Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

How Well are Your Servers Handling MyDoom?

Posted by Cliff on Tue Jan 27, 2004 11:04 PM
from the preventing-the-meltdown dept.
Bug Microsoft
whosyourgeekdaddy asks: "A co-worker was showing me some of the usage stats for a clients exchange server: its averaging 630 users, and 300,000 emails per day, for the last 4 days. This made me want to ask how heavy is the workload for your 'average' Exchange server? Is this typical? MyDoom has upped the usage some, but not a lot. This client is a real estate company, so e-mail is frequently used." Of course, Exchange servers aren't the only ones feeling MyDoom. What kind of statistics have you been seeing from MyDoom, both as a user and as an administrator?
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

How Well are Your Servers Handling MyDoom? 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Not a Problem (Score:4, Informative)

    by Neon Spiral Injector (21234) * on Tuesday January 27 2004, @11:06PM (#8109047) Homepage
    grep "X-Infected: W32/Mydoom.A@mm" rejectlog* | wc -l
    11096

    All rejected at SMTP time, not mindlessly bounced after the fact.

    My server isn't even feeling it.
  • I see that today I got three MyDoom e-mails on my older account and none on my newer account.

    Tim
  • If you're getting 500 emails a day, either the entirity of your staff is subscribed to lkml and debian-user, or you've got a staff that hasn't been trained not to plug their damned mail address into every last fucking form field in sight.

    Seriously, half an hour of internet usage training 2-3 times a year can halve your bandwidth requirements.

    (p.s. -- Don't mod me up. I'll only use the karma to troll at +2 later.)

  • According to my spammeter [ispol.com] it barely made a dent in the sea of spam I'm getting these days.

    It took my baesian filter a few to learn to recognize it, since then I'm not affected by it in any way. Of course, I'm not exactly a big Windows user either....

  • For the record (Score:5, Insightful)

    by jeffasselin (566598) <cormacolinde@Nospam.gmail.com> on Tuesday January 27 2004, @11:07PM (#8109057) Journal
    We have about 50 users, we got around 200 viruses in the first 18 hours.

  • Thanks guys. (Score:4, Funny)

    by reaper20 (23396) on Tuesday January 27 2004, @11:08PM (#8109069) Homepage
    Spamassassin, postfix, and procmail developers - I sit here at home with a beer whilst my Exchange colleagues want to kill themselves right about now.

    Thanks.
    • Hear hear!

      Same goes to the Exim, Exiscan, and Clamav authors.

      I woke this morning with an e-mail saying the Clamav signature DB was updated, then had a look at my Exim reject logs to see if it was rejecting Mydoom. Sure was, at that time about 2000 of them since midnight.
    • Would you care to share your formulation of rules that block this particular virus? I don't want to simply stop .zip file attachments, nor can I stop this virus based on sender, subject (especially), or size, since they're all variable. In short, I don't know where to start.
      • Would you care to share your formulation of rules that block this particular virus?
        F-prot scans inside zip files, as do many others - the clamav web page says it does too. I just use MailScanner and get it to call f-prot as a virus scanner, but it can call a whole lot of others, as can most of the mail filtering software out there.
  • I won the recent Netscape auction [ebay.com] for the Jack at netscape dot com e-mail address and a "free" year's worth of dial-up access.

    Once I logged into the e-mail account, I noticed it was a little spammy, but that was to be expected. AOL/Netscape was generous though and gave me a one hundred megabyte POP3 e-mail account.

    However, yesterday evening, I noticed an influx of about *2,000* e-mails in about a four hour period. All were related to MyDoom, either with the virus attached or bounces due to forged "from"

  • What makes this worse is all the virus emails that are sent back to the (spoofed) senders by sysadmins. This practice just multiplys the problem and puts evin more strain on the email servers.
  • We've discovered that the anti-virus engine that supposed to be scanning email isn't working properly. Suspect file extensions sill cause the attachment to be nuked, but I haven't been able to cause an alert with either a zipped virus or, say, a file with a .xls extension.

    Other than that, the servers are handling it better than the staff. I had to take my phone off the hook to get some work done investigating the problem on the server.

  • well... (Score:5, Insightful)

    by drakaan (688386) on Tuesday January 27 2004, @11:19PM (#8109170) Homepage Journal
    since I don't allow in attachments that end in .pif .exe .scr .com or .bat (including zipped ones...thank you antigen), there have been precisely zero delivered to anybody's inboxes.
    • Same here. We were filtering this before any AV updates were available. File filtering will save you far more often than updated AV software (which we use also).

      Just noticed you used Antigen, like us. Great product and as the parent notes, it will look inside archives as well. Check it out..from www.sybari.com.
  • My 90MHz pentium is handling it just fine. Via dial-up.

    Granted, it's not even turned on, but it *is* handling things just fine.

