How Well are Your Servers Handling MyDoom?
whosyourgeekdaddy asks: "A co-worker was showing me some of the usage stats for a clients exchange server: its averaging 630 users, and 300,000 emails per day, for the last 4 days. This made me want to ask how heavy is the workload for your 'average' Exchange server? Is this typical? MyDoom has upped the usage some, but not a lot. This client is a real estate company, so e-mail is frequently used." Of course, Exchange servers aren't the only ones feeling MyDoom. What kind of statistics have you been seeing from MyDoom, both as a user and as an administrator?
Not a Problem (Score:4, Informative)
11096
All rejected at SMTP time, not mindlessly bounced after the fact.
My server isn't even feeling it.
Way less than yours, so even less a problem (Score:1)
Same here, although I've had quite a bit less traffic than you:
My personal domain is an "MCI network" (friends and family), and I only have 5 users. They all use Windows, so I'm happy to keep them shielded from recent trouble. It's been quiet for them.
I happened to be talking to one guy who gets mail from me (we see each other infrequently) and offhandedly asked how he was coping with the MyDoom problem. He didn't
Re:Way less than yours, so even less a problem (Score:2)
Re:Way less than yours, so even less a problem (Score:1)
BTW, I'm up to 269 emails caught. Seems to be picking up steam...
-B
Re:Not a Problem (Score:2)
Frist (Score:2)
Tim
Same here (Score:2)
Re:Same here (Score:2)
Tim
500 mails a day? (Score:2, Insightful)
Seriously, half an hour of internet usage training 2-3 times a year can halve your bandwidth requirements.
(p.s. -- Don't mod me up. I'll only use the karma to troll at +2 later.)
Business as usual (Score:2)
It took my Bayesian filter a few to learn to recognize it; since then I'm not affected by it in any way. Of course, I'm not exactly a big Windows user either....
For the record (Score:5, Insightful)
Re:For the record (Score:1)
Users got around 3 or 4 instances of the worm, and I got all of the bad address bounces - maybe a dozen or so.
Thanks guys. (Score:4, Funny)
Thanks.
Re:Thanks guys. (Score:2, Interesting)
Same goes to the Exim, Exiscan, and Clamav authors.
I woke this morning with an e-mail saying the Clamav signature DB was updated, then had a look at my Exim reject logs to see if it was rejecting Mydoom. Sure was, at that time about 2000 of them since midnight.
Re:Thanks guys. (Score:2)
Re:Thanks guys. (Score:1)
In addition to that, I am now blocking anything with an attachment named
message.zip
document.zip
file.zip
data.zip
etc....... for whatever the virus uses.
If it got too bad, I'd put a virus scan on all incoming emails, but procmail rules seem to work fine.
No worries.
Re:Thanks guys. (Score:2)
User... (Score:2, Interesting)
Once I logged into the e-mail account, I noticed it was a little spammy, but that was to be expected. AOL/Netscape was generous though and gave me a one hundred megabyte POP3 e-mail account.
However, yesterday evening, I noticed an influx of about *2,000* e-mails in about a four hour period. All were related to MyDoom, either with the virus attached or bounces due to forged "from"
sysadmins (Score:1)
Well... (Score:2)
Other than that, the servers are handling it better than the staff. I had to take my phone off the hook to get some work done investigating the problem on the server.
well... (Score:5, Insightful)
Mod Up! (Score:2)
Just noticed you used Antigen, like us. Great product and, as the parent notes, it will look inside archives as well. Check it out: www.sybari.com.
Handling it just fine. (Score:1, Informative)
Granted, it's not even turned on, but it *is* handling things just fine.
Eagerly awaiting +5, Informative.
Re:Handling it just fine. (Score:2)
Report... (Score:5, Funny)
Just kidding, lawyers.
Reasonably well, for now (Score:2, Informative)
In the first 24 hours we blocked about 66,000 instances of this beast, and were continuing to receive them at about 3000 - 5000 per hour as of 1700 PST.
Sounds similar (Score:5, Informative)
One trick which helped ease the burden is that the majority of the emails are coming in with very specific topics: "hi", "hello", "test", "status" and "server report". Added this line to my postfix spamfilter rules and it eased a LOT of the burden immediately:
If you're an administrator out there reading this, for the love of whatever god you hold dear TURN OFF YOUR BLOODY VIRUS BOUNCE MESSAGES! I've had as many 'replies' to faked From: headers as virus mails. You're making the problem far worse than it otherwise would be!
Re:Sounds similar (Score:2)
Re:Sounds similar (Score:2)
Nothing compared to spam (Score:3, Interesting)
im still waiting (Score:5, Funny)
Re: (Score:2)
I don't know (Score:1)
Mine are handling it pretty well (Score:1)
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
The 1 scanned port on (xx.xx.xx.1) is: closed
The 1 scanned port on (xx.xx.xx.2) is: closed
The 1 scanned port on (xx.xx.xx.255) is: closed
Nmap run completed -- 255 IP addresses (255 hosts up) scanned in 732 seconds
The user, experience and self-infection (Score:2, Insightful)
I notice a steady flow of anti-Microsoft commentary when an outbreak such as this occurs. Remember... it was the user (is luser appropriate here?), and not Microsoft, that "stuck the needle in their arms."
During times like this - I think back to the amount of times I've ever gotten infected by a virus... none, I've never used AV software and probably never will - I just don't have a need, just like many other slashdotters.
Re:The user, experience and self-infection (Score:2)
This was a social engineering attack. The main reason it worked was a) the message itself was believable and b) Outlook does a really shitty job of rendering attachments.
All you really need to add to Outlook to stop these things from working quite so well is a red flashing light next to the unsafe file so that even with a double-encoded extension, very long filename, or whatever other trick an attacker may use it is clear that you shouldn't open/execute that file.
The thing is, user training can only
Re:The user, experience and self-infection (Score:2)
How about a nice dialog that pops up when the user tries to run the attachment, warning them it's a bad idea and defaulting to "not run" ?
Re:The user, experience and self-infection (Score:2)
Re:The user, experience and self-infection (Score:1)
Throw a number in that warning and their eyes instantly glaze over. 50% Chance that this also causes confusion and/or fear.
95% chance that no matter how long they sit there and stare at whatever pops up, they take no action to figure out what it actually is trying to tell them and they ignore it or click whatever button their mouse is closest to.
Use the same icon in
Re:The user, experience and self-infection (Score:1)
Outlook hasn't been susceptible for years. It's just that people are still running versions of OE and Outlook that are 4 versions old and never updated them.
Re:The user, experience and self-infection (Score:2)
Not a bug, but a nice feature, would be to have any executable attachment pop up a dialog that says "Do you really want to run this thing, it is probably a destructive virus. Do not run unless you are really certain that you trust
Re:The user, experience and self-infection (Score:1)
The code _should_ be separated.
Attachment type is identified by its MIME Content-Type, that's enough.
Come on, the dialog would be buggy too.
Re:The user, experience and self-infection (Score:1)
Until recently I could've said the same thing. I used to be primarily a Windows 98 user, and now primarily use Linux (with a single Win2k box at work). I figured you'd have to be stupid to be infected with anything - just keep your patches up to date and don't open attachments.
Unfortunately WindowsUpdate claimed that I was all patched up when Nachi came by (but it was a lying POS). I e
Doin ok (Score:2)
Now, the mail list I moderate on - that's another thing. From 6pm to 12am I've received roughly 3000 emails - and 5 were legit. MOST of them were those damn anti-virus "Your email has a virus" bounce messages. I swear they are the work of evil. There needs to be a switch on
Re:I think IT management needs to be proactive! (Score:1)
"Hey, I've gotten like 10 emails in the last hour, all with Zip files and I can't open the attachments!"
*shrug*
Re:I think IT management needs to be proactive! (Score:1)
hmmm (Score:2)
Re:hmmm (Score:2)
Two. (Score:1)
But I wonder, what solutions do people use to filter viruses? I use postfix/procmail right now... Adding a virus scan to that wouldn't hurt
Re:Two. (Score:1)
Re:Two. (Score:1)
Barely felt it at all here (Score:2)
what virus? (Score:1)
Make that more... (Score:1)
No direct ill effects. (Score:1)
McAfee Antivirus is showing about 5% of our inbound email is infected, though I haven't dug into specifics of which viruses. McAfee SpamKiller is spitting out about another 40% as spam.
Daily email count averages 6-10k
The most annoying bit about MyDoom is that we're getting a bunch of "you sent us an infected email!" messages because of the fake "from" address.
As a client, (Score:2)
However, I now get notification failures and bounces from people who must have received the virus with a forged sender address (mine).
Eh? (Score:2)
Usage is way up... (Score:1)
I got one MyDoom; looks like it was a bounce from another idiot admin who sends replies to the forged email header instead of just dropping it.
Granted, my mail server is just for my wife and me, so it isn't like we get a whole ton of email anyway compared to a business.
Mirapoint handles it well (Score:1)
If this load had hit our old servers we would have been waiting a week to get any legitimate mail through!
Our Results (Score:2)
(780 email accounts, a few mailing lists; Qmail+vpopmail+qmailscanner+clamav)
500 Kbps more bandwidth being used by the mail server; average is 12 kbps most times.
We're blocking all normal virii attachments
Robust mail system, no problem. (Score:3, Informative)
Yesterday, we made the usual 40k deliveries, but additionally rejected 52k messages, most due to the Mydoom outbreak. Over 29k of those rejections were "user unknown"; 13.6k were based on the strings found in the body of Mydoom messages, and 3k were based on our general policy of rejecting EXE attachments based on the Base-64-encoded MZ header.
All spam rejections (including SPEWS and Spamhaus SBL-XBL, plus content filters) totaled only 11% of total rejections.
Maximum load average was around 2. Our mail system is deliberately overengineered, to provide "utility grade" reliability even under load a lot higher than this worm. (Think "mailbomb".) In fact, given how crappy the electrical service is here, I'd say we do rather better than "utility grade".
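The three MTA-side filters described in this thread (the worm subjects from "Sounds similar", the procmail attachment-name rules from "Thanks guys", and the Base-64 MZ-header EXE rejection from this comment) can be expressed as one message classifier. This is an added example, not any poster's configuration; the sample messages, sender addresses and attachment names are constructed for the test.

```python
import base64
import email

# Subjects the "Sounds similar" comment lists as typical of the worm.
WORM_SUBJECTS = {"hi", "hello", "test", "status", "server report"}
# Attachment names the "Thanks guys" comment blocks with procmail.
WORM_ATTACHMENTS = {"message.zip", "document.zip", "file.zip", "data.zip"}

def mz_base64_prefixes():
    """Every 3-char base64 prefix an 'MZ'-headed (EXE) body can produce.
    Base64 packs 3 bytes into 4 chars, so 'M','Z' fix the first two chars
    ('T','V') and the top bits of the third, leaving only o/p/q/r. An MTA
    can therefore spot an EXE attachment without decoding the payload."""
    return {base64.b64encode(b"MZ" + bytes([b]))[:3].decode() for b in range(256)}

MZ_PREFIXES = mz_base64_prefixes()

def classify(raw):
    """Return the reasons a raw RFC 822 message would be rejected (empty = accept)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in WORM_SUBJECTS:
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in WORM_ATTACHMENTS:
            reasons.append(f"attachment name {name}")
        if part.get("Content-Transfer-Encoding", "").lower() == "base64":
            # Inspect the encoded text as it sits on the wire; no decoding needed.
            if part.get_payload().lstrip()[:3] in MZ_PREFIXES:
                reasons.append("base64 MZ header")
    return reasons

def sample(subject, filename, first_bytes):
    """Constructed test message (not captured traffic) with one base64 attachment."""
    body = base64.b64encode(first_bytes + b"\x00" * 13).decode()
    return (
        f"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: {subject}\r\n"
        'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        "--XX\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
        f'--XX\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n{body}\r\n--XX--\r\n'
    ).encode()

WORM_LIKE = sample("hi", "document.zip", b"PK\x03\x04")  # zip magic, worm-style name
RAW_EXE = sample("Quarterly figures", "figures.exe", b"MZ\x90\x00\x03")  # PE header
CLEAN = sample("Lunch?", "notes.txt", b"Hello")
```

Because every check here runs on headers and the first few encoded bytes, it is cheap enough to apply at SMTP time and reject before accepting the message, which is what keeps the forged-sender bounces from being generated at all.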
warnings and bounces (Score:2)
Rather pissed off at Windows lusers right about now....
Univ. mail server smoking (Score:1)
It's taken them over a day to start blocking it. Of course, this is the same IT "Services" that has every single incoming port either ghosted or blocked at an enormous firewall. File sharing is blocked in any direction, and the only outgoing ports ope
Personal hits (Score:2)
Tuesday 82
Wednesday 79
I know I should get a new address but I've had this one a long time.
This mass mailer definitely beats all the other viruses in terms of numbers in my inbox.
13,000 copies yesterday (Score:1)
The worm forges an email FROM a randomish username at a randomly-selected domain TO a
my server (Score:1)
Total Emails 1/27/04: 5526 (that's about double our average)
MyDoom infected messages 1/27/04: 1515 (Ouch!)
However performance hasn't degraded much overall, I only notice it because I'm the dork that monitors the damn thing... end users aren't feeling a thing.
My costs in defending against the MyDoom virus (Score:1)