[exim] Exim OOMing on 800K spam messages

Author: Russell King
Date:  
To: exim-users
Subject: [exim] Exim OOMing on 800K spam messages
Hi,

I've recently started having a problem with exim causing the machine
it's running on to OOM on some emails - of around 800K. I know this
machine can normally accept messages of up to around 8MB or so
usually without problems.

My exim logs show:

2007-11-10 06:25:39 H=out01.wanadoo.es [62.36.20.201] I=[78.32.30.218]:25
Warning: RBL: warn: (johnalfred@??? listed at abuse.rfc-ignorant.org)
2007-11-10 06:25:53 1Iqjmm-0002fp-80 H=out01.wanadoo.es [62.36.20.201]
I=[78.32.30.218]:25 Warning: bad content type: text/html

which are produced by my ACLs. No other log lines are produced before
the OOM.

When the OOM occurs, I have a single file in the exim spool directory
(e.g., 1Iqjmm-0002fp-80-D, being the message body) and the unmime'd
message in the scan directory, containing some 80 or so attachments
most of which contain lots of blank lines and a bit of text in the
middle. The mime headers for each attachment are:

--eresmas.com_dam31.wnet_197d7378a2378829a24c9b41bf2be669
Content-Type: text/html; name="LatinMailAttach"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment

I suspect the sheer quantity of attachments is causing exim to gobble
up all available VM - I have no way to obtain any data or proof of that.
(stracing exim for 24 hours waiting for their next attempt is not going
to be nice given the huge quantities of spam already hitting the server.)

The question is how to stop this happening. One short-term solution
would be to block the sender, but I suspect that if one spammer's
started this approach, more will eventually follow.

--
Russell King
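
Added example, not part of the original post and not Exim code: a Python sketch that profiles a saved message body offline, counting MIME parts, their content types and the share of blank lines, which is the kind of evidence the post says is hard to obtain from the live server. The function names, the boundary string and the sample body are constructed for illustration; it assumes a single-level multipart whose boundary the caller supplies from the message's Content-Type header.

```python
from collections import Counter

def make_sample(parts=80, blank=200, boundary="example_boundary_0001"):
    """Constructed body: many text/html parts that are mostly blank lines."""
    part = (f"--{boundary}\r\n"
            'Content-Type: text/html; name="LatinMailAttach"\r\n'
            "Content-Transfer-Encoding: quoted-printable\r\n"
            "Content-Disposition: attachment\r\n\r\n"
            + "\r\n" * (blank // 2) + "<p>some text</p>\r\n"
            + "\r\n" * (blank // 2))
    return (part * parts + f"--{boundary}--\r\n").encode("ascii")

def profile_body(body: bytes, boundary: str) -> dict:
    """Count parts, content types and blank content lines in one pass."""
    delim = b"--" + boundary.encode("ascii")
    types, parts, lines, blank = Counter(), 0, 0, 0
    in_part = in_headers = False
    for raw in body.split(b"\n"):
        line = raw.rstrip(b"\r")
        stripped = line.rstrip()
        if stripped == delim:              # opening delimiter: new part
            parts += 1
            in_part = in_headers = True
            continue
        if stripped == delim + b"--":      # closing delimiter: epilogue follows
            in_part = False
            continue
        if not in_part:                    # preamble / epilogue, ignored
            continue
        if in_headers:
            if line == b"":
                in_headers = False         # blank line ends the part headers
            elif line.lower().startswith(b"content-type:"):
                value = line.split(b":", 1)[1].split(b";", 1)[0]
                types[value.strip().lower().decode("ascii", "replace")] += 1
            continue
        lines += 1
        blank += not line.strip()          # whitespace-only lines count as blank
    return {"parts": parts, "types": dict(types), "body_bytes": len(body),
            "blank_ratio": blank / lines if lines else 0.0}

if __name__ == "__main__":
    print(profile_body(make_sample(), "example_boundary_0001"))
```

Run against a copy of the spooled body file, a profile showing dozens of parts with a blank ratio near 1.0 matches the message shape described in the post.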