Well, I can imagine situations where a user with a full mail box
recieves a legitimate notification or a list message which they can't
reply to that would initiate this behavior. If they were on a
misconfigured server, it would try to send a bounces repeatedly
despite being told not to with 55x errors. Nothing bogus.
I too was forced to incorporate bogus filters years ago. Errors we
intercept that seem to be virus related get "550 We couldn't have sent
the virus" responses (I only wish server/filter software everywhere
used MAIL FROM <> and "Content-Type:
multipart/report...report-type=delivery-status headers" exclusively).
This filter is one of the reasons why I was able to find all these
Exim examples. If you have a comprable filter you too may be able to
find your own examples, but you 55x them and may not keep them so you
wouldn't see this -- you have a properly configured Exim and you
reject examples.
Other people may see 20 rejected messages and assume that it wasn't
the server that sent 20 rejections, but that the virus sent them 20
viruses causing those 20 messages. Other people have servers that
accept all messages either normally or through a backup-mx that will
try to forward it to the main server so there is only one bounce from
the Exim server and everything works according to spec. Most of the
time there are no bounces or there are bounces to legitimate
addresses. I can easily imagine this problem going unnoticed for a
long time.
Last month with Sober.P and a server that exploded the 52 RCPT TO so
it sent out 52 responses, I found myself very annoyed. I could have
used that server and the email address I found to mailbomb all my
enemies.
> b) More pertinently, the example you cited in an earlier mail did
> indeed exhibit signs of being a "pre-configured" machine. Here goes
Yes, but I mainly used bob.xstreamhost.com as an example because it
was recent, and because it had the latest version of Exim I found. I
wouldn't want to be here complaining about Exim 3.34 -- even fewer
people would take this seriously.
In the list, 3 of the 20 machines didn't have X-AntiAbuse headers so
this may be the fault of Cpanel or a similar control panel or plug in.
I can certainly blame control panels and server operators. It isn't
Microsoft's fault if nobody knows how to configure Windows securely.
Thank's everyone for helping me try to get to the bottom of this. It
may not be a bug, but it does seem to be stupid, and from my
experience it is not uncommon and it doesn't reflect well on Exim.
