Author: Michael Haardt
Date:
To: exim-users
Subject: Re: [exim] DoS attack with nested MIME levels
> If in fact it's composing these non-delivery reports with non-null
> envelope senders, then we'd blacklist those envelope senders as being
> a misuse of mail procedures.

Sure, if it were just one or two. You got it, the session report plus
the original mail are used to compose a new mail, _keeping_ the original
envelope. Things get as bad as >1000 nested parts, and since half of
them are message/rfc822, exiscan just goes crazy. And that from various
hosts, most of them apparently dialup systems.

I have no idea if malware tries to bypass scanners by hitting their
limits until they stop scanning, or if there is some new popular, but
broken, software.
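
Added example, not part of the original post and not exiscan code: a depth-capped walk over a parsed message that reports how deep the MIME tree goes and how many message/rfc822 parts it carries, so a filter can refuse a message like the one described above instead of descending into every part. The limit of 20, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes

MAX_DEPTH = 20  # assumed policy limit, not a value from the post


def build_nested(levels: int) -> bytes:
    """Constructed sample: wrap a plain mail `levels` times, each time as a
    'session report' multipart that carries the previous mail as message/rfc822."""
    msg = b"From: a@example.invalid\r\nSubject: original\r\n\r\nhello\r\n"
    for i in range(levels):
        bnd = b"lvl%04d" % i  # unique boundary per level
        msg = (
            b"From: mailer@example.invalid\r\n"
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="' + bnd + b'"\r\n\r\n'
            b"--" + bnd + b"\r\nContent-Type: text/plain\r\n\r\nsession report\r\n"
            b"--" + bnd + b"\r\nContent-Type: message/rfc822\r\n\r\n"
            + msg + b"\r\n--" + bnd + b"--\r\n"
        )
    return msg


def nesting_profile(raw: bytes, max_depth: int = MAX_DEPTH):
    """Return (deepest_level_seen, rfc822_parts_seen, exceeded).

    The walk uses an explicit stack and stops at the first part found below
    max_depth, so the counts are partial when exceeded is True.
    """
    root = message_from_bytes(raw)
    stack = [(root, 0)]
    deepest = rfc822_parts = 0
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth > max_depth:
            return deepest, rfc822_parts, True
        if part.get_content_type() == "message/rfc822":
            rfc822_parts += 1
        # multipart/* and message/rfc822 both expose their children as a list
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.get_payload())
    return deepest, rfc822_parts, False


if __name__ == "__main__":
    for n in (0, 3, 15):
        print(n, nesting_profile(build_nested(n)))
```

Each wrap adds two levels (the multipart container and the embedded message), so 15 wraps already exceed the assumed limit.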