It appears that someone is exploiting a PHP script on one of my domains from multiple geographical locations (mostly from Asia, according to the raw access log). They are using some sort of buffer underrun to inject code into the script to send email bombs using SMTP via the localhost mail user. Each message has many email addresses in the To: field, and although the messages are not large, they will degrade the performance of the server once several dozen of them have accumulated, since Exim tries to process them. This causes the CPU to spike, and eventually it is difficult to get into WHM or open an SSH shell. Twice now I have had to rapid reboot, log in, kill the spawning Exim processes, stop the Exim service and clear the mail queue. I have corrected the flaw in the offending script, but how can I write an ACL in Exim to prevent a message from being sent that has over a certain number of addresses listed in the To: field, to prevent the messages from entering the queue? Can this be done with mod_security?
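An added configuration sketch, not part of the original post: two ways Exim can refuse a message with too many recipients at SMTP time, before it reaches the queue. The limit of 20 and the ACL name `acl_check_rcpt` are assumptions, and both checks count envelope recipients (RCPT commands) rather than parsing the To: header text.

```exim
# --- main configuration section ---
# Constructed example; 20 is an assumed limit, tune it to the
# largest legitimate recipient list the server has to accept.

# Option 1: global cap on envelope recipients per message.
recipients_max = 20
# Give a permanent 552 to surplus RCPT commands instead of the
# default temporary 452, so the sender does not simply retry.
recipients_max_reject = true

# Option 2: the same limit as an ACL rule, which allows a custom
# rejection message and log line. acl_check_rcpt is an assumed
# name; use whichever ACL acl_smtp_rcpt already points to.
acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ---
begin acl

acl_check_rcpt:
  # $rcpt_count holds the number of RCPT commands received for
  # the current message. Place this rule ahead of any accept.
  deny    message     = Too many recipients in one message
          log_message = recipient limit exceeded ($rcpt_count RCPT commands)
          condition   = ${if >{$rcpt_count}{20}}

  # ... the existing RCPT rules continue here unchanged ...
```

On a WHM-managed server the Exim configuration is generated by the control panel, so the settings have to be entered through its Exim configuration editor rather than by editing the generated file directly.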