I've been away on holiday for the last two weeks, and when I got back on Saturday I tried to access my email at work - big, big mistake. I have some procmail filters that catch most of my spam and put them in a separate folder. This filled up with 2Gb (!) of spam - mostly Sobig.F, then procmail wrote another 2.5Gb of spam into some other files for good measure (filling up the filesystem containing my home directory) and then started to dump everything in my inbox - which also filled up to 2Gb. When I tried to open my inbox, the IMAP server blew a fuse and started dropping 2Gb copies of my inbox on the mailserver, which also filled up - then nobody in my office could use email either. Fortunately it was the weekend, so with the help of a friendly IT support person I managed to unclog my home directory and inbox, leaving me with the mind-numbing task of wading through the 35,000 messages that had ended up in my inbox.
After the immediate panic was over I started monitoring the incoming stream of spam. Nearly all of it is Sobig.F or the consequential email bounces caused by it - I'm getting about 1/2Gb of spam (about 6000 messages) a day, which is absolutely ridiculous. Nicholas Clark, a friend of mine, has received over 100,000 copies of Sobig.F since the outbreak started, yet we are told the outbreak is not all that bad!
The direct spams are bad enough, but the bounced emails are the last straw. One of the nasty traits of Sobig.F is that it forges the 'From:' line in the virus-laden emails it spews out. Why do all the people who set up email filtering insist on sending back bounce messages, when 99% of the time the 'From:' address is incorrect? This widespread practice is pointless and only increases the amount of crap clogging up everyone's bandwidth and mailboxes.
Anyway, if anyone else out there in spamland uses procmail, the following recipe will catch Sobig.F:
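    # HB: test the conditions against both the headers and the body;
    # all four must match before the message is delivered to the Spam folder.
    :0 HB
    * ^X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    * ^X-MailScanner: Found to be clean
    * ^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    * ^AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
    Spam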
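The two long body patterns in the recipe are the base64 form of the start of a Windows executable (the DOS "MZ" header and its stub message). The Python sketch below is an added example, not part of the original post: it decodes those two lines and then goes beyond the recipe by checking every decoded MIME part for a PE header instead of matching fixed base64 text. The function names and the sample message are constructed for illustration.

```python
import base64
import struct
from email import message_from_bytes
from email.message import EmailMessage

# The two base64 body lines from the procmail recipe on this page.
RECIPE_LINES = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v",
)

def decode_aligned(line):
    """Decode the longest prefix made of whole 4-character base64 groups."""
    return base64.b64decode(line[: len(line) // 4 * 4])

def looks_like_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def pe_attachments(raw):
    """Return the filenames of MIME parts whose decoded payload is a PE image."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if looks_like_pe(payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits

def build_sample():
    """Constructed message: an inert 68-byte stub with PE magic plus a text file."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(bytes(stub), maintype="application",
                       subtype="octet-stream", filename="stub.exe")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for line in RECIPE_LINES:
        print(decode_aligned(line))
    print(pe_attachments(build_sample()))
```

Unlike the recipe, this check does not depend on the sender's X-Mailer string or on the exact header layout of one particular binary.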