[exim] help: exim, clamav mail forward loop

Author: Paul Griffith
Date:  
To: exim-users
Subject: [exim] help: exim, clamav mail forward loop

Hi,

I have run into a .forward loop mail problem with exim and clamav. We
run exim 4.67 with SpamAssassin 3.2.5 and ClamAv 0.95.3. We also use
the Sane Security signatures with exim.

This issue was so bad we had to remove the SaneSecurity scripts from
clamav. While this has taken care of the problem for now, it could
re-occur again. All it would take is someone to send a virus to the
user involved in this issue.

Backgrounder:

A new faculty from another university (univA) has forwarded his e-mail
from his old university to us (univB). Some of those e-mails are
rejected by exim (univB) as spam (via clamav) and then his old
university (univA) attempts to forward the error message to us and the
loop starts all over again.

It would look something like this.

univA remote mail server running sendmail
univB local mail server running exim, clamav and spamassassin

1 - spam mail -> user1@univA

2 - user1@univA forwards mail to user2@univB

3.0 - univB - clamav detects mail as spam
3.1 - univB -> rejects forward mail back to univA

4 - univA tries to forward status mail (with appended original e-mail)
from step 3 to user2@univB

5 - goto step 3

Oh joy.... fun fun..... :(


How do I stop this mess? Do I dump messages with the header:
Auto-Submitted: auto-generated (failure)? How to prevent this from
happening in the future?


Here is an example from the exim reject log! I have a log full of
these. When I check the exim scan log directory I found about 1061
messages stuck in the loop. I had to stop the clamd process to allow
the load to come down and the queue to clear out.

2009-11-08 04:53:05 1N74SH-0006jF-DC H=(xx.xx.xx) [130.xx.xx.11] F=<mab@???> rejected after DATA: This message contains a virus (Sanesecurity.Spam.7935.UNOFFICIAL).
Envelope-from: <xx@???>
Envelope-to: <xxx@???>
P Received: from [130.xx.xx.11] (helo=cs.xx.xx)
         by bronze.cs.yorku.ca with esmtps (TLSv1:AES256-SHA:256)
         (Exim 4.67)
         (envelope-from <xx@???>)
         id 1N74SH-0006jF-DC
         for xxx@???; Sun, 08 Nov 2009 04:53:05 -0500
P Received: from [82.200.245.25] ([82.200.245.25])
         by xx.xxx.ca (8.13.8/8.13.8) with ESMTP id nA89r3GR005230
         for <xx@???>; Sun, 8 Nov 2009 04:53:04 -0500 (EST)
   Date: Sun, 8 Nov 2009 04:53:03 -0500 (EST)
I Message-Id: <200911080953.nA89r3GR005230@???>
F From: VIAGRA (c) Official Store <mab@???>
T To: xx@???
   Subject: Dear xxx@??? 80% 0FF on Pfizer.
   MIME-Version: 1.0
   Content-Type: text/html; charset="ISO-8859-1"
   Content-Transfer-Encoding: 7bit


and a snippet from the file __rfc822_00001

Return-Path: <mab>
Received: (from mab@localhost)
         by xx.xx.xx (8.13.8/8.13.8) id nB3640Zr017793
         for xxx@???; Thu, 3 Dec 2009 01:04:00 -0500 (EST)
Received: from localhost (localhost)
         by xx.xx.xx (8.13.8/8.13.8) id nB363wMT017367;
         Thu, 3 Dec 2009 01:03:58 -0500 (EST)
Date: Thu, 3 Dec 2009 01:03:58 -0500 (EST)
From: Mail Delivery Subsystem <MAILER-DAEMON@???>
Message-Id: <200912030603.nB363wMT017367@???>
To: xx@???
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
         boundary="nB363wMT017367.1259820238/xx.xx.xx"
Content-Transfer-Encoding: 8bit
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)


This is a MIME-encapsulated message

--nB363wMT017367.1259820238/xx.xx.xx

The original message was received at Thu, 3 Dec 2009 01:02:07 -0500 (EST)
from xx@localhost

    ----- The following addresses had permanent fatal errors -----
xxx@???
     (reason: 550 This message contains a virus (Sanesecurity.Junk.22572.UNOFFICIAL).)


    ----- Transcript of session follows -----
550 xxx@???... mime8to7: recursion level 21 exceeded
... while talking to xxx.xxx.yorku.ca.:

>>> DATA

<<< 550 This message contains a virus (Sanesecurity.Junk.22572.UNOFFICIAL).
554 5.0.0 Service unavailable

--nB363wMT017367.1259820238/xx.xxx.ca
Content-Type: message/delivery-status

Reporting-MTA: dns; xx.xxx.ca
Arrival-Date: Thu, 3 Dec 2009 01:02:07 -0500 (EST)




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
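
The loop in this post is visible in the messages themselves: each pass wraps the previous bounce in a new `multipart/report` carrying `Auto-Submitted: auto-generated (failure)`. The sketch below is an added example, not part of the original post or of exim; it flags such messages and counts how many bounces are nested inside one another. The `univA.example` names, the sample messages and the `LOOP_LIMIT` threshold are assumptions made for illustration.

```python
from email import message_from_string
from email.message import Message

LOOP_LIMIT = 2  # assumed threshold: a bounce that itself carries a bounce


def is_auto_generated(msg: Message) -> bool:
    # RFC 3834: any Auto-Submitted value other than "no" marks automatic mail.
    value = (msg.get("Auto-Submitted") or "no").lower()
    if value.split(";")[0].split("(")[0].strip() != "no":
        return True
    # RFC 3464 delivery status notifications are multipart/report.
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type")).lower() == "delivery-status")


def bounce_depth(msg: Message) -> int:
    """Count auto-generated messages along the deepest attachment chain."""
    own = 1 if is_auto_generated(msg) else 0
    parts = msg.get_payload() if msg.is_multipart() else []
    return own + max((bounce_depth(p) for p in parts), default=0)


def loop_suspect(raw: str) -> bool:
    return bounce_depth(message_from_string(raw)) >= LOOP_LIMIT


def make_dsn(inner: str, n: int) -> str:
    """Constructed sendmail-style DSN wrapping `inner` (sample data only)."""
    b = f"b{n}"
    return (
        "From: Mail Delivery Subsystem <MAILER-DAEMON@univA.example>\n"
        "Auto-Submitted: auto-generated (failure)\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/report; report-type=delivery-status; boundary="{b}"\n\n'
        f"--{b}\nContent-Type: text/plain\n\n550 This message contains a virus\n"
        f"--{b}\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; univA.example\n\n"
        f"--{b}\nContent-Type: message/rfc822\n\n{inner}\n--{b}--\n"
    )


# Constructed samples: the spam, its first bounce, and a bounce of that bounce.
SPAM = "From: sender@example.invalid\nTo: user1@univA.example\nSubject: sample\n\nbody\n"
DSN1 = make_dsn(SPAM, 1)
DSN2 = make_dsn(DSN1, 2)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("dsn1", DSN1), ("dsn2", DSN2)):
        print(name, bounce_depth(message_from_string(raw)), loop_suspect(raw))
```
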