How Well are Your Servers Handling MyDoom?
whosyourgeekdaddy asks: "A co-worker was showing me some of the usage stats for a client's Exchange server: it's averaging 630 users and 300,000 emails per day for the last 4 days. This made me want to ask how heavy the workload is for your 'average' Exchange server. Is this typical? MyDoom has upped the usage some, but not a lot. This client is a real estate company, so e-mail is frequently used." Of course, Exchange servers aren't the only ones feeling MyDoom. What kind of statistics have you been seeing from MyDoom, both as a user and as an administrator?
grep "X-Infected: W32/Mydoom.A@mm" rejectlog* | wc -l
11096
All rejected at SMTP time, not mindlessly bounced after the fact.
My server isn't even feeling it.
Seriously, half an hour of internet usage training 2-3 times a year can halve your bandwidth requirements.
(p.s. -- Don't mod me up. I'll only use the karma to troll at +2 later.)
We have about 50 users, we got around 200 viruses in the first 18 hours.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Spamassassin, postfix, and procmail developers - I sit here at home with a beer whilst my Exchange colleagues want to kill themselves right about now.
Thanks.
Once I logged into the e-mail account, I noticed it was a little spammy, but that was to be expected. AOL/Netscape was generous though and gave me a one hundred megabyte POP3 e-mail account.
However, yesterday evening, I noticed an influx of about *2,000* e-mails in about a four hour period. All were related to MyDoom, either with the virus attached or bounces due to forged "from" addresses. Since then, I've been getting an average of 830 e-mails per *hour*. My Netscape e-mail account has reached the 100 megabyte e-mail quota twice so far, with over 13,000 e-mails each time, and after I clean it out, it starts to fill back up again. There's just no end in sight. The e-mail account is completely useless to me now. I should have known bidding on that auction was a bad idea. :( In the meantime, I've had to make the e-mail account whitelisted, meaning it now only accepts e-mail from known e-mail addresses, until I can figure out an equitable solution.
"We are all in the gutter, but some of us are looking at the stars." - Oscar Wilde
Since I don't allow in attachments that end in .pif .exe .scr .com or .bat (including zipped ones... thank you Antigen), there have been precisely zero delivered to anybody's inboxes.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
"How Well are Your Servers Handling MyDoom?" Pretty well. We're thinking of adding another cluster.
Just kidding, lawyers.
_______
2B1ASK1
Our main virus/spam scanning machines are handling it pretty well. We're seeing some increased processor utilisation, but... This is for a site that serves probably 70,000 users, many of whom are, uh, less than careful with their addresses. On a typical day, we process somewhere around 300,000 messages (depending on how frisky the spammers are feeling).
;) I think "drinking from the firehose" about sums it up. It's got 24,000 virus notifications sitting in the mail queue waiting to have their little snippets of info entered into the database ATM.
In the first 24 hours we blocked about 66,000 instances of this beast, and were continuing to receive them at about 3000 - 5000 per hour as of 1700 PST.
Our virus statistics machine wasn't handling things so well, though.
I'm a mail/systems administrator at a small/medium sized ISP. This virus is nothing compared to the onslaught of spam we get. >2 million total messages a day and blocking >1.6 million due to spam. Our virus filter is taking them out no problem, and no we aren't bouncing it =)
For MyDoom 3, and it's starting to feel like it's never going to come out.
Vonal Declosion
One trick which helped ease the burden is that the majority of the emails are coming in with very specific topics: "hi", "hello", "test", "status" and "server report". Added this line to my postfix spamfilter rules and it eased a LOT of the burden immediately:
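The poster's actual rule line is not reproduced above. As an added example (not the poster's rule, and not Postfix source), the block below re-implements how a Postfix header_checks regexp table is evaluated, using an assumed pattern built from the five subjects the comment names and a handful of constructed header blocks, so the anchoring and case-insensitivity choices can be seen working:

```python
import re
from typing import List, Optional, Tuple

# Constructed header_checks-style table (not the poster's own line). The
# Postfix header_checks(5) regexp format is "/pattern/ ACTION [text]"; the
# subjects are the five named in the comment above.
HEADER_CHECKS_TABLE = r"""
# comment lines and blank lines are ignored, as in Postfix lookup tables
/^Subject:\s*(hi|hello|test|status|server report)\s*$/   REJECT Worm-like subject line
"""

RULE_LINE = re.compile(r"^/(?P<pattern>.*)/\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")

Rule = Tuple[re.Pattern, str, str]


def parse_header_checks(table: str) -> List[Rule]:
    """Compile each "/regexp/ ACTION text" line. Postfix regexp tables match
    case-insensitively by default, so IGNORECASE is applied here too."""
    rules: List[Rule] = []
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((re.compile(m["pattern"], re.IGNORECASE), m["action"], m["text"] or ""))
    return rules


def check_headers(rules: List[Rule], raw_headers: str) -> Optional[str]:
    """Apply the table to every header line; the first rule that matches any
    line decides, which mirrors Postfix's first-match semantics per header."""
    for header in raw_headers.splitlines():
        for pattern, action, text in rules:
            if pattern.search(header):
                return f"{action} {text}".strip()
    return None


# Constructed header blocks: two worm-style subjects and two legitimate ones
# that share a word with the blocklist but are not an exact subject match.
SAMPLE_HEADERS = {
    "worm_hi": "From: forged@example.com\nSubject: hi\n",
    "worm_report": "From: forged@example.com\nSubject: Server Report\n",
    "legit_status": "From: agent@example.com\nSubject: Re: status of the Elm St listing\n",
    "legit_hello": "From: agent@example.com\nSubject: hello from the open house\n",
}


def classify_samples() -> dict:
    """Verdict per constructed sample: the REJECT text, or None for accept."""
    rules = parse_header_checks(HEADER_CHECKS_TABLE)
    return {name: check_headers(rules, hdrs) for name, hdrs in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13} -> {verdict or 'accept'}")
```

Anchoring the pattern on the whole subject (`^...$`) is what keeps "Re: status of ..." and "hello from ..." out of the reject pile; a legitimate one-word "test" subject is still rejected, which is the trade-off a rule like this accepts during an outbreak.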
If you're an administrator out there reading this, for the love of whatever god you hold dear TURN OFF YOUR BLOODY VIRUS BOUNCE MESSAGES! I've had as many 'replies' to faked From: headers as virus mails. You're making the problem far worse than it otherwise would be!
"People will pay big bucks for the luxury of ignorance."
Reminds me of that dell commercial where users had to go through computer boot camp.
I notice a steady flow of anti-microsoft commentary when an outbreak such as this occurs. Remember... it was the user (is luser appropriate here?), and not microsoft that "stuck the needle in their arms."
During times like this - I think back to the amount of times I've ever gotten infected by a virus... none, I've never used AV software and probably never will - I just don't have a need, just like many other slashdotters.
Why is this, you ask? Easy, because we know better. All of the hours spent in front of our boxes have allowed us to develop a trained eye... quick to point out a bullshit email subject or attachment.
The common user does not know any better and keeps infecting themselves with the virus of the month. AV software isn't always of help because viruses are created faster than the AV companies can update their definitions.
The solution lies in user training. How can mass user training be accomplished? I think OSes, after being installed or used for the first time, should offer (or mandate) a presentation on secure computer usage: what to look out for, and things not to do when on the computer, such as give out credit card info or fall for Nigerian scams.
Yesterday, we made the usual 40k deliveries, but additionally rejected 52k messages, most due to the Mydoom outbreak. Over 29k of those rejections were "user unknown"; 13.6k were based on the strings found in the body of Mydoom messages, and 3k were based on our general policy of rejecting EXE attachments based on the Base-64-encoded MZ header.
All spam rejections (including SPEWS and Spamhaus SBL-XBL, plus content filters) totaled only 11% of total rejections.
Maximum load average was around 2. Our mail system is deliberately overengineered, to provide "utility grade" reliability even under load a lot higher than this worm. (Think "mailbomb".) In fact, given how crappy the electrical service is here, I'd say we do rather better than "utility grade".
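Two posters above describe content filters that do not depend on signatures: the extension blocklist that also looks inside zipped attachments (the Antigen comment), and this poster's rejection of EXE attachments on the Base64-encoded MZ header. As an added example (not code from either poster or from their mail systems), the Python block below combines both checks in one MIME attachment inspector and runs it over a constructed message whose attachments (a harmless note, an executable stub renamed .txt, and a zip carrying a .pif) are built inline:

```python
import base64
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List

# Extension blocklist from the thread; checked on the attachment name and on
# every member name inside a zip attachment.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}
MZ_MAGIC = b"MZ"  # first two bytes of a DOS/Windows executable


def base64_prefix(data: bytes) -> str:
    """First two base64 characters of data. 'M' and 'Z' fix the first 12 bits
    of the encoding, so any base64 body that begins with an MZ header starts
    with 'TV'; that is what a filter keyed on the encoded text looks for."""
    return base64.b64encode(data)[:2].decode("ascii")


def has_blocked_extension(name: str) -> bool:
    lower = name.lower()
    return "." in lower and ("." + lower.rsplit(".", 1)[-1]) in BLOCKED_EXTENSIONS


def inspect_attachment(filename: str, payload: bytes, encoded: str = "") -> List[str]:
    """Return the reasons (if any) to reject one attachment, given its name,
    decoded bytes and, when it was base64, the still-encoded text."""
    reasons = []
    if has_blocked_extension(filename):
        reasons.append(f"blocked extension: {filename}")
    if encoded.lstrip().startswith("TV"):
        reasons.append("base64 text starts with 'TV' (encoded MZ header)")
    if payload[:2] == MZ_MAGIC:
        reasons.append("decoded content starts with MZ header")
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if has_blocked_extension(info.filename):
                    reasons.append(f"blocked extension inside zip: {info.filename}")
                try:
                    with zf.open(info) as member:  # read only the magic, never the whole member
                        if member.read(2) == MZ_MAGIC:
                            reasons.append(f"MZ header inside zip: {info.filename}")
                except (RuntimeError, zipfile.BadZipFile):
                    reasons.append(f"unreadable zip member (encrypted/corrupt): {info.filename}")
    return reasons


def inspect_message(raw: bytes) -> Dict[str, List[str]]:
    """Map each offending attachment filename to its rejection reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: Dict[str, List[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        cte = part.get("Content-Transfer-Encoding", "").lower()
        encoded = str(part.get_payload()) if cte == "base64" else ""
        reasons = inspect_attachment(name, part.get_payload(decode=True) or b"", encoded)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: a harmless text note, an executable stub renamed
    .txt, and a zip that carries a .pif. None of this is real worm content."""
    fake_exe = MZ_MAGIC + b"\x90\x00" + b"\x00" * 60  # constructed PE-like stub
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("document.pif", fake_exe)
    msg = EmailMessage()
    msg["From"] = "forged-sender@example.com"
    msg["To"] = "agent@example.com"
    msg["Subject"] = "hi"
    msg.set_content("constructed body text")
    msg.add_attachment("just notes\n", filename="notes.txt")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="readme.txt")
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Checking the decoded bytes catches an executable whatever it is named, while the 'TV' prefix check shows why the poster's filter can reject at SMTP time without decoding the body at all; looking into the zip is what closes the gap the Antigen comment points at, since a .pif inside an archive never shows up in the outer filename.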