Hi,

I have run into a .forward loop mail problem with exim and clamav. We
run exim 4.67 with SpamAssassin 3.2.5 and ClamAV 0.95.3. We also use
the Sane Security signatures with exim.

This issue was so bad we had to remove the SaneSecurity scripts from  
clamav. While this has taken care of the problem for now, it could  
re-occur again. All it would take is someone to send a virus to the  
user involved in this issue.

Backgrounder:

A new faculty from another university (univA) has forwarded his e-mail
from his old university to us (univB). Some of those e-mails are
rejected by exim (univB) as spam (via clamav), and then his old
university (univA) attempts to forward the error message to us and the
loop starts all over again.

It would look something like this.

univA remote mail server running sendmail
univB local mail server running exim, clamav and spamassassin

1 - spam mail -> us...@univa

2 - us...@univa  forwards mail  to  us...@univb

3.0 - univB - clamav detects mail as spam
3.1 - univB -> rejects forward mail back to univA

4 - univA tries to forward status mail (with appended original e-mail)
from step 3 to us...@univb

5 – goto step 3

Oh joy.... fun fun..... :(


How do I stop this mess? Do I dump messages with the header
"Auto-Submitted: auto-generated (failure)"? How do I prevent this from
happening in the future?


Here is an example from the exim reject log. I have a log full of
these. When I checked the exim scan log directory I found about 1061
messages stuck in the loop. I had to stop the clamd process to allow
the load to come down and the queue to clear out.

2009-11-08 04:53:05 1N74SH-0006jF-DC H=(xx.xx.xx) [130.xx.xx.11]  
F=<[email protected]> rejected
after DATA: This message contains a virus (Sanesecurity.Spam.7935.UNOFFICIAL).
Envelope-from: <[email protected]>
Envelope-to: <[email protected]>
P Received: from [130.xx.xx.11] (helo=cs.xx.xx)
         by bronze.cs.yorku.ca with esmtps (TLSv1:AES256-SHA:256)
         (Exim 4.67)
         (envelope-from <[email protected]>)
         id 1N74SH-0006jF-DC
         for [email protected]; Sun, 08 Nov 2009 04:53:05 -0500
P Received: from [82.200.245.25] ([82.200.245.25])
         by xx.xxx.ca (8.13.8/8.13.8) with ESMTP id nA89r3GR005230
         for <[email protected]>; Sun, 8 Nov 2009 04:53:04 -0500 (EST)
   Date: Sun, 8 Nov 2009 04:53:03 -0500 (EST)
I Message-Id: <[email protected]>
F From: VIAGRA (c) Official Store <[email protected]>
T To: [email protected]
   Subject: Dear [email protected] 80% 0FF on Pfizer.
   MIME-Version: 1.0
   Content-Type: text/html; charset="ISO-8859-1"
   Content-Transfer-Encoding: 7bit

and a snippet from the file __rfc822_00001

Return-Path: <mab>
Received: (from m...@localhost)
         by xx.xx.xx (8.13.8/8.13.8) id nB3640Zr017793
         for [email protected]; Thu, 3 Dec 2009 01:04:00 -0500 (EST)
Received: from localhost (localhost)
         by xx.xx.xx (8.13.8/8.13.8) id nB363wMT017367;
         Thu, 3 Dec 2009 01:03:58 -0500 (EST)
Date: Thu, 3 Dec 2009 01:03:58 -0500 (EST)
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
         boundary="nB363wMT017367.1259820238/xx.xx.xx"
Content-Transfer-Encoding: 8bit
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--nB363wMT017367.1259820238/xx.xx.xx

The original message was received at Thu, 3 Dec 2009 01:02:07 -0500 (EST)
from x...@localhost

    ----- The following addresses had permanent fatal errors -----
[email protected]
     (reason: 550 This message contains a virus  
(Sanesecurity.Junk.22572.UNOFFICIAL).)

    ----- Transcript of session follows -----
550 [email protected]... mime8to7: recursion level 21 exceeded
... while talking to xxx.xxx.yorku.ca.:
>>> DATA
<<< 550 This message contains a virus (Sanesecurity.Junk.22572.UNOFFICIAL).
554 5.0.0 Service unavailable

--nB363wMT017367.1259820238/xx.xxx.ca
Content-Type: message/delivery-status

Reporting-MTA: dns; xx.xxx.ca
Arrival-Date: Thu, 3 Dec 2009 01:02:07 -0500 (EST)




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
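
Added example, not part of the original post and not Exim or list code: a Python triage check that recognises the kind of message shown in the `__rfc822_00001` snippet, i.e. an automatic bounce (`Auto-Submitted` per RFC 3834, or a `multipart/report` DSN) that is reporting the receiving server's own scanner rejection. The function names, the `example` addresses and the signature name in the sample are constructed for illustration.

```python
import email

# Rejection text our own scanner returns, as seen in the 550 lines of the post.
OWN_REJECT_TEXT = b"This message contains a virus"

# Constructed sample modelled on the sendmail bounce in the post (not real mail).
SAMPLE_BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@univa.example>
To: user@univa.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="b1"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

--b1

   ----- The following addresses had permanent fatal errors -----
user@univb.example
    (reason: 550 This message contains a virus (Constructed.Sig.1.UNOFFICIAL).)

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; univa.example

--b1--
"""

def is_auto_submitted(msg):
    """RFC 3834: any Auto-Submitted value other than 'no' marks automatic mail."""
    value = str(msg.get("Auto-Submitted", "no")).strip().lower()
    return not value.startswith("no")

def is_dsn(msg):
    """A delivery status notification is multipart/report, report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")

def is_looping_bounce(raw):
    """True when raw is an automatic bounce that reports our own scanner rejection."""
    msg = email.message_from_string(raw)
    if not (is_auto_submitted(msg) or is_dsn(msg)):
        return False
    # Containers return None from get_payload(decode=True); leaf parts return bytes.
    return any(OWN_REJECT_TEXT in (part.get_payload(decode=True) or b"")
               for part in msg.walk())
```

Run over the spooled messages, this separates bounces that are feeding the loop from ordinary automatic mail, which can then be handled differently from first-hand spam.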
