Author: Marilyn Davis
Date:
To: exim-users
Subject: Re: [exim] DoS attack with nested MIME levels

> > Michael Haardt wrote:
> > Hello,
> >
> > out of the blue, I am getting a bunch of mails with a very deep MIME
> > nesting and an "email-info.scr" file inside. Our mailer rejects them,
> > but it takes forever and a day to scan it. The whole thing looks like
> > a mail loop, because the sending MTA encapsulates the message together
> > with the 550 error message from our MTA into a new mail and tries again
> > (that's why the nesting gets so deep). Were this a single host, I'd
> > block it. But I see that from hosts all over the world.
> >
> > Any idea what that crap is?
>
> Nope, but we've had something similar a while ago. The way exim
> (and clam) unpack the mail leaves a bit to be desired. A 9Mb mail
> can use up to 300Mb of disk (or RAM) because of the way it gets
> unpacked. And have parts of it scanned multiple times as a result.

Can anyone suggest a more efficient virus scanner?
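
The nesting problem described in this thread, as an added example that is not part of the original messages and is not Exim or ClamAV code: a check that measures MIME nesting depth and stops at a limit, so a re-encapsulated bounce chain can be refused before every layer is unpacked and scanned. `MAX_DEPTH`, the function names and the sample message are assumptions made for the illustration.

```python
import email

MAX_DEPTH = 8  # assumed policy limit, not a value taken from the thread


def mime_depth(raw: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest MIME nesting level, giving up once it exceeds limit."""
    # Note: this still parses the message once in memory; what it avoids is
    # writing each layer out and handing each one to the scanner again.
    msg = email.message_from_bytes(raw)
    deepest = 0
    stack = [(msg, 1)]  # explicit stack, so hostile input cannot exhaust recursion
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth > limit:
            return deepest  # early exit: the verdict is already known
        # is_multipart() is true for multipart/* and for message/rfc822,
        # whose payload is a one-element list holding the wrapped message.
        if part.is_multipart():
            stack.extend((child, depth + 1) for child in part.get_payload())
    return deepest


def too_deep(raw: bytes, limit: int = MAX_DEPTH) -> bool:
    """True when the message should be refused without a full scan."""
    return mime_depth(raw, limit) > limit


def build_bounce_chain(levels: int) -> bytes:
    """Constructed sample: one message re-wrapped as message/rfc822 `levels` times."""
    raw = b"Subject: original\r\nContent-Type: text/plain\r\n\r\nbody\r\n"
    for i in range(levels):
        header = b"Subject: bounce %d\r\nContent-Type: message/rfc822\r\n\r\n" % i
        raw = header + raw
    return raw


if __name__ == "__main__":
    for levels in (3, 20):
        sample = build_bounce_chain(levels)
        print(levels, "wraps -> depth", mime_depth(sample), "reject:", too_deep(sample))
```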