Operating System - HP-UX
w32\sobig impact on mail servers, clients

W.C. Epperson
Trusted Contributor

Are there any discussions around here about managing the mail server problems from w32\Sobig-F? I can't find any. Virus scanning is pretty cut and dried, but one thing that's curious is that I don't see anyone talking about the side-effect problem of clueless virus scanners sending messages back to the forged From: addresses. I picked off 66,000 of those from 1:00 pm to 10:00pm yesterday, along with 83,000 copies of the virus itself. I normally process about 20-25,000 messages a day. If I weren't removing them from the spool continuously, this would amount to a denial of service because people would have to wade through 3-4 times their normal mail volume to find their "real" mail.
"I have great faith in fools; self-confidence, my friends call it." --Poe
Pete Randall
Outstanding Contributor

Re: w32\sobig impact on mail servers, clients

W.C.

I think you've probably pretty well summed it up! Is there anything else you'd like to discuss about it?

;^)


Pete
W.C. Epperson
Trusted Contributor

Re: w32\sobig impact on mail servers, clients

Remember to take that tongue out of your cheek while you're chewing your lunch, Pete. ;)

I'm interested in whether my experience with this is in proportion to what others have seen, how much impact the "side-effect" messages have had (imagine sending notifications to "From:" addresses on virus messages--they've been 99% forged for a year or two), and what kinds of techniques have been used to manage the side effects. I have a rather ham-handed script that looks for the tell-tale "Re: blah-blah" subject lines in the queue and whisks them to quarantine once per minute. Since I'm also running Sophos mailscanner, there's enough of a delay between sendmail sweeps that I catch most of them.
"I have great faith in fools; self-confidence, my friends call it." --Poe
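A script of the kind W.C. describes, added here as an example (it is not his actual script): it sweeps a sendmail queue directory for control files whose Subject: header is one of the Sobig.F subjects and moves the qf/df pair into a quarantine directory. The subject list is taken from published descriptions of the worm, the queue and quarantine paths are placeholders, and make_sample_queue writes constructed files for a dry run.

```shell
#!/bin/sh
# Added example, not W.C.'s script.  Sweeps a sendmail queue for control files
# (qf*) whose Subject: header is one of the Sobig.F subjects and moves the
# qf/df pair to a quarantine directory.  sendmail holds a lock on a qf while
# delivering it, so run this between queue sweeps, as the post describes.

# Exact Sobig.F subjects (from published descriptions of the worm), anchored
# so that genuine "Re: ..." mail is left alone.  Adjust to what your queue shows.
SOBIG_RE='^H[^:]*Subject: *(Re: (Approved|Details|Re: My details|Thank you!|That movie|Wicked screensaver|Your application)|Thank you!|Your details) *$'

# quarantine_sobig QUEUE_DIR QUARANTINE_DIR
# Moves matching qf/df pairs and prints the number of messages quarantined.
quarantine_sobig() {
    qdir=$1; quar=$2; moved=0
    mkdir -p "$quar"
    for qf in "$qdir"/qf*; do
        [ -f "$qf" ] || continue
        if grep -E -q "$SOBIG_RE" "$qf"; then
            id=${qf##*/qf}            # queue id, e.g. h7LAAA01
            mv "$qf" "$quar/"
            if [ -f "$qdir/df$id" ]; then
                mv "$qdir/df$id" "$quar/"
            fi
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# make_sample_queue DIR: constructed, minimal qf/df files for a dry run.
# One Sobig.F message and one legitimate reply.
make_sample_queue() {
    mkdir -p "$1"
    printf 'V8\nS<forged@example.com>\nH??Subject: Re: Details\n.\n' > "$1/qfh7LAAA01"
    printf 'worm payload placeholder\n' > "$1/dfh7LAAA01"
    printf 'V8\nS<alice@example.com>\nH??Subject: Re: lunch on Friday\n.\n' > "$1/qfh7LAAA02"
    printf 'see you at noon\n' > "$1/dfh7LAAA02"
}
```

Run it from cron once a minute against /var/spool/mqueue and a quarantine directory on the same filesystem so that the mv is a rename rather than a copy.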
Geoff Wild
Honored Contributor

Re: w32\sobig impact on mail servers, clients

I get a lot as well...

For forgeries, add this to your sendmail.cf:

# Subroutine: accept only if the connecting client's hostname contains yahoo.com
SIsYahoo
R$* yahoo.com $*	$@ OK
R$*	$#error $: "550 Access Denied. Forgeries are disallowed."

# Hook called with the envelope sender: for yahoo.com senders, check the client name
SLocal_check_mail
R$* yahoo.com $*	$: $>IsYahoo $&{client_name}


Do that for all you want...see attachment for mine.


Rgds...Geoff


Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Geoff Wild
Honored Contributor

Re: w32\sobig impact on mail servers, clients

What I hate more than anything is the bonehead spammers performing dictionary-like attacks trying to guess email addresses....they relay through open relays with nothing in the "from" field:

Aug 21 10:38:40 myserver1 sendmail[19313]: h7LHceVQ019313: ruleset=check_rcpt, arg1=, relay=pop1.mail.iamworld.net [204.91.241.67], reject=553 5.0.0 ... reject....
Aug 21 10:38:40 myserver1 sendmail[19313]: h7LHceVQ019313: from=<>, size=3106, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=pop1.mail.iamworld.net [204.91.241.67]

I reject all email sent to my domain except for those id's that do exist....

Problem is, it's against the RFC to block from=<>

Sigh....meanwhile, my server wastes cpu cycles....

Rgds...Geoff


Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
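As an added example (not Geoff's setup), a small shell/awk pass over sendmail syslog lines of the kind quoted above: it counts check_rcpt rejections per connecting relay so that a host walking a list of guessed addresses stands out from ordinary typos and bounces. The log lines are constructed with documentation hostnames and addresses, and the threshold is an arbitrary local choice.

```shell
#!/bin/sh
# Added example, not Geoff's setup.  Counts sendmail check_rcpt rejections
# per connecting relay in a syslog file so that a host walking a dictionary
# of guessed addresses stands out from ordinary bounces and typos.

# reject_counts LOGFILE
# Prints "COUNT RELAY" per relay, highest first, for check_rcpt rejections.
reject_counts() {
    awk '/ruleset=check_rcpt/ && /reject=5[0-9][0-9]/ {
            if (match($0, /relay=[^,]*/))
                print substr($0, RSTART + 6, RLENGTH - 6)
         }' "$1" | sort | uniq -c | sort -rn |
    awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c " " $0 }'
}

# suspect_relays LOGFILE THRESHOLD
# Prints the relays with at least THRESHOLD rejections; the threshold is an
# arbitrary local choice, not a sendmail setting.
suspect_relays() {
    reject_counts "$1" | awk -v t="$2" '$1 >= t { sub(/^[0-9]+ /, ""); print }'
}

# make_sample_log FILE: constructed log lines in sendmail's syslog format
# (hostnames and addresses are documentation placeholders).
make_sample_log() {
    cat > "$1" <<'EOF'
Aug 21 10:38:40 myserver1 sendmail[19313]: h7LHceVQ019313: ruleset=check_rcpt, arg1=<aaron@example.com>, relay=relay.example.net [192.0.2.10], reject=553 5.3.0 <aaron@example.com>... User unknown
Aug 21 10:38:40 myserver1 sendmail[19313]: h7LHceVQ019313: from=<>, size=3106, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=relay.example.net [192.0.2.10]
Aug 21 10:38:41 myserver1 sendmail[19314]: h7LHcfVQ019314: ruleset=check_rcpt, arg1=<abbey@example.com>, relay=relay.example.net [192.0.2.10], reject=553 5.3.0 <abbey@example.com>... User unknown
Aug 21 10:38:41 myserver1 sendmail[19315]: h7LHcfVQ019315: ruleset=check_rcpt, arg1=<abbot@example.com>, relay=relay.example.net [192.0.2.10], reject=553 5.3.0 <abbot@example.com>... User unknown
Aug 21 10:38:42 myserver1 sendmail[19316]: h7LHcgVQ019316: ruleset=check_rcpt, arg1=<jsmith@example.com>, relay=mail.example.org [198.51.100.7], reject=553 5.3.0 <jsmith@example.com>... User unknown
Aug 21 10:38:43 myserver1 sendmail[19317]: h7LHchVQ019317: from=<bob@example.org>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
EOF
}
```

The rejections themselves are the right outcome; this only makes the source visible so you can decide whether a relay deserves a temporary access-table entry rather than per-recipient CPU time.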
Pete Randall
Outstanding Contributor

Re: w32\sobig impact on mail servers, clients

W.C.,

Interestingly enough, I usually end up biting my cheek far more than my tongue. Go figure!

I'm somewhat removed from the whole mail process - my network boys have that little bundle of joy to deal with. I can tell you that they run Lotus Notes/Domino and have a dedicated server (running the whole Sweeper suite from Content Technologies) that filters and virus scans everything. My network guy said "about 150 per day this week". Makes me wonder why his count is so much lower than yours.


Pete
W.C. Epperson
Trusted Contributor

Re: w32\sobig impact on mail servers, clients

Pete,

I don't know about your scaling, but we have about 8500 e-mail accounts. On a normal day, I'll have about 200-500 virus "hits" on 20-25K received messages, and reject an additional 5-7K messages for spam characteristics, not counted in the 20-25K.

What's astonished me is the number of mail/firewall admins who have their virus scanners send notifications to what are almost certainly forged addresses. Glad you have "network boys" to handle this for you--I'm the manager, chief technical architect, and lead mental health counselor for 10 people who support everything from desktops to the servers to the ATM switches. And, unfortunately, I understand the TCP/IP application layer protocols and their relationships better than any of them, so I generally end up doing the ad hoc mail combat in a situation like this.
"I have great faith in fools; self-confidence, my friends call it." --Poe