Re: [exim] DoS attack with nested MIME levels

Author: Ian FREISLICH
Date:  
To: Michael Haardt
CC: exim-users
Subject: Re: [exim] DoS attack with nested MIME levels
Michael Haardt wrote:
> Hello,
>
> out of the blue, I am getting a bunch of mails with a very deep MIME
> nesting and an "email-info.scr" file inside. Our mailer rejects them,
> but it takes forever and a day to scan it. The whole thing looks like
> a mail loop, because the sending MTA encapsulates the message together
> with the 550 error message from our MTA into a new mail and tries again
> (that's why the nesting gets so deep). Were this a single host, I'd
> block it. But I see that from hosts all over the world.
>
> Any idea what that crap is?


Nope, but we've had something similar a while ago. The way exim
(and clam) unpack the mail leaves a bit to be desired. A 9Mb mail
can use up to 300Mb of disk (or RAM) because of the way it gets
unpacked. And have parts of it scanned multiple times as a result.

Ian

--
Ian Freislich
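
An added illustration, not part of the original message and not Exim's or ClamAV's code: a pre-scan check that measures how many `message/rfc822` layers a mail contains and how many bytes a naive unpacker would write for it. The unpacker model (each enclosed mail dumped in full, then unpacked again), the `MAX_DEPTH` limit and the function names are assumptions, and the sample mail is constructed.

```python
import email
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 8  # assumed local policy limit, not an Exim or ClamAV default


def build_nested(levels: int) -> bytes:
    """Constructed sample: a mail re-wrapped `levels` times, bounce-style."""
    msg = MIMEText("sample line\n" * 1000)
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(MIMEText("550 rejected (constructed sample)"))
        outer.attach(MIMEMessage(msg))
        msg = outer
    return msg.as_bytes()


def measure_nesting(raw: bytes, max_depth: int = MAX_DEPTH):
    """Return (message/rfc822 depth, modelled unpacked bytes, verdict)."""
    deepest = unpacked = 0
    stack = [(email.message_from_bytes(raw), 0)]  # explicit stack, no recursion
    while stack:
        part, depth = stack.pop()
        if part.get_content_type() == "message/rfc822" and part.is_multipart():
            depth += 1
            # Assumed unpacker model: the whole enclosed mail is written out
            # once here, then its parts are unpacked again one level down.
            unpacked += len(part.get_payload(0).as_bytes())
        deepest = max(deepest, depth)
        if part.is_multipart():
            stack.extend((child, depth) for child in part.get_payload())
        else:
            unpacked += len(part.get_payload(decode=True) or b"")
    return deepest, unpacked, "reject" if deepest > max_depth else "scan"


if __name__ == "__main__":
    for levels in (3, 12):
        raw = build_nested(levels)
        depth, unpacked, verdict = measure_nesting(raw)
        print(f"levels={levels} raw={len(raw)} unpacked={unpacked} "
              f"depth={depth} verdict={verdict}")
```

Under this model the innermost mail is written out once per wrapping layer, so the unpacked size grows with depth while the raw size barely changes; checking depth first lets the mail be refused before any content scan starts.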