How Well are Your Servers Handling MyDoom?

whosyourgeekdaddy asks: "A co-worker was showing me some of the usage stats for a client's Exchange server: it's averaging 630 users, and 300,000 emails per day, for the last 4 days. This made me want to ask how heavy is the workload for your 'average' Exchange server? Is this typical? MyDoom has upped the usage some, but not a lot. This client is a real estate company, so e-mail is frequently used." Of course, Exchange servers aren't the only ones feeling MyDoom. What kind of statistics have you been seeing from MyDoom, both as a user and as an administrator?
  • Not a Problem (Score:4, Informative)

    by Neon Spiral Injector ( 21234 ) * on Wednesday January 28, 2004 @12:06AM (#8109047)
    grep "X-Infected: W32/Mydoom.A@mm" rejectlog* | wc -l
    11096


    All rejected at SMTP time, not mindlessly bounced after the fact.

    My server isn't even feeling it.
  • I see that today I got three MyDoom e-mails on my older account and none on my newer account.

    Tim
  • If you're getting 500 emails a day, either the entirety of your staff is subscribed to lkml and debian-user, or you've got a staff that hasn't been trained not to plug their damned mail address into every last fucking form field in sight.

    Seriously, half an hour of internet usage training 2-3 times a year can halve your bandwidth requirements.

    (p.s. -- Don't mod me up. I'll only use the karma to troll at +2 later.)

  • According to my spammeter [ispol.com] it barely made a dent in the sea of spam I'm getting these days.

    It took my Bayesian filter a few to learn to recognize it, since then I'm not affected by it in any way. Of course, I'm not exactly a big Windows user either....

  • For the record (Score:5, Insightful)

    by jeffasselin ( 566598 ) <cormacolinde@gma ... com minus author> on Wednesday January 28, 2004 @12:07AM (#8109057) Journal
    We have about 50 users, we got around 200 viruses in the first 18 hours.
  • by reaper20 ( 23396 ) on Wednesday January 28, 2004 @12:08AM (#8109069) Homepage
    Spamassassin, postfix, and procmail developers - I sit here at home with a beer whilst my Exchange colleagues want to kill themselves right about now.

    Thanks.
    • Hear hear!

      Same goes to the Exim, Exiscan, and Clamav authors.

      I woke this morning with an e-mail saying the Clamav signature DB was updated, then had a look at my Exim reject logs to see if it was rejecting Mydoom. Sure was, at that time about 2000 of them since midnight.
    • Would you care to share your formulation of rules that block this particular virus? I don't want to simply stop .zip file attachments, nor can I stop this virus based on sender, subject (especially), or size, since they're all variable. In short, I don't know where to start.
      • You should already be blocking any attachments with a .pif, .scr, .cmd, .bat extension. Probably also .exe, or at least munge the name so you can't easily execute it.

        In addition to that, I am now blocking anything with an attachment named:
        message.zip
        document.zip
        file.zip
        data.zip

        etc....... for whatever the virus uses.

        If it got too bad, I'd put a virus scan on all incoming emails, but procmail rules seem to work fine.

        No worries.
      • Would you care to share your formulation of rules that block this particular virus?
        F-prot scans inside zip files, as do many others - the clamav web page says it does too. I just use MailScanner and get it to call f-prot as a virus scanner, but it can call a whole lot of others, as can most of the mail filtering software out there.
  • User... (Score:2, Interesting)

    by Jack Comics ( 631233 ) *
    I won the recent Netscape auction [ebay.com] for the Jack at netscape dot com e-mail address and a "free" year's worth of dial-up access.

    Once I logged into the e-mail account, I noticed it was a little spammy, but that was to be expected. AOL/Netscape was generous though and gave me a one hundred megabyte POP3 e-mail account.

    However, yesterday evening, I noticed an influx of about *2,000* e-mails in about a four hour period. All were related to MyDoom, either with the virus attached or bounces due to forged "from"

  • What makes this worse is all the virus emails that are sent back to the (spoofed) senders by sysadmins. This practice just multiplies the problem and puts even more strain on the email servers.
  • We've discovered that the anti-virus engine that's supposed to be scanning email isn't working properly. Suspect file extensions still cause the attachment to be nuked, but I haven't been able to cause an alert with either a zipped virus or, say, a file with a .xls extension.

    Other than that, the servers are handling it better than the staff. I had to take my phone off the hook to get some work done investigating the problem on the server.

  • well... (Score:5, Insightful)

    by drakaan ( 688386 ) on Wednesday January 28, 2004 @12:19AM (#8109170) Homepage Journal
    since I don't allow in attachments that end in .pif .exe .scr .com or .bat (including zipped ones...thank you antigen), there have been precisely zero delivered to anybody's inboxes.
    • Same here. We were filtering this before any AV updates were available. File filtering will save you far more often than updated AV software (which we use also).

      Just noticed you used Antigen, like us. Great product and as the parent notes, it will look inside archives as well. Check it out..from www.sybari.com.
  • My 90MHz pentium is handling it just fine. Via dial-up.

    Granted, it's not even turned on, but it *is* handling things just fine.

    Eagerly awaiting +5, Informative.
  • Report... (Score:5, Funny)

    by eyeball ( 17206 ) on Wednesday January 28, 2004 @12:49AM (#8109406) Journal
    "How Well are Your Servers Handling MyDoom?" Pretty well. We're thinking of adding another cluster.

    Just kidding, lawyers.
  • by named ( 3909 )
    Our main virus/spam scanning machines are handling it pretty well. We're seeing some increased processor utilisation, but... This is for a site that serves probably 70,000 users, many of whom are, uh, less than careful with their addresses. On a typical day, we process somewhere around 300,000 messages (depending on how frisky the spammers are feeling).

    In the first 24 hours we blocked about 66,000 instances of this beast, and were continuing to receive them at about 3000 - 5000 per hour as of 1700 PST.

    O
    • Sounds similar (Score:5, Informative)

      by Chemical Serenity ( 1324 ) on Wednesday January 28, 2004 @02:04AM (#8109891) Homepage Journal
      Unfortunately I was caught working on another project, and the serious inflow came between 'freshclam' updates... inside that 12 hour spam we ended up with about 40,000 of the things clogging up the works and god only knows how many untold thousands dropped on the front end. After getting the update in and cleaning out the garbage we're getting several thousand an hour, but the server barely notices it.

      One trick which helped ease the burden is that the majority of the emails are coming in with very specific topics: "hi", "hello", "test", "status" and "server report". Added this line to my postfix spamfilter rules and it eased a LOT of the burden immediately:

      /Subject:.*(hi|hello|test|status|server report)$/ REJECT 550 Your email has the subject of an Worm.SCO.A viral message. Change your subject and resend.
      If you're an administrator out there reading this, for the love of whatever god you hold dear TURN OFF YOUR BLOODY VIRUS BOUNCE MESSAGES! I've had as many 'replies' to faked From: headers as virus mails. You're making the problem far worse than it otherwise would be!
      • Why don't you bounce them back, teach them a thing or two? If they don't notice it why should they change anything.
        • Because I'd rather be part of the solution than part of the problem. As it is I sort of AM bouncing them back, de facto:
          1. Virus mail spoofs a nonexistent From: address on my domain, sends it to server 'x'.
          2. Server 'x' bounces the mail to the nonexistent From: with a 'this is a virus, bad bad bad' message. Maybe it also adds the virus itself into the message (yes, some do this!) and mangles it just enough that clamav won't detect it on my side.
          3. My server receives the unfortunately now-legitimate mail and dur
  • by hords ( 619030 ) on Wednesday January 28, 2004 @01:05AM (#8109535)
    I'm a mail/systems administrator at a small/medium sized ISP. This virus is nothing compared to the onslaught of spam we get. >2 million total messages a day and blocking >1.6 million due to spam. Our virus filter is taking them out no problem, and no we aren't bouncing it =)
  • by CptChipJew ( 301983 ) * <michaelmiller@gmail . c om> on Wednesday January 28, 2004 @01:06AM (#8109540) Journal
    For MyDoom 3, and it's starting to feel like it's never going to come out.
  • I think you should ask SCO about theirs. :)
  • #nmap -P0 -p 25 xx.xx.xx.0/24

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    The 1 scanned port on (xx.xx.xx.1) is: closed
    The 1 scanned port on (xx.xx.xx.2) is: closed
    ....
    The 1 scanned port on (xx.xx.xx.255) is: closed

    Nmap run completed -- 255 IP addresses (255 hosts up) scanned in 732 seconds
  • Reminds me of that dell commercial where users had to go through computer boot camp.

    I notice a steady flow of anti-microsoft commentary when an outbreak such as this occurs. Remember... it was the user (is luser appropriate here?), and not microsoft that "stuck the needle in their arms."

    During times like this - I think back to the amount of times I've ever gotten infected by a virus... none, I've never used AV software and probably never will - I just don't have a need, just like many other slashdotters.
    • No.

      This was a social engineering attack. The main reason it worked was a) the message itself was believable and b) Outlook does a really shitty job of rendering attachments.

      All you really need to add to Outlook to stop these things from working quite so well is a red flashing light next to the unsafe file so that even with a double-encoded extension, very long filename, or whatever other trick an attacker may use it is clear that you shouldn't open/execute that file.

      The thing is, user training can only
      • All you really need to add to Outlook to stop these things from working quite so well is a red flashing light next to the unsafe file so that even with a double-encoded extension, very long filename, or whatever other trick an attacker may use it is clear that you shouldn't open/execute that file.

        How about a nice dialog that pops up when the user tries to run the attachment, warning them it's a bad idea and defaulting to "not run" ?

        • Users tend to ignore dialogs which pop up asking them for permission. Making something that is dangerous *look* dangerous is probably better, HCI-wise, than asking for permission when the user has already made up their mind that they want to see inside that file.
          • Users tend to ignore EVERYTHING that isn't directly related to "what I want this stupid machine to do" and is more than about 7 words long.

            Throw a number in that warning and their eyes instantly glaze over. 50% Chance that this also causes confusion and/or fear.

            95% chance that no matter how long they sit there and stare at whatever pops up, they take no action to figure out what it actually is trying to tell them and they ignore it or click whatever button their mouse is closest to.

            Use the same icon in
      • You mean like this? [995.ca]

        Outlook hasn't been susceptible for years. It's just that people are still running versions of OE and Outlook that are 4 versions old and never updated them.
    • Although this is a user problem, Outlook definitely has a bug. There is no way that the code that decides how to display the icon for the attachment should be separated from the code that decides how to "execute" it and thus will display different things. That is a definite bug.

      Not a bug, but a nice feature, would be to have any executable attachment pop up a dialog that says "Do you really want to run this thing, it is probably a destructive virus. Do not run unless you are really certain that you trust
      • There is no way that the code that decides how to display the icon for the attachment should be separated from the code that decides how to "execute" it and thus will display different things.

        The code _should_ be separated.
        Attachment type is identified by its MIME Content-Type, that's enough.

        Not a bug, but a nice feature, would be to have any executable attachment pop up a dialog

        Come on, the dialog would be buggy too.

    • > I've never used AV software and probably never will - I just don't have a need, just like many other slashdotters.

      Until recently I could've said the same thing. I used to be primarily a windows 98 user, and now primarily use Linux (with a single win2k box at work). I figured you'd have to be stupid to be infected with anything - just keep your patches up to date and don't open attachments.

      Unfortunately WindowsUpdate claimed that I was all patched up when Nachi came by (but it was a lying POS). I e
  • I'm using Merak Mail Server [merakmailserver.com], a cheaper, better engineered alternative to MS Exchange and haven't had a problem yet. Like the others, its AV learned about MyDoom and has promptly deleted several thousand emails without a single problem.

    Now, the mail list I moderate on - that's another thing. From 6pm to 12am I've received roughly 3000 emails - and 5 were legit. MOST of them were those damn Anti-virus "Your email has a virus" bounce messages. I swear they are the work of evil. There needs to be a switch on
  • by XO ( 250276 )
    Lots of people are talking about how their spam filters are just automagically filtering it.. Mine isn't - spamassassin. I do have Bayesian enabled, and I have received at least 20 or 30 of them.. I've received a LOT LOT LOT more bounce emails from other places though, regarding it.. grrr.
    • you should use your mail server to filter out attachments with microsoft executables; e.g., mime-header-checks with Postfix. I set this up during the last outbreak, and not even one of the latest virus has gotten through my postfix.
  • by repvik ( 96666 )
    I've so far received TWO.

    But I wonder, what solutions do people use to filter viruses? I use postfix/procmail right now... Adding a virus scan to that wouldn't hurt :)
    • A no brainer is a little procmail script. Can't remember the source:
      :0 B
      * ^ *Content-Disposition: attachment;
      * filename=".*\.(vbs|vsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|bas|scr|wav|eml|dll)"
      microsoftjunk
      Change 'microsoftjunk' to wherever you want to send files with the above attachments. Now that I think about it, I'm switching mine to /dev/null.
  • I'm running sendmail with Mimedefang [mimedefang.org] calling spamassassin and uvscan. This server sits in front of 4 exchange servers and handles incoming and outgoing mail for about 10,000 users. Spamassassin was marking the messages as spam right off the bat. An updated dat file for uvscan came out around 11PM Monday and my cronjob auto-updated it. From around 11PM Monday to 7AM Tuesday we were averaging around 200 per hour. At about 8AM until now that has jumped to about 500 per hour. For a point of reference, we
  • My servers are handling it without a problem... total, I have received 5 e-mails with the bounce notice, one with the virus itself. I get less spam every hour.
  • I've got 200 mailboxes on 4 servers (most on one server at head office, a few scattered in branches across a WAN).

    McAfee Antivirus is showing about 5% of our inbound email is infected, though I haven't dug into specifics of which viruses. McAfee SpamKiller is spitting out about another 40% as spam.

    Daily email count averages 6-10k

    The most annoying bit about MyDoom is that we're getting a bunch of "you sent us an infected email!" messages because of the fake "from" address.

  • I got about 50 sent to various mailing lists, very few to my email address. This was in the first 4h of the outbreak, because since then our IT dept has implemented the extra signature on the email gateway to detect & strip off the virus and I haven't seen a single one.

    However I now get notification failures and bounces of people who must have received the virus with a forged sender address (mine).

  • by Feztaa ( 633745 )
    My servers don't care that you're doomed.
  • </sarcasm>

    I got one MyDoom, looks like it was a bounce from another idiot admin who sends replies to the forged email header instead of just dropping it.

    Granted my mail server is just for my wife and I, so it isn't like we get a whole ton of email anyways compared to a business.
  • We have just installed a new Mirapoint [mirapoint.com] mail system. The frontend message router (MD450) handles anti-virus and anti-spam scanning. We started getting hit with MyDoom at 11am local time (GMT+10) yesterday. So far over 1.5 days we have blocked about 300,000 MyDoom messages. The load on the new Mirapoint message director is minimal. Our normal message load before this was 60-70,000 emails per day.

    If this load had hit our old servers we would have been waiting a week to get any legitimate mail through!
  • Due to the virus we've had:

    (780 Email accounts few mailing lists.. Qmail+vpopmail+qmailscanner+clamav)

    500Kbps more bandwidth being used by the mailserver.. Avg is 12kbps most times..

    We're blocking all normal virii attachments .scr .pif .bat .ext but one problem is it's now showing up in zip files; don't want to turn on scanning for virii in those because of the memory hogging that will ensue, and it would force me to serialize scanning of inbound emails, but then on busy days we'd definitely queue up on that end.
  • by Frater 219 ( 1455 ) on Wednesday January 28, 2004 @11:58AM (#8113164) Journal
    Yesterday, we rejected some thousands more emails than we usually process on a weekday. Our mail exchangers -- two Dell PowerEdge 2450s with Debian, Postfix, and SpamAssassin -- usually make between 30k and 45k deliveries each day, and reject between 4500 and 5500 messages as spam.

    Yesterday, we made the usual 40k deliveries, but additionally rejected 52k messages, most due to the Mydoom outbreak. Over 29k of those rejections were "user unknown"; 13.6k were based on the strings found in the body of Mydoom messages, and 3k were based on our general policy of rejecting EXE attachments based on the Base-64-encoded MZ header.

    All spam rejections (including SPEWS and Spamhaus SBL-XBL, plus content filters) totaled only 11% of total rejections.

    Maximum load average was around 2. Our mail system is deliberately overengineered, to provide "utility grade" reliability even under load a lot higher than this worm. (Think "mailbomb".) In fact, given how crappy the electrical service is here, I'd say we do rather better than "utility grade".
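The gateway-side filtering discussed in this thread (the extension blocklists and ZIP inspection in the procmail and Antigen replies above, and the Base-64 MZ-header rejection in this post) combined into one worked example. This is added illustration code, not anything a poster or project published; the extension list, subject pattern and sample messages are constructed here, and the subject check uses a full-line match rather than the looser trailing-word pattern quoted earlier in the thread.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed blocklist modelled on the extensions named in the thread.
BLOCKED_EXT = {"vbs", "vbe", "wsh", "hta", "scr", "pif", "com", "exe",
               "shs", "bat", "cmd", "dll"}
# Worm-style subjects quoted in the thread; anchored to the whole line so a
# legitimate subject that merely ends in "hi" or "test" is not rejected.
SUBJECT_RE = re.compile(r"^(hi|hello|test|status|server report)$", re.I)


def has_blocked_ext(name):
    """True if the final extension of name is on the blocklist (case-insensitive)."""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in BLOCKED_EXT


def zip_member_names(data):
    """Names inside a ZIP attachment; [] when the bytes are not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def attachment_findings(msg):
    """Return the list of reasons this filter would reject the message."""
    reasons = []
    subj = msg.get("Subject", "").strip()
    if SUBJECT_RE.match(subj):
        reasons.append(f"subject matches worm pattern: {subj!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""   # decoded from base64
        if has_blocked_ext(name):
            reasons.append(f"blocked extension: {name}")
        if data[:2] == b"MZ":                        # DOS/PE executable header
            reasons.append(f"executable (MZ) header in {name}")
        for member in zip_member_names(data):        # look inside archives
            if has_blocked_ext(member):
                reasons.append(f"blocked extension inside {name}: {member}")
    return reasons


def build_sample(subject, filename, payload, zipped=False):
    """Construct a test message (sample data only, not a real worm body)."""
    if zipped:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(filename, payload)
        payload, filename = buf.getvalue(), "document.zip"
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.org"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def check_raw(raw):
    """Parse raw RFC 822 bytes the way a gateway would and return the findings."""
    return attachment_findings(BytesParser(policy=policy.default).parsebytes(raw))
```

Running `check_raw(build_sample("hi", "document.scr", b"MZ\x90\x00fake").as_bytes())` reports all three findings, while a zipped `file.exe` is caught only by the archive check, which is the gap the Exchange and qmail posters above describe.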

  • Got about 50 emails last night containing warnings (you sent a virus from an IP you don't own!) and bounces (you emailed a nonexistent user from an IP you don't own!).

    Rather pissed off at Windows lusers right about now....

  • At my university, the email server has been brought to a grinding halt. Some idiotic administrator with access to the email distribution list (that goes to all the students) opened the virus, and so every student on campus got several emails with the virus.

    It's taken them over a day to start blocking it. Of course, this is the same IT "Services" that has every single incoming port either ghosted or blocked at an enormous firewall. File sharing is blocked in any direction, and the only outgoing ports ope
  • Monday 22
    Tuesday 82
    Wednesday 79

    I know I should get a new address but I've had this one a long time.

    This mass mailer definitely beats all the other viruses in terms of numbers in my inbox.
  • I am the webmaster of a computer privacy / security site. One of our most popular downloads is a utility that corrects Windows connection issues caused by adware/spyware that messes with the Winsock stack, aimed at novice users. Thus, the program's readme (containing contact addresses for our site) is sitting on the machines of millions of click-click-execute-happy newbies, AOLers, clueless managers and PHBs, and so forth.

    The worm forges an email FROM a randomish username at a randomly-selected domain TO a
  • Exchange 5.5 running on an old 500MHz Compaq ProLiant 3000
    Total Emails 1/27/04: 5526 (that's about double our average)
    MyDoom infected messages 1/27/04: 1515 (Ouch!)

    However performance hasn't degraded much overall, I only notice it because I'm the dork that monitors the damn thing... end users aren't feeling a thing.

  • 5 minutes of my time telling my users to watch out, which they knew to do anyway.....
