Slashdot Mirror


How Well are Your Servers Handling MyDoom?

whosyourgeekdaddy asks: "A co-worker was showing me some of the usage stats for a client's Exchange server: it's averaging 630 users, and 300,000 emails per day, for the last 4 days. This made me want to ask how heavy is the workload for your 'average' Exchange server? Is this typical? MyDoom has upped the usage some, but not a lot. This client is a real estate company, so e-mail is frequently used." Of course, Exchange servers aren't the only ones feeling MyDoom. What kind of statistics have you been seeing from MyDoom, both as a user and as an administrator?

5 of 81 comments

  1. Not a Problem by Neon Spiral Injector · Score: 3, Informative

    grep "X-Infected: W32/Mydoom.A@mm" rejectlog* | wc -l
    11096


    All rejected at SMTP time, not mindlessly bounced after the fact.

    My server isn't even feeling it.

  2. Handling it just fine. by JDWTopGuy · Score: 1, Informative

    My 90MHz pentium is handling it just fine. Via dial-up.

    Granted, it's not even turned on, but it *is* handling things just fine.

    Eagerly awaiting +5, Informative.

    --
    Ron Paul 2012
  3. Reasonably well, for now by named · Score: 2, Informative

    Our main virus/spam scanning machines are handling it pretty well. We're seeing some increased processor utilisation, but... This is for a site that serves probably 70,000 users, many of whom are, uh, less than careful with their addresses. On a typical day, we process somewhere around 300,000 messages (depending on how frisky the spammers are feeling).

    In the first 24 hours we blocked about 66,000 instances of this beast, and were continuing to receive them at about 3000 - 5000 per hour as of 1700 PST.

    Our virus statistics machine wasn't handling things so well, though ;) I think "drinking from the firehose" about sums it up. It's got 24000 virus notifications sitting in the mail queue waiting to have their little snippets of info entered into the database ATM.

  4. Sounds similar by Chemical Serenity · Score: 4, Informative

    Unfortunately I was caught working on another project, and the serious inflow came between 'freshclam' updates... inside that 12 hour span we ended up with about 40,000 of the things clogging up the works and god only knows how many untold thousands dropped on the front end. After getting the update in and cleaning out the garbage we're getting several thousand an hour, but the server barely notices it.

    One trick which helped ease the burden is that the majority of the emails are coming in with very specific topics: "hi", "hello", "test", "status" and "server report". Added this line to my postfix spamfilter rules and it eased a LOT of the burden immediately:

    /Subject:.*(hi|hello|test|status|server report)$/ REJECT 550 Your email has the subject of an Worm.SCO.A viral message. Change your subject and resend.

    If you're an administrator out there reading this, for the love of whatever god you hold dear TURN OFF YOUR BLOODY VIRUS BOUNCE MESSAGES! I've had as many 'replies' to faked From: headers as virus mails. You're making the problem far worse than it otherwise would be!
    --
    "People will pay big bucks for the luxury of ignorance."
  5. Robust mail system, no problem. by Frater 219 · Score: 2, Informative

    Yesterday, we rejected some thousands more emails than we usually process on a weekday. Our mail exchangers -- two Dell PowerEdge 2450s with Debian, Postfix, and SpamAssassin -- usually make between 30k and 45k deliveries each day, and reject between 4500 and 5500 messages as spam.

    Yesterday, we made the usual 40k deliveries, but additionally rejected 52k messages, most due to the Mydoom outbreak. Over 29k of those rejections were "user unknown"; 13.6k were based on the strings found in the body of Mydoom messages, and 3k were based on our general policy of rejecting EXE attachments based on the Base-64-encoded MZ header.

    All spam rejections (including SPEWS and Spamhaus SBL-XBL, plus content filters) totaled only 11% of total rejections.

    Maximum load average was around 2. Our mail system is deliberately overengineered, to provide "utility grade" reliability even under load a lot higher than this worm. (Think "mailbomb".) In fact, given how crappy the electrical service is here, I'd say we do rather better than "utility grade".
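
An added example, not part of any comment above: it checks how the Postfix subject rule quoted in comment 4 behaves on ordinary mail, next to an anchored variant. The anchored pattern and all sample headers are assumptions constructed for illustration, and Python's `re` stands in for Postfix's regexp table matching.

```python
import re

# Pattern as posted in comment 4. Postfix regexp: tables match
# case-insensitively by default, hence re.IGNORECASE.
POSTED = re.compile(r"Subject:.*(hi|hello|test|status|server report)$", re.I)

# Assumed tightening (not from the thread): anchor at the header name and
# require the whole subject to be one of the listed words.
# In a Postfix regexp: table, write [[:space:]] instead of \s.
ANCHORED = re.compile(
    r"^Subject:\s*(hi|hello|test|status|server report)\s*$", re.I
)

# Constructed sample headers: (header line, is it a worm-style subject?)
SAMPLES = [
    ("Subject: hi", True),
    ("Subject: Server Report", True),
    ("Subject: test", True),
    ("Subject: Q4 project status", False),
    ("Subject: Results of the load test", False),
    ("Subject: Directions to Delhi", False),     # ends in "hi"
    ("Subject: Re: hello", False),
    ("X-Original-Subject: hi", False),           # a different header
]


def evaluate(pattern, samples=SAMPLES):
    """Return (false_positives, false_negatives) for one pattern."""
    fp = [h for h, worm in samples if not worm and pattern.search(h)]
    fn = [h for h, worm in samples if worm and not pattern.search(h)]
    return fp, fn


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        fp, fn = evaluate(pat)
        print(f"{name}: {len(fp)} false positives, {len(fn)} false negatives")
        for header in fp:
            print(f"  would reject legitimate mail: {header!r}")
```

Because `.*` sits between the header name and the word list, the posted rule rejects any subject that merely ends in one of the words; anchoring both ends limits the rejection to subjects that consist of nothing else.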