The recent variation of the W32.Sobig virus has caused quite a stir. It’s gotten so bad that “normal” spam is way down as choking email servers try to cope with the deluge of the new virus mail. I’m guessing that “normal” email, the stuff the internet uses for basic communication, is down too.
I’m one of the lucky ones so far (knock on wood). A bunch of them have hit the virus trap at my mail server, but so far the anonymous senders haven’t used my email address in the From: header. Friends and associates haven’t been so lucky. People I know are getting up to 1000 emails per hour hitting their mailboxes from bounces, complaints and the other residue that piles up when a spammer steals your email address.
Over in the mail-related newsgroup at my domain host, the normally quiet little group (~20 posts per week) has turned overnight into Grand Central Station. A regular poster summed it up in a two-line thread: “Good grief”. A group that normally had a few geeks discussing various ways to implement Spamassassin filtering with procmail and qmail is now filled with hysterical suburbanites begging for some kind of “button” in their domain hosting control panel that can turn Sobig off. Sorry about that. You kind of have to read about setting up filtering. The owner of the web hosting company had this to say yesterday morning:
“Of course, everyone should keep their Windows machines patched, preferably by installing FreeBSD or Linux.”
That didn’t sit too well with the suburbanite crowd. “We’re paying for email service and we’re not paying for all these viruses!”
In the end, he acknowledged that even though the company didn’t send out Sobig, and even though the company doesn’t even use any kind of Microsoft operating system, they’d probably get blamed for the virus anyway. So now, when you log in to the web-interface control center for your domain, there’s an option to “Click on” that turns on filtering for Sobig and stores the suspected virii in an IMAP folder on the server. And they accomplished it in the space of a few hours without deleting any customer email, something they say they’ll never do. Not too shabby, I’d say.
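The hosting company’s actual filter isn’t shown in the post, so here is an added example of the kind of server-side rule it describes: classify incoming mail by the attachments it carries and route anything with an executable payload into a quarantine IMAP folder instead of deleting it. Everything here is an assumption for illustration: the folder name `INBOX.Quarantine`, the extension list, and the constructed sample messages (including the `.pif` filename). Note that it deliberately ignores the From: header, since the post describes the worm forging other people’s addresses there.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions that mass-mailing worms of the Sobig era used for
# their payload. Tune this list to your own traffic.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".bat", ".com", ".cmd"}

# Hypothetical IMAP folder; suspected virus mail is filed here, never deleted.
QUARANTINE_FOLDER = "INBOX.Quarantine"


def suspicious_attachments(msg):
    """Return [(filename, decoded_size)] for attachments with executable names.

    Only the attachment itself is examined. Sender address and subject are
    ignored on purpose: the worm forges both, so they carry no signal.
    """
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
            payload = part.get_payload(decode=True) or b""
            hits.append((name, len(payload)))
    return hits


def route(raw_bytes):
    """Decide which folder a raw RFC 822 message should be delivered to.

    Returns (folder, hits). A message is quarantined when it carries at least
    one executable attachment; everything else goes to INBOX untouched.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = suspicious_attachments(msg)
    if hits:
        return QUARANTINE_FOLDER, hits
    return "INBOX", []


# --- constructed sample messages (not real worm traffic) -------------------

def build_sample(filename, payload):
    """Build a message with one attachment and return it as raw bytes."""
    m = EmailMessage()
    m["From"] = "forged.sender@example.com"   # forged From:, as in the post
    m["To"] = "me@example.com"
    m["Subject"] = "Re: Details"
    m.set_content("See the attached file.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def build_plain():
    """Build an ordinary text-only message with no attachments."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "me@example.com"
    m["Subject"] = "lunch?"
    m.set_content("Are you free Friday?")
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("your_document.pif", b"MZ" + b"\x00" * 1024)
    print(route(worm_like))                       # ('INBOX.Quarantine', [...])
    print(route(build_sample("report.pdf", b"%PDF-1.4")))   # ('INBOX', [])
    print(route(build_plain()))                   # ('INBOX', [])
```

The design choice worth copying is the last one in the post: suspected mail is filed, not dropped, so a false positive costs the user a look in a folder rather than a lost message. In a procmail setup the same decision would be a recipe whose action is a folder path rather than `/dev/null`.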
Not too shabby at all. Especially after a smarmy anti-Windows comment.
I’ve only gotten about a half dozen “bounces” from the virus hijacking my e-mail address, but I’ve deleted dozens and dozens of virus-bearing e-mails while they were still on the server. I understand the attachment is around 100 KB, so, yeah, that’s a helluva load to place on e-mail systems.
Surely a pain in the patootie for your average dial-up user, for whom procmail and even MailWasher are foreign words. Even if they recognize it as a virus, they have to at least attempt to download it.
But at least it’s “more traditional” in delivery. That damn Blaster worm had me befuddled.
Sat.August.03 @ 18:19:19
The Blaster worm was truly insidious. Apparently it probed the NetBIOS port (135) on thousands of cable subscriber IP addresses and anything open got itself a worm. I helped my sister install Norton Internet Security Pro on her computer the day before the attack began. My mother’s computer had only Zone Alarm installed and she fended off over 400 port 135 attacks per day.
Frontline had a very good look at these worm/virus attacks from an Al Qaeda perspective: CyberWar.
Sat.August.03 @ 19:07:23