Sobig afterthoughts

Jeff A. Earickson jaearick at COLBY.EDU
Fri Aug 22 00:17:54 IST 2003


Hi,

   I too have noticed that certain remote infected machines pound on
my mail server more than others.  I have my system procmail set up
to drop MailScanner's virus reports into /var/mail/v/virii for me.
What I have been doing every few hours to this file is:

grep "^IP Address:" /var/mail/v/virii | sort | uniq -c | sort -nr -k1 | head -20

which gives me a list of virus-sending IP sites, sorted by number of
times sent.  Then I simply add these sites to my ipfilter list, and
block them at port 25.  This is an emergency measure; I don't plan on
blocking these numbers long-term.  It helps somewhat.

Sobig-f first hit our site about 6 AM EST on Tuesday.  One machine
at MIT hit us more than 900 times in the first 4 hours before I
blocked it out!  Yikes.  Thank god MailScanner works so beautifully,
killing pif attachments even before Sophos and Clam put out IDEs for
Sobig-f.  I'm glad we upgraded our server this summer too.

--- Jeff Earickson
    Colby College


On Thu, 21 Aug 2003, Tony Johansson wrote:

> Date: Thu, 21 Aug 2003 21:43:20 +0100
> From: Tony Johansson <tony.johansson at SVENSKAKYRKAN.SE>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Sobig afterthoughts
>
> Hello,
>
> While afterthoughts might be misleading as we still get lots of viruses, it
> may still be an appropriate title.
>
> The site I manage normally receives about 10.000 emails per day. With Sobig
> we (so far) have gotten over 50.000 infected messages in about 72 hours. We
> have two MailScanners that both cope with the load with no problems.
> (thanks Julian!)
>
> Now for the thoughts. As we had no problems with incoming email, I didn't
> really dig into where all these viruses came from. Today curiosity got the
> better of me and I did a little research on the mail logs. While viruses
> came from a wide range of addresses, one particular address was responsible
> for over 10.000 viruses over 48 hours. I checked and it was still active,
> still sending us viruses.
>
> The machine was on a local (Swedish ISP) and was totally exposed to the
> internet, I could even view its netbios name. I was pretty surprised that I
> could "net send" a popup message to the machine, telling the person sitting
> at it that it perhaps would be a good idea to get some anti-virus going. I
> was even more surprised that the machine went offline only seconds after my
> message, evidently someone got the message... The machine hasn't been seen
> since in our mail logs.
>
> Wouldn't it be a good idea to:
> 1. Have an option in MailScanner where you could perform an action
> (ipfilter?/add address to your MTAs access table?/interact with firewall)
> if a single IP address sends you say 10 viruses?
>
> 2. Have an option where you could send an SMB message to an IP address each
> 10? viruses they send you. This would certainly not get through to most
> senders but the effort against potential win should make it worth it,
> wouldn't it?
>
>
> regards, Tony
>
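The grep/sort/uniq pipeline from Jeff's message, and Tony's suggestion (1) of acting once a single address passes a threshold, as an added example that is not code from either poster or from MailScanner. It assumes the address is the third field of each "IP Address:" line and that ipfilter rules without an interface clause are acceptable for your setup; the sample report lines and addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of "IP Address:" lines as dropped into the virus-report
# mailbox by procmail (addresses are documentation ranges, not real senders).
SAMPLE_REPORTS='IP Address: 192.0.2.10
IP Address: 198.51.100.7
IP Address: 192.0.2.10
IP Address: 203.0.113.5
IP Address: 192.0.2.10
IP Address: 198.51.100.7
IP Address: 192.0.2.10'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_REPORTS" > "$SAMPLE_FILE"

# count_senders FILE: one "COUNT IP" line per sending address, address
# taken from the third field (assumption about the report layout).
count_senders() {
    grep '^IP Address:' "$1" | awk '{print $3}' | sort | uniq -c |
        awk '{print $1, $2}'
}

# top_senders FILE [N]: the post's pipeline, busiest N addresses first.
top_senders() {
    count_senders "$1" | sort -rn -k1 | head -n "${2:-20}"
}

# over_threshold FILE THRESHOLD: addresses that sent at least THRESHOLD
# reports, one per line, sorted by address (Tony's "say 10 viruses").
over_threshold() {
    count_senders "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# emit_ipf_rules FILE THRESHOLD: ipfilter rules blocking port 25 from each
# address over the threshold. Review the output before loading it; these
# are emergency blocks, not a long-term list.
emit_ipf_rules() {
    over_threshold "$1" "$2" | while read -r ip; do
        printf 'block in quick proto tcp from %s to any port = 25\n' "$ip"
    done
}

top_senders "$SAMPLE_FILE" 3
emit_ipf_rules "$SAMPLE_FILE" 3
```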


