Sobig stats

Alan Fiebig mailscanner at ELKNET.NET
Fri Aug 22 16:45:31 IST 2003


As I mentioned in an earlier email, my MS/SA system appeared to be tagging some Sobig messages as spam, rather than as viruses, due to the content and structure of the message. This was resulting in my system sending out spam rejection notices to faked from addresses.

So, I went ahead and created a SA rule that checks the subject of each message looking for the known Sobig.F subject lines. If it found one, it assigned a large negative score to prevent the message from being tagged as spam. Then the virus scanner could catch it, and as it was listed as a silent virus, no notice would be sent.

Well, I have some interesting results...

My average, pre-Sobig.F virus levels are around 6 viruses caught per hour.
Once Sobig.F started, that level jumped to 11 viruses caught per hour, so Sobig.F by itself was equal to all other viruses combined.

But, remember, that was a false count, since I knew at least SOME Sobig messages were never seen by the virus scanner as they had been rejected as spam. So, now that I was no longer rejecting Sobig messages as spam with my new SA ruleset, I wondered how much of an increase I would see in Sobig.F viruses...

The stats are showing that the true Sobig levels my scanner is seeing are not 11 per hour, but 768 per hour! I was shocked at how many I had been rejecting as spam; no wonder people were complaining I was hammering them with rejection notices.

BTW, my MS/SA system handles around 200,000 emails per day, so the above infection rates translate to:
  Pre Sobig:   0.07%
  False Sobig: 0.13%
  True Sobig:  9.00%

-Alan
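The ordering problem Alan describes, as an added example that is not part of the post or of MailScanner: a constructed spam-then-virus pipeline in which a Sobig.F message scoring as spam triggers a rejection notice to the forged sender, versus the same pipeline with a large negative subject rule that lets the message fall through to the virus scanner and be dropped silently. The subject strings are assumed from public Sobig.F write-ups, not from the post; the threshold, scores and pipeline are constructed.

```python
import re

# Subject lines widely reported for Sobig.F (assumed from public write-ups,
# not taken from the post). Matched whole-subject, case-insensitively, the
# way a SpamAssassin "header ... Subject =~ /.../i" rule would.
SOBIG_F_SUBJECTS = [
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
]
SOBIG_RE = re.compile(
    r"^\s*(?:" + "|".join(re.escape(s) for s in SOBIG_F_SUBJECTS) + r")\s*$",
    re.IGNORECASE,
)

SPAM_THRESHOLD = 5.0        # constructed SA required_score
SOBIG_RULE_SCORE = -100.0   # the "large negative score" from the post


def sa_score(subject: str, base_score: float, sobig_rule: bool) -> float:
    """SpamAssassin-style total: the content score plus the subject rule if enabled."""
    score = base_score
    if sobig_rule and SOBIG_RE.search(subject):
        score += SOBIG_RULE_SCORE
    return score


def process(subject: str, base_score: float, carries_sobig: bool, sobig_rule: bool):
    """Constructed MailScanner-like pipeline: spam verdict first, virus scan second.

    Returns (disposition, notice_sent_to_sender). A spam rejection notifies the
    From: address, which for Sobig.F is forged, so that notice is backscatter.
    """
    if sa_score(subject, base_score, sobig_rule) >= SPAM_THRESHOLD:
        return "rejected-as-spam", True
    if carries_sobig:
        return "virus-silent", False   # listed as a silent virus: no notice
    return "delivered", False


def backscatter_count(messages, sobig_rule: bool) -> int:
    """How many forged-sender notices a batch of (subject, score, is_sobig) causes."""
    return sum(process(s, sc, v, sobig_rule)[1] and v for s, sc, v in messages)


if __name__ == "__main__":
    batch = [("Re: Details", 8.0, True), ("Your details", 6.5, True),
             ("Buy now!!!", 9.0, False), ("Meeting notes", 0.5, False)]
    print("notices without rule:", backscatter_count(batch, False))  # 2
    print("notices with rule:   ", backscatter_count(batch, True))   # 0
```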
