How Well are Your Servers Handling MyDoom?
whosyourgeekdaddy asks: "A co-worker was showing me some of the usage stats for a client's Exchange server: it's averaging 630 users, and 300,000 emails per day, for the last 4 days. This made me want to ask how heavy the workload is for your 'average' Exchange server? Is this typical? MyDoom has upped the usage some, but not a lot. This client is a real estate company, so e-mail is frequently used." Of course, Exchange servers aren't the only ones feeling MyDoom. What kind of statistics have you been seeing from MyDoom, both as a user and as an administrator?
grep "X-Infected: W32/Mydoom.A@mm" rejectlog* | wc -l
11096
All rejected at SMTP time, not mindlessly bounced after the fact.
My server isn't even feeling it.
I see that today I got three MyDoom e-mails on my older account and none on my newer account.
Tim
Omnia vestra castrorum habetur nobis.
Seriously, half an hour of internet usage training 2-3 times a year can halve your bandwidth requirements.
(p.s. -- Don't mod me up. I'll only use the karma to troll at +2 later.)
It took my Bayesian filter a few to learn to recognize it; since then I'm not affected by it in any way. Of course, I'm not exactly a big Windows user either....
We have about 50 users, we got around 200 viruses in the first 18 hours.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Spamassassin, postfix, and procmail developers - I sit here at home with a beer whilst my Exchange colleagues want to kill themselves right about now.
Thanks.
Once I logged into the e-mail account, I noticed it was a little spammy, but that was to be expected. AOL/Netscape was generous though and gave me a one hundred megabyte POP3 e-mail account.
However, yesterday evening, I noticed an influx of about *2,000* e-mails in about a four hour period. All were related to MyDoom, either with the virus attached or bounces due to forged "from" addresses. Since then, I've been getting an average of 830 e-mails per *hour*. My Netscape e-mail account has reached the 100 megabyte e-mail quota twice so far, with over 13,000 e-mails each time, and after I clean it out, it starts to fill back up again. There's just no end in sight. The e-mail account is completely useless to me now. I should have known bidding on that auction was a bad idea. :( In the meantime, I've had to make the e-mail account whitelisted, meaning it now only accepts e-mail from known e-mail addresses, until I can figure out an equitable solution.
"We are all in the gutter, but some of us are looking at the stars." - Oscar Wilde
What makes this worse is all the virus emails that are sent back to the (spoofed) senders by sysadmins. This practice just multiplies the problem and puts even more strain on the email servers.
Other than that, the servers are handling it better than the staff. I had to take my phone off the hook to get some work done investigating the problem on the server.
Since I don't allow in attachments that end in .pif, .exe, .scr, .com or .bat (including zipped ones... thank you, Antigen), there have been precisely zero delivered to anybody's inboxes.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
My 90MHz pentium is handling it just fine. Via dial-up.
Granted, it's not even turned on, but it *is* handling things just fine.
Eagerly awaiting +5, Informative.
Ron Paul 2012
Same here, although I've had quite a bit less traffic than you:
My personal domain is an "MCI network" (friends and family), and I only have 5 users. They all use Windows, so I'm happy to keep them shielded from recent trouble. It's been quiet for them.
I happened to be talking to one guy who gets mail from me (we see each other infrequently) and offhandedly asked how he was coping with the MyDoom problem. He didn't know what I was talking about. He hadn't been reading the news lately, and it took me a minute before I realized all the virus-laden emails were getting dumped before he ever saw them. I forgot my little procmail recipe was in place.
So, yeah, MyDoom's pretty much been a non-issue.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
"How Well are Your Servers Handling MyDoom?" Pretty well. We're thinking of adding another cluster.
Just kidding, lawyers.
_______
2B1ASK1
Same here. We were filtering this before any AV updates were available. File filtering will save you far more often than updated AV software (which we use also).
Just noticed you used Antigen, like us. Great product and as the parent notes, it will look inside archives as well. Check it out..from www.sybari.com.
3 over the course of the past day. Looks like it's time to update AVG's AV signatures.
The ______ Agenda
Our main virus/spam scanning machines are handling it pretty well. We're seeing some increased processor utilisation, but... This is for a site that serves probably 70,000 users, many of whom are, uh, less than careful with their addresses. On a typical day, we process somewhere around 300,000 messages (depending on how frisky the spammers are feeling).
In the first 24 hours we blocked about 66,000 instances of this beast, and were continuing to receive them at about 3000 - 5000 per hour as of 1700 PST.
Our virus statistics machine wasn't handling things so well, though ;) I think "drinking from the firehose" about sums it up. It's got 24000 virus notifications sitting in the mail queue waiting to have their little snippets of info entered into the database ATM.
I'm a mail/systems administrator at a small/medium sized ISP. This virus is nothing compared to the onslaught of spam we get. >2 million total messages a day and blocking >1.6 million due to spam. Our virus filter is taking them out no problem, and no we aren't bouncing it =)
For MyDoom 3, and it's starting to feel like it's never going to come out.
Vonal Declosion
"A co-worker was showing me some of the usage stats for a client's Exchange server: it's averaging 630 users, and 300,000 emails per day, for the last 4 days"
I'm slightly off topic here, but wow. That's scary. I don't know about anyone else, but I wouldn't feel comfortable with my company's Exchange server directly connected to the internet like that. We have a content-filtering SMTP relay in our DMZ to take the brunt of crap like this. We block email with potentially dangerous attachments and viruses before they even get to our internal network.
Gyrate Dot Org - "Where high-tech meets low-life"
I think you should ask SCO about theirs. :)
-------
Support Indy Music. Buy
So what virus filtering software are you using?
-- "So, what's the deal with Auntie Gerschwitz et all?"
#nmap -P0 -p 25 xx.xx.xx.0/24
....
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
The 1 scanned port on (xx.xx.xx.1) is: closed
The 1 scanned port on (xx.xx.xx.2) is: closed
The 1 scanned port on (xx.xx.xx.255) is: closed
Nmap run completed -- 255 IP addresses (255 hosts up) scanned in 732 seconds
One trick which helped ease the burden is that the majority of the emails are coming in with very specific topics: "hi", "hello", "test", "status" and "server report". Added this line to my postfix spamfilter rules and it eased a LOT of the burden immediately:
If you're an administrator out there reading this, for the love of whatever god you hold dear TURN OFF YOUR BLOODY VIRUS BOUNCE MESSAGES! I've had as many 'replies' to faked From: headers as virus mails. You're making the problem far worse than it otherwise would be!
"People will pay big bucks for the luxury of ignorance."
Reminds me of that Dell commercial where users had to go through computer boot camp.
I notice a steady flow of anti-Microsoft commentary when an outbreak such as this occurs. Remember... it was the user (is luser appropriate here?), and not Microsoft, that "stuck the needle in their arms."
During times like this, I think back to the number of times I've ever gotten infected by a virus... none. I've never used AV software and probably never will; I just don't have a need, just like many other Slashdotters.
Why is this, you ask? Easy, because we know better. All of the hours spent in front of our boxes have allowed us to develop a trained eye... quick to point out a bullshit email subject or attachment.
The common user does not know any better and keeps infecting themselves with the virus of the month. AV software isn't always of help because viruses are created faster than the AV companies can update their definitions.
The solution lies in user training. How can mass user training be accomplished? I think OSes, after being installed or used for the first time, should offer (or mandate) a presentation on secure computer usage: what to look out for, and things not to do when on the computer, such as give out credit card info or fall for Nigerian scams.
I'm using Merak Mail Server, a cheaper, better engineered alternative to MS Exchange, and haven't had a problem yet. Like the others, its AV learned about MyDoom and has promptly deleted several thousand emails without a single problem.
Now, the mail list I moderate on - that's another thing. From 6pm to 12am I've received roughly 3000 emails - and 5 were legit. MOST of them were those damn anti-virus "Your email has a virus" bounce messages. I swear they are the work of evil. There needs to be a switch on em to the effect of "Send out virus warnings to sender, unless I receive X viruses in XX minutes." - This would really make my life a helluva lot easier.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
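The "unless I receive X viruses in XX minutes" switch asked for above, as an added example (not code from Merak or any scanner product): a sliding-window gate that stops sending "your message had a virus" notifications once the hit rate shows the From: addresses are forged. The stronger advice elsewhere in this thread is to switch such notifications off entirely; the class, function names, timings and sample events below are this example's own.

```python
"""Sliding-window gate for virus notifications (added example, not any
scanner's code). Events are assumed to arrive in time order."""
from collections import deque


class NotifyGate:
    def __init__(self, limit, window_seconds):
        self.limit = limit             # X: infected messages tolerated per window
        self.window = window_seconds   # XX minutes, expressed in seconds
        self.seen = deque()            # timestamps of hits still inside the window

    def should_notify(self, now):
        """Record one infected message at time `now` (seconds) and say whether
        a notification to its apparent sender may still go out."""
        while self.seen and now - self.seen[0] >= self.window:
            self.seen.popleft()        # expire hits older than the window
        self.seen.append(now)
        # Above the limit the From: headers are clearly forged: stay silent
        # rather than add to the backscatter this thread complains about.
        return len(self.seen) <= self.limit


def notified_senders(events, limit=5, window_seconds=600):
    """Run (timestamp, sender) virus hits through one gate and return the
    senders that would have received a notification."""
    gate = NotifyGate(limit, window_seconds)
    return [sender for ts, sender in events if gate.should_notify(ts)]


# Constructed sample: three isolated hits spread over an hour, then an
# outbreak of twenty hits inside twenty seconds (all addresses made up).
SAMPLE_EVENTS = [(0, "a@example.org"), (1200, "b@example.org"),
                 (2400, "c@example.org")] + [
    (3000 + i, f"forged{i}@example.org") for i in range(20)]

if __name__ == "__main__":
    for s in notified_senders(SAMPLE_EVENTS):
        print("would notify", s)
```

With the defaults only the three isolated senders and the first five of the outbreak are notified; the remaining fifteen are silently dropped.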
I think the problem of lusers clicking on whatever attachment they see needs to be dealt with at the source
This could work:
The sysadmin starts to send random messages with attachments to staff, with fake email headers. If the luser runs the attached program, the program sends an email to the sysadmin, then informs the user THAT THEY SHOULDN'T RUN UNKNOWN ATTACHMENTS! The user is reprimanded and sent for 30 minutes of re-education training.
Follow up every few months with more random attachments.
Do it 3 times and you're fired!
Lots of people are talking about how their spam filters are just automagically filtering it.. Mine isn't - spamassassin. I do have Bayesian enabled, and I have received at least 20 or 30 of them.. I've received a LOT LOT LOT more bounce emails from other places though, regarding it.. grrr.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
I've so far received TWO.
:)
But I wonder, what solutions do people use to filter viruses? I use postfix/procmail right now... Adding a virus scan to that wouldn't hurt
I'm running sendmail with Mimedefang calling spamassassin and uvscan. This server sits in front of 4 exchange servers and handles incoming and outgoing mail for about 10,000 users. Spamassassin was marking the messages as spam right off the bat. An updated dat file for uvscan came out around 11PM Monday and my cronjob auto-updated it. From around 11PM Monday to 7AM Tuesday we were averaging around 200 per hour. At about 8AM until now that has jumped to about 500 per hour. For a point of reference, we average about 400 rejected spam messages and 200 tagged-and-sent spam messages per hour. So far there has been no effect on the load of the machine at all. The big virus in September (what was the name of it again...sobig?...) had a much greater effect (although the load on the linux box was still pretty low).
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
My servers are handling it without a problem... total, I have received 5 e-mails with the bounce notice, one with the virus itself. I get less spam every hour.
http://www.wai-con.org
make that more spam every hour :/
god I gotta stop posting on 20 sites at once...
http://www.wai-con.org
McAfee Antivirus is showing about 5% of our inbound email is infected, though I haven't dug into specifics of which viruses. McAfee SpamKiller is spitting out about another 40% as spam.
Daily email count averages 6-10k
The most annoying bit about MyDoom is that we're getting a bunch of "you sent us an infected email!" messages because of the fake "from" address.
However, I now get notification failures and bounces from people who must have received the virus with a forged sender address (mine).
My servers don't care that you're doomed.
How Well are Your Servers Handling MyDoom?
Very funny, indeed.
Dave Moone
SCO Sytem Administrator
I got one MyDoom; looks like it was a bounce from another idiot admin who sends replies to the forged email header instead of just dropping it.
Granted my mail server is just for my wife and I, so it isn't like we get a whole ton of email anyways compared to a business.
Norris/Palin 2012
Fact: We deserve leaders who can kick your ass and field dress your carcass.
We have just installed a new Mirapoint mail system. The frontend message router (MD450) handles anti-virus and anti-spam scanning. We started getting hit with MyDoom at 11am local time (GMT+10) yesterday. So far over 1.5 days we have blocked about 300,000 MyDoom messages. The load on the new Mirapoint message director is minimal. Our normal message load before this was 60-70,000 emails per day.
If this load had hit our old servers we would have been waiting a week to get any legitimate mail through!
Clara.net's SMTP (not relay) servers have been floored by it, affecting a few of our customers.
One would have thought an ISP that's been around for a while could deal with such virii outbreaks!
No mention of it on their status page yet (1334 GMT) though.
[root@smtp root]# cat /var/log/maillog | grep -i ?filename= | wc -l
316
reject: body ?filename="hwazlp.pif"; For security reasons we reject attachments of this type. Have a nice day.
Rejecting them before they are even transferred is definitely the best way to handle them. My site hasn't been affected at all. 316 connections is only .01% of my average daily volume.
Due to the virus we've had:
500Kbps more bandwidth being used by the mailserver.. Avg is 12kbps most times..
We're blocking all normal virii attachments: .scr .pif .bat .ext, but one problem is it's now showing up in zip files. I don't want to turn on scanning for virii in those because of the memory hogging that will ensue; it would force me to serialize scanning of inbound emails, and then on busy days we'd definitely queue up on that end.
(780 Email accounts, few mailing lists.. Qmail+vpopmail+qmailscanner+clamav)
I'm about 10 sec from enabling a SPF filter http://sfp.pobox.com to reject anything not specifically listed in the spf list from that site and other spf enabled sites.. this would definitely weed out many of the virii that are just flying from user pc's.
Yesterday, we made the usual 40k deliveries, but additionally rejected 52k messages, most due to the Mydoom outbreak. Over 29k of those rejections were "user unknown"; 13.6k were based on the strings found in the body of Mydoom messages, and 3k were based on our general policy of rejecting EXE attachments based on the Base-64-encoded MZ header.
All spam rejections (including SPEWS and Spamhaus SBL-XBL, plus content filters) totaled only 11% of total rejections.
Maximum load average was around 2. Our mail system is deliberately overengineered, to provide "utility grade" reliability even under load a lot higher than this worm. (Think "mailbomb".) In fact, given how crappy the electrical service is here, I'd say we do rather better than "utility grade".
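The two attachment policies described in this thread, the extension block "including zipped ones" from the Antigen posts and the rejection of EXE attachments by their Base-64-encoded MZ header from the post above, as one added example in Python (not code from Antigen, Postfix or any other product mentioned here). The function names, the blocked-extension tuple and the sample messages are this example's own.

```python
"""Inbound attachment policy in the spirit of this thread (added example; not
code from Antigen, Postfix or any scanner the posters use). Two checks the
posters describe: (1) a blocked filename extension, also inside a .zip, and
(2) a decoded payload that starts with the "MZ" executable header, whatever
the filename claims. Names and the sample message are this example's own.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = (".pif", ".exe", ".scr", ".com", ".bat")  # assumed block list


def bad_name(name):
    return (name or "").lower().endswith(BLOCKED_EXT)


def blocked_inside_zip(data):
    """Names of blocked files inside a zip payload; [] if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if bad_name(n)]
    except zipfile.BadZipFile:
        return []


def check_message(raw):
    """Return the reasons to reject a raw message; [] means it is clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""  # base64 undone here
        if bad_name(name):
            reasons.append(f"blocked extension: {name}")
        if data[:2] == b"MZ":  # executable regardless of claimed name
            reasons.append(f"MZ header in {name or part.get_content_type()}")
        if (name or "").lower().endswith(".zip"):
            reasons += [f"blocked file inside {name}: {n}"
                        for n in blocked_inside_zip(data)]
    return reasons


def build_sample(filename, payload, zip_it=False):
    """Construct a one-attachment test message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "forged@example.com", "me@example.net", "hi"
    msg.set_content("constructed sample body")
    if zip_it:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(filename, payload)
        payload, filename = buf.getvalue(), "document.zip"
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

A real deployment would run `check_message` from the SMTP-time hook of the MTA so the rejection happens before the message is accepted, as the posters recommend, rather than bouncing it afterwards.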
Here at the office, Exchange crashed due to the increased load. I don't know the specs of the Exchange server, but it is pretty hefty. Exchange still blows, but it has gotten much better.
I second the call for re-education of attachment-clicking morons.
Lock them in a room, and chain them to a chair (with hands and arms free) in front of a Windows PC with a specially modified mouse and keyboard. The PC can run nothing but a mail client (let's call it "Outlook").
Send that PC a bunch of e-mails with bad attachments and increasingly-tempting subjects/filenames based on gender. For women: "This is soooo cute!" For men: "Britney Spears hidden cam pix!"
Some of the sender names are people known to the re-educatee, some are fictitious.
For every attachment the re-educatee executes, they receive an electrical shock via the keyboard/mouse. The shocks get increasingly stronger. If the re-educatee does not keep their hand on the mouse or keyboard in an attempt to avoid the shock, they get a stronger one via their seat.
The users stay in the room until they are either cured or dead.
Rather pissed off at Windows lusers right about now....
At my university, the email server has been brought to a grinding halt. Some idiotic administrator with access to the email distribution list (that goes to all the students) opened the virus, and so every student on campus got several emails with the virus.
It's taken them over a day to start blocking it. Of course, this is the same IT "Services" that has every single incoming port either ghosted or blocked at an enormous firewall. File sharing is blocked in any direction, and the only outgoing ports open are 80, 21, and a few others.
It's interesting to note that while areas of the campus-wide network were clogged by MSBlaster last year, the engineering department didn't even feel it. In fact, one of the sysadmins said, "We sat back and laughed." The CS and IT guys, on the other hand, were running around like headless chickens because they were totally unprepared.
Help find a cure for cancer. Join the [H]orde
Monday 22
Tuesday 82
Wednesday 79
I know I should get a new address but I've had this one a long time.
This mass mailer definitely beats all the other viruses in terms of numbers in my inbox.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
I am the webmaster of a computer privacy / security site. One of our most popular downloads is a utility that corrects Windows connection issues caused by adware/spyware that messes with the Winsock stack, aimed at novice users. Thus, the program's readme (containing contact addresses for our site) is sitting on the machines of millions of click-click-execute-happy newbies, AOLers, clueless managers and PHBs, and so forth.
:-)
The worm forges an email FROM a randomish username at a randomly-selected domain TO a randomish username at a randomly-selected domain, and ours seems pretty high on the list. We had (until yesterday...) a catch-all that directed mail to nonexistent users directly to my mailbox.
My inbox is not a pretty sight right now
Caveat Emptor is not a business model.
Total Emails 1/27/04: 5526 (that's about double our average)
MyDoom infected messages 1/27/04: 1515 (Ouch!)
However performance hasn't degraded much overall, I only notice it because I'm the dork that monitors the damn thing... end users aren't feeling a thing.
Be careful! Bears shouldn't consume large furry dogs.
5 minutes of my time telling my users to watch out, which they knew to do anyway.....
Well, we are covered by Trend which auto updates every hour anyway, so none got through (our workstations are covered with Norton Corp as well). We do about 100K emails a day between two offices and 35 users or so on average (in and out traffic). About 2500 incoming are legitimate, rest is spam/junk.
Our usage has about doubled, and since our Exchange 2000 server is a tad older (single 800MHz PIII, 1GB RAM, 4x36GB RAID) it's feeling it some, especially when it goes to do bulk emails to members or a quarter-day soft backup to its mirror server. I have gotten about 500 notices a day of incoming copies of that virus... went so far as to block zip attachments until it's over (seems to be less of a CPU/performance hit overall compared to active scanning, since the attachment block kicks in first, before an email is scanned).