Author: Alan J. Flavell Date: To: Exim users list Subject: Re: [exim] DoS attack with nested MIME levels
On Thu, 14 Jul 2005, Michael Haardt wrote:
> > If in fact it's composing these non-delivery reports with non-null
> > envelope senders, then we'd blacklist those envelope senders as being
> > a misuse of mail procedures.
>
> Sure, if it were just one or two.
Well, a regex can be quite effective! Anything that looks
recognisably like bogus anti-virus software can be blocked, before
even trying to scan the mail body.
Seems to me that pretty much anything with antivirus, virusalert,
mailsweeper, virus-check etc. and variants thereof in its
envelope-sender local part are deeply suspect, if they're not
something you already expected (e.g. some kind of related mailing
list), no matter what the envelope-sender domain. However, from what
you say next it appears this isn't the case with the abuses that
you're seeing.
> You got it, the session report plus the original mail are used to
> compose a new mail, _keeping_ the original envelope.
OK, you're saying that the envelope sender itself is not recognisably
an anti-virus product, so that particular avenue is blocked, but often
the mail headers of the offending item (if it's finally being rejected
by your system, then you can expect to find these in your rejectlog)
may well have something characteristic. As there have been no samples
exhibited so far, I can't be more informative...
But why is it sent to your system? That's surely the key, I'd have
thought. Is the envelope sender one of your own addresses, or not?
> Things get as bad as >1000 nested parts, and since half of them are
> message/rfc822, exiscan just goes crazy. And that from various
> hosts, most of them apparently dialup systems.
Myself I really would concentrate on stopping such junk *before* it
has to be scanned, rather than getting into too much detail about how
the scanning is done... OK, just a personal view.
What happens if you defer their delivery attempt? If you can identify
the problem items, and drop their envelope sender into a specific
file, then you could try deferring any further mails that present this
same envelope sender, and see what happens.
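As an added illustration of the two ideas in this reply (rejecting recognisably bogus anti-virus senders by regex on the local part before any scanning, and deferring senders collected in a file), here is an Exim ACL fragment that is not from the original thread; the named list `expected_notifiers` and the path `/etc/exim/deferred-senders` are assumed placeholders.

```exim
# Added example, not from the thread. Assumed: the named list and the
# file path below are local placeholders to adapt to your own setup.
# Notifiers you genuinely expect (e.g. a related mailing list).
addresslist expected_notifiers = postmaster@lists.example.org : \
                                 virusalert@partner.example.net

acl_check_rcpt:
  # Envelope senders already identified as problem items, one address
  # per line in the file, are deferred without the body ever being scanned.
  defer   message   = Temporarily deferred, please try again later
          senders   = /etc/exim/deferred-senders

  # Local parts that look like an anti-virus product are rejected before
  # exiscan runs, unless the sender is null (a genuine bounce) or expected.
  deny    message   = Bogus anti-virus notification rejected
          !senders  = : +expected_notifiers
          condition = ${if match {$sender_address_local_part} \
                        {\N(?i)(anti-?virus|virus-?alert|mailsweeper|virus-?check)\N}}

  # ... the rest of your usual RCPT checks follow here.
  accept
```

Rejections from the deny verb land in the rejectlog, which is where the characteristic headers of the offending items can then be examined.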