    Eagerly awaiting +5, Informative.

  • Report... (Score:5, Funny)

    by eyeball (17206) on Tuesday January 27 2004, @11:49PM (#8109406) Homepage Journal
    "How Well are Your Servers Handling MyDoom?" Pretty well. We're thinking of adding another cluster.

    Just kidding, lawyers.
  • Our main virus/spam scanning machines are handling it pretty well. We're seeing some increased processor utilisation, but... This is for a site that serves probably 70,000 users, many of whom are, uh, less than careful with their addresses. On a typical day, we process somewhere around 300,000 messages (depending on how frisky the spammers are feeling).

    In the first 24 hours we blocked about 66,000 instances of this beast, and were continuing to recieve them at about 3000 - 5000 per hour as of 1700 PST.

    O

    • Sounds similar (Score:5, Informative)

      by Rick Franchuk (1324) on Wednesday January 28 2004, @01:04AM (#8109891) Journal
      Unfortunately I was caught working on another project, and the serious inflow came between 'freshclam' updates... inside that 12 hour spam we ended up with about 40,000 of the things clogging up the works and god only knows how many untold thousands dropped on the front end. After getting the update in and cleaning out the garbage we're getting several thousand an hour, but the server barely notices it.

      One trick which helped ease the burden is that the majority of the emails are coming in with very specific topics: "hi", "hello", "test", "status" and "server report". Added this line to my postfix spamfilter rules and it eased a LOT of the burden immediately:

      /Subject:.*(hi|hello|test|status|server report)$/ REJECT 550 Your email has the subject of an Worm.SCO.A viral message. Change your
      subject and resend.
      If you're an administrator out there reading this, for the love of whatever god you hold dear TURN OFF YOUR BLOODY VIRUS BOUNCE MESSAGES! I've had as many 'replies' to faked From: headers as virus mails. You're making the problem far worse than it otherwise would be!
      • Why don't you bounce them back, teach them a thing or two? If they don't notice it why should they change anything.
        • Because I'd rather be part of the solution than part of the problem. As it is I sort of AM bouncing them back, de facto:
          1. Virus mail spoofs a nonexistant from: address on my domain, sends it to server 'x'.
          2. Server 'x' bounces the mail to the nonexistant From: with a 'this is a virus, bad bad bad' message. Maybe it also adds the virus itself into the message (yes, some do this!) and mangles it just enough that clamav won't detect it on my side.
          3. My server receives the unfortunately now-legitimate mail and dur

  • Nothing compared to spam (Score:3, Interesting)

    by hords (619030) on Wednesday January 28 2004, @12:05AM (#8109535)
    I'm a mail/systems administrator at a small/medium sized ISP. This virus is nothing compared to the onslaught of spam we get. >2 million total messages a day and blocking >1.6 million due to spam. Our virus filter is taking them out no problem, and no we aren't bouncing it =)

  • im still waiting (Score:5, Funny)

    by CptChipJew (301983) * <michaelmiller AT gmail DOT com> on Wednesday January 28 2004, @12:06AM (#8109540) Homepage Journal
    For MyDoom 3, and its starting to feel like its never going to come out.
  • "A co-worker was showing me some of the usage stats for a clients exchange server: its averaging 630 users, and 300,000 emails per day, for the last 4 days"

    im slightly off topic here, but wow. thats scary. i dont know about anyone else, but i wouldnt feel comfortable with my company's exchange server directly connected to the internet like that. we have a content-filtering smtp relay in our dmz to take the brunt of crap like this. we block email with potentially dangerous attachments and viruses befo
  • I think you should ask SCO about theirs. :)
  • #nmap -P0 -p 25 xx.xx.xx.0/24

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    The 1 scanned port on (xx.xx.xx.1) is: closed
    The 1 scanned port on (xx.xx.xx.2) is: closed
    ....
    The 1 scanned port on (xx.xx.xx.255) is: closed

    Nmap run completed -- 255 IP addresses (255 hosts up) scanned in 732 seconds
  • Reminds me of that dell commercial where users had to go through computer boot camp.

    I notice a steady flow of anti-microsoft commentary when an outbreak such as this occurs. Remember... it was the user (is luser appropriate here?), and not microsoft that "stuck the needle in their arms."

    During times like this - I think back to the amount of times I've ever gotten infected by a virus... none, I've never used AV software and probably never will - I just don't have a need, just like many other slashdotters.
    • No.

      This was a social engineering attack. The main reason it worked was a) the message itself was believable and b) Outlook does a really shitty job of rendering attachments.

      All you really need to add to Outlook to stop these things from working quite so well is a red flashing light next to the unsafe file so that even with a double-encoded extension, very long filename, or whatever other trick an attacker may use it is clear that you shouldn't open/execute that file.

