Re: [exim] DoS attack with nested MIME levels

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Michael Haardt
Data:  
Para: exim-users
Assunto: Re: [exim] DoS attack with nested MIME levels
> If in fact it's composing these non-delivery reports with non-null
> envelope senders, then we'd blacklist those envelope senders as being
> a misuse of mail procedures.


Sure, if it were just one or two. You got it, the session report plus
the original mail are used to compose a new mail, _keeping_ the original
envelope. Things get as bad as >1000 nested parts, and since half of
them are message/rfc822, exiscan just goes crazy. And that from various
hosts, most of them appearantly dialup systems.

I have no idea if malware tries to bypass scanners by hitting their
limits until they stop scanning, or if there is some new popular, but
broken, software.

Michael