Re: [exim] DoS attack with nested MIME levels

Author: Michael Haardt
Date:  
To: exim-users
Subject: Re: [exim] DoS attack with nested MIME levels
> out of the blue, I am getting a bunch of mails with a very deep MIME
> nesting and an "email-info.scr" file inside. Our mailer rejects them,
> but it takes forever and a day to scan it. The whole thing looks like
> a mail loop, because the sending MTA encapsulates the message together
> with the 550 error message from our MTA into a new mail and tries again
> (that's why the nesting gets so deep). Were this a single host, I'd
> block it. But I see that from hosts all over the world.


Apparently, exiscan offers nothing to count the nesting depth of
messages. MIME parts are counted per rfc822 message, but you can
limit the total amount like this:

  deny    set acl_c1 = ${eval: $acl_c1+1}
          message = "Too many attachments"
          condition = ${if >= {$acl_c1}{200}{1}{0}}


That suffices to let the machines breathe again, while not hurting
regular users.

Tom, if you read this: How about something like mime_nesting_depth and
mime_total_count? I am sure many people want to limit both using ACLs,
once the crap above hits them.

Michael
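
Added example, not part of the original message and not Exim code: a stand-alone Python sketch of the two per-message numbers the post asks for, nesting depth and total part count, counted across message/rfc822 encapsulation instead of per rfc822 message. The function names, the depth limit of 10 and the sample bounce loop are assumptions made for illustration; only the 200-part threshold comes from the ACL above.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_PARTS = 200   # threshold used in the ACL above
MAX_DEPTH = 10    # assumed value; the post gives no depth limit

def mime_stats(raw):
    """Return (deepest container nesting, total number of MIME parts)."""
    root = message_from_bytes(raw, policy=policy.default)
    deepest, total = 0, 0
    stack = [(root, 0)]              # explicit stack, no recursion in the walker
    while stack:
        part, depth = stack.pop()
        total += 1
        deepest = max(deepest, depth)
        # is_multipart() is true for multipart/* and for message/rfc822,
        # so the count crosses encapsulated messages instead of restarting.
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.get_payload())
    return deepest, total

def verdict(raw):
    """Apply both limits and return the decision as a string."""
    depth, total = mime_stats(raw)
    if depth > MAX_DEPTH:
        return "deny: MIME nesting too deep"
    if total >= MAX_PARTS:
        return "deny: too many attachments"
    return "accept"

def build_bounce_loop(levels):
    """Constructed sample: a mail wrapped `levels` times in a bounce."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("original body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="email-info.scr")
    for _ in range(levels):
        outer = EmailMessage()
        outer["Subject"] = "Undeliverable mail"
        outer.set_content("550 rejected")
        outer.add_attachment(msg)    # becomes a message/rfc822 part
        msg = outer
    return msg.as_bytes()

if __name__ == "__main__":
    for n in (0, 4, 5, 20):
        raw = build_bounce_loop(n)
        print(n, mime_stats(raw), verdict(raw))
```

In this constructed loop each bounce adds two nesting levels and three parts, so the depth limit trips after five bounces while the total part count is still far below 200.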