Anyone getting increased spam or worms



Scott Coffelt
09-09-2003, 11:23 PM
I have loaded all the patches and run all of the virus software, my system is clean, clean, clean... but I still keep getting bunches of emails that I know are part of the sobig.f or whatever else worm.

So, every day, sometimes multiple times a day, I add the senders to the block sender list. Some get caught, others are new... Heck, just tonight I bet I just dumped 12 emails within the last hour.

What else do I need to be doing to stop this? :mad: :mad: :mad:

Mark Patoka
09-09-2003, 11:28 PM
Yes, I've also noticed a big increase the last two days where previously I hadn't really been hit. Had over 100 just tonight.

Paul Kunkel
09-10-2003, 12:09 AM
But we get no viruses and very little spam. The few are caught by the spam filter. There are some nice deals on G4 Macs now that the G5s are out. End your worries! :D

Lee Schierer
09-10-2003, 9:34 AM
About 3 weeks ago I got 50 on two consecutive days. Then nothing until yesterday when I got about a dozen and one more today so far! Virus software nabbed them coming in the door so it is no big deal except you have to delete them!

Aaron Koehl
09-10-2003, 9:35 AM
I have loaded all the patches and run all of the virus software, my system is clean, clean, clean... but I still keep getting bunches of emails that I know are part of the sobig.f or whatever else worm.

So, every day, sometimes multiple times a day, I add the senders to the block sender list. Some get caught, others are new... Heck, just tonight I bet I just dumped 12 emails within the last hour.

What else do I need to be doing to stop this?

Yes, the Sobig virus is a nasty one for network administrators. It essentially causes infected computers to send out the virus to every email address it finds on the system. (Windows systems only)

This essentially amounts to a denial of service attack, as mail servers are being inundated with these (albeit small) messages; even filtering them can be somewhat of a problem, filling up logs, etc.

Here are the most common subject lines being sent by the Sobig virus:

Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Of course, these are loose, as sometimes they include multiple layers of Re: Re: Re:..

One (somewhat) drastic measure is to apply a blanket filter on these subject lines/Sobig emails, instantly deleting them. The measure should also include sending a message back to the sender, notifying them that their message was not delivered, so that legitimate senders may have a chance to change the subject lines. This is best achieved at the network level, and not in the email client.

_Aaron_
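The loose subject-line match Aaron describes, written out as an added example (not code from this thread or from any product mentioned in it): a small Python classifier that strips any number of leading "Re:" layers before comparing a subject against the listed ones. It goes one step beyond the post by also checking for the .pif/.scr attachment types Sobig.F carried, so a common legitimate subject such as "Re: Approved" on its own is only marked suspect rather than deleted; the sample messages are constructed, and build_sample is a helper of this example.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subject lines the post above lists for Sobig.F, exactly as given there.
SOBIG_SUBJECTS = ["Re: Details", "Re: Approved", "Re: Re: My details",
                  "Re: Thank you!", "Re: That movie", "Re: Wicked screensaver",
                  "Re: Your application", "Thank you!", "Your details"]
# Extensions Sobig.F used for its executable attachment (added signal, not from the post).
WORM_EXTENSIONS = (".pif", ".scr")
_RE_LAYERS = re.compile(r"^(?:\s*re\s*:)+\s*", re.IGNORECASE)

def normalize_subject(subject):
    # Drop every leading "Re:" layer, then fold case and whitespace, so that
    # "Re: Re: Re: Details" matches the listed "Re: Details" (the loose match the post describes).
    return " ".join(_RE_LAYERS.sub("", subject or "").split()).lower()

_KNOWN = {normalize_subject(s) for s in SOBIG_SUBJECTS}

def subject_matches(subject):
    return normalize_subject(subject) in _KNOWN

def worm_attachments(raw):
    # Filenames of every MIME part whose extension matches the worm's payload types.
    return [p.get_filename() for p in message_from_string(raw).walk()
            if p.get_filename() and p.get_filename().lower().endswith(WORM_EXTENSIONS)]

def classify(raw):
    # Two independent signals: "worm" when both fire, "suspect" on one, else "clean".
    # Classification only: Sobig forged its sender addresses, so any automatic reply
    # would reach an uninvolved third party; what to do with a match is left to the server.
    subj = subject_matches(message_from_string(raw).get("Subject", ""))
    hits = worm_attachments(raw)
    verdict = "worm" if subj and hits else "suspect" if subj or hits else "clean"
    return {"subject_match": subj, "attachments": hits, "verdict": verdict}

def build_sample(subject, attachment=None):
    # Constructed test message (not a real capture) with an optional attachment;
    # MIMEApplication's Name parameter is what get_filename() falls back to.
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg.attach(MIMEText("See the attached file for details."))
    if attachment:
        msg.attach(MIMEApplication(b"MZ", Name=attachment))
    return msg.as_string()
```

Run against build_sample("Re: Re: Re: Wicked screensaver", "wicked_scr.scr") the verdict is "worm"; with only the subject it is "suspect".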

Jim Becker
09-10-2003, 10:29 AM
What else do I need to be doing to stop this? :mad: :mad: :mad:

There is nothing you can do about this aside from some form of filtering at the server side as Aaron mentions. I do stop virtually all of these messages from reaching my PC as I screen my email with MailWasher Pro, but I still have to handle them in a sense.

I have a friend who is getting close to 400 of these PER DAY...his business email address is apparently widely distributed and in a bunch of address books on infected machines.

The interesting thing about Sobig is that it really is designed to be a mechanism for distributing spam...quite effective, I might add.

Brad Schafer
09-10-2003, 11:26 AM
i can't offer much help w/ curing the disease, but i generally am able to avoid most spam by keeping a couple of email addresses. one is a "legitimate" account - i use it for direct communication with people i "know"/trust.

the other is an address i use when a web site requires "registration" of some sort. i haven't been getting any sobig crud in this one, but i do get mail about 5 times a day from "security@microsoft.com" telling me to install the attached (critical) patch.

i scan the junk account once a day and usually mass-delete. the good account almost never gets garbage.

if your ISP allows you to have multiple email addrs (like mine does), you might consider a good/garbage setup.


b

Jim Becker
09-10-2003, 11:43 AM
Brad brings up a good point about creative email account management. I, too, use multiple email addresses. Specifically, I have one I use for shopping or other "registrations" that might be targets for harvesting, as well as some others I use for specific purposes that are trackable.

One thing I've observed is that large ISP accounts are more prone to spam than private domains. Much of the reason for that is the popular technique of just bombarding the world with every iteration of a potential username for a given ISP domain. As an example, my AT&T account (that I only maintain at this point because I have my father using it and I pay for it so he doesn't have to) is a real spam magnet, despite BrightMail, etc. The reason? Mass emailers are targeting any possible username that has "becker" in it, as well as "your" last name. They just write a program to crank out those email addresses and ignore the bounces for invalid ones. One solution is to use a more cryptic user name, but that's not usually "recommended" by the ISPs when they first sign you up...and changing the primary address on an account is often impossible without closing the account.

I have less of a problem with my private domain. Any spam I get on accounts there is usually from "harvesting" from online postings and folks selling the address when I inadvertently use it to communicate with a vendor, etc. There are ways to mask this on your own web sites, but the spammers are getting more creative at their harvesting anyway. I may actually switch to a form-based email contact arrangement on my own site to totally remove even the "masked" address from my site. I really like the forum system used here at SMC as it prevents harvesting while allowing us all to communicate with folks we "know", too.

As far as the worms and viruses...some of them are being sent to harvested addresses, but the majority seem to be from address books of folks who inadvertently let their computers get infected, sometimes through no fault of their own, but usually because they have not taken precautions on a regular, ongoing basis or from opening an attachment that should not have been opened. The PC sellers aren't helping either...a friend of mine just bought a brand new name-brand PC. The virus protection installed on it was two versions behind (like two years old) and the definitions were dated September 2002. He, not being computer savvy, had no idea why he got a virus on his machine...after all, he had a virus protection program! Sheesh...