      The thing is, user training can only
      • All you really need to add to Outlook to stop these things from working quite so well is a red flashing light next to the unsafe file so that even with a double-encoded extension, very long filename, or whatever other trick an attacker may use it is clear that you shouldn't open/execute that file.

        How about a nice dialog that pops up when the user tries to run the attachment, warning them it's a bad idea and defaulting to "not run" ?

    • Although this is a user problem, Outlook definately has a bug. There is no way that the code that decides how to display the icon for the attachement should be seperated from the code that decides how to "execute" it and thus will display different things. That is a definate bug.

      Not a bug, but a nice feature, would be to have any executable attachment pop up a dialog that says "Do you really want to run this thing, it is probably a destructive virus. Do not run unless you are really certain that you trust
  • I'm using Merak Mail Server [merakmailserver.com], a cheaper better engineered alternative to MS Exchange and haven't had a problem yet. Like the others, it's AV learned about MyDoom and has promptly deleted several thousand emails without a single problem.

    Now, the mail list I moderate on - that's another thing. From 6pm to 12am I've received roughly 3000 emails - and 5 where legit. MOST of them where those damn Anti-virus "Your email has a virus" bounce messages. I swear they are the work of evil. There needs to be a switch on
  • Lots of people are talking about how their spam filters are just automagically filtering it.. Mine isn't - spamassassin. I do have Bayesian enabled, and I have received at least 20 or 30 of them.. I've received a LOT LOT LOT more bounce emails from other places though, regarding it.. grrr.
    • you should use you mail server to filter out attachments with microsoft executables; e.g., mime-header-checks with Postfix. I set this up during the last outbreak, and not even one of the latest virus has gotten through my postfix.
  • I've so far recieved TWO.

    But I wonder, what solutions do people use to filter viruses? I use postfix/procmail right now... Adding a virus scan to that wouldn't hurt :)
  • I'm running sendmail with Mimedefang [mimedefang.org] calling spamassassin and uvscan. This server sits in front of 4 exchange servers and handles incoming and outgoing mail for about 10,000 users. Spamassassin was marking the messages as spam right off the bat. An updated dat file for uvscan came out around 11PM Monday and my cronjob auto-updated it. From around 11PM Monday to 7AM Tuesday we were averaging around 200 per hour. At about 8AM until now that has jumped to about 500 per hour. For a point of reference, we
  • My servers are handling it without a problem... total, I have recieved 5 e-mails with the bounce notice, one with the virus itself. I get less spam every hour.
  • I got about 50 sent to various mailing lists, very few to my email address. This was in the first 4h of the outbreak, because since then our IT dept has implemented the extra signature on the email gateway to detect & strip off the virus and I haven't seen a single one.

    However I now get notification failures and bounces of people whom must have received the virus with a forged sender address (mine).

  • My servers don't care that you're doomed.
  • Due to the virus we've had:

    (780 Email accounts few mailing lists.. Qmail+vpopmail+qmailscanner+clamav)

    500Kbps more bandwidth being used by the mailserver.. Avg is 12kbps most times..

    Were blocking all normal virii attachment .scr .pif .bat .ext but one problem is it's now showing up in zip files dont want to turn on scanning for virii in those becuase of the memory hogging that will ensue and it would force me to serialize scanning of inbound emails but then busy days we'd definately queue up on that end.

  • Robust mail system, no problem. (Score:3, Informative)

    by Frater 219 (1455) on Wednesday January 28 2004, @10:58AM (#8113164) Journal
    Yesterday, we rejected some thousands more emails than we usually process on a weekday. Our mail exchangers -- two Dell PowerEdge 2450s with Debian, Postfix, and SpamAssassin -- usually make between 30k and 45k deliveries each day, and reject between 4500 and 5500 messages as spam.

    Yesterday, we made the usual 40k deliveries, but additionally rejected 52k messages, most due to the Mydoom outbreak. Over 29k of those rejections were "user unknown"; 13.6k were based on the strings found in the body of Mydoom messages, and 3k were based on our general policy of rejecting EXE attachments based on the Base-64-encoded MZ header.

    All spam rejections (including SPEWS and Spamhaus SBL-XBL, plus content filters) totaled only 11% of total rejections.

    Maximum load average was around 2. Our mail system is deliberately overengineered, to provide "utility grade" reliability even under load a lot higher than this worm. (Think "mailbomb".) In fact, given how crappy the electrical service is here, I'd say we do rather better than "utility grade".

  • Got about 50 emails last night containing warnings (you sent a virus from an IP you don't own!) and bounces (you emailed a nonexistant user from an IP you don't own!).

    Rather pissed off at Windows lusers right about now....

  • Monday 22
    Tuesday 82
    Wednesday 79

    I know I should get a new address but I've had this one a long time.

    This mass mailer definately beats all the other viruses in terms of numbers in my inbox.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.