Author: Ian FREISLICH Date: To: Michael Haardt CC: exim-users Subject: Re: [exim] DoS attack with nested MIME levels
Michael Haardt wrote: > Hello,
>
> out of the blue, I am getting a bunch of mails with a very deep MIME
> nesting and an "email-info.scr" file inside. Our mailer rejects them,
> but it takes forever and a day to scan it. The whole thing looks like
> a mail loop, because the sending MTA encapsulates the message together
> with the 550 error message from our MTA into a new mail and tries again
> (that's why the nesting gets so deep). Were this a single host, I'd
> block it. But I see that from hosts all over the world.
>
> Any idea what that crap is?
Nope, but we've had something similar a while ago. The way exim
(and clam) unpack the mail leaves a bit to be desired. A 9Mb mail
can use up to 300Mb of disk (or RAM) because of the way it gets
unpacked. And have parts of it scanned multiple times as a result.