"B. Cook" wrote:
> I'm trying to figure out why this is happening..
>
> 5240 daemon: -q15m, listening for SMTP on port 25 (IPv4)
> 12317 handling incoming connection from (smtp3.landam.com)
> [206.211.124.16]:28424 I=[127.0.0.1]:25 id=1GxRF0-0003Cf-Al
> 35228 handling incoming connection from (mail.co.dutchess.ny.us)
> [64.72.67.130]:32280 I=[127.0.0.1]:25 id=1GxPk3-0009AC-3D
> 49158 handling incoming connection from (ms-smtp-04.rdc-nyc.rr.com)
> [24.29.109.8]:54683 I=[127.0.0.1]:25 id=1GxRAl-000Cms-0n
> 85796 handling incoming connection from (imr-d02.mx.aol.com)
> [205.188.157.40]:57622 I=[127.0.0.1]:25 id=1GxRDb-000MJo-Hp
> 90577 handling incoming connection from (mail.suss.com)
> [12.152.229.226]:37691 I=[127.0.0.1]:25 id=1GxREr-000NYv-Q1
>
> [/var/spool/exim/scan]# 65 > du -sh *
> 29M 1GxPk3-0009AC-3D
> 514K 1GxRAl-000Cms-0n
> 72M 1GxRDb-000MJo-Hp
> 6.1M 1GxREr-000NYv-Q1
> 20K 1GxRGq-000CTd-FD

This is why I turned MIME decoding off in exim. If there are nested
MIME containers, each extracted container will become a file on disk.
The decoding process isn't clever enough to figure out that it's
just a deeply nested structure with the payload in the leaf container.
The largest I've seen a MIME-bomb of this nature get is several
gigabytes (from a several megabyte mail).

Better to let clamd process the containers in memory and blow up
on its resource limits. In my experience it will do this much more
quickly than exim will take to extract the mail to disk.

Ian
--
Ian Freislich
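
The in-memory approach described in the reply above, sketched as an added example that is not part of the original post and is not exim or clamd code: it walks the MIME tree without extracting anything to disk and rejects the message at the first exceeded limit. The names `audit_mime`, `build_nested` and `LimitExceeded` and the limit values are assumptions made for this sketch.

```python
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

class LimitExceeded(Exception):
    """Raised as soon as the message crosses one of the audit limits."""

def audit_mime(raw, max_depth=8, max_parts=200, max_decoded=25 * 2**20):
    """Walk the MIME tree in memory and stop at the first exceeded limit.

    The limit values are assumptions for this sketch; nothing is written to disk.
    """
    stats = {"parts": 0, "max_depth": 0, "decoded_bytes": 0}
    stack = [(email.message_from_bytes(raw), 1)]
    while stack:
        part, depth = stack.pop()
        stats["parts"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise LimitExceeded(f"nesting depth {depth} > {max_depth}")
        if stats["parts"] > max_parts:
            raise LimitExceeded(f"more than {max_parts} MIME parts")
        if part.is_multipart():
            # multipart/* and message/rfc822 both expose their children as a list
            stack.extend((child, depth + 1) for child in part.get_payload())
        else:
            # Count the decoded leaf size (base64/quoted-printable undone)
            stats["decoded_bytes"] += len(part.get_payload(decode=True) or b"")
            if stats["decoded_bytes"] > max_decoded:
                raise LimitExceeded(f"decoded payload > {max_decoded} bytes")
    return stats

def build_nested(depth):
    """Constructed sample: one short text leaf wrapped in `depth` containers."""
    inner = MIMEText("leaf payload")
    for _ in range(depth):
        outer = MIMEMultipart("mixed")
        outer.attach(inner)
        inner = outer
    return inner.as_bytes()

if __name__ == "__main__":
    print(audit_mime(build_nested(3)))
    try:
        audit_mime(build_nested(20))
    except LimitExceeded as exc:
        print("rejected:", exc)
```

Because the walk raises on the first violation, a deeply nested message is refused after a handful of parts instead of after every container has been unpacked.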