Greg Hewgill (ghewgill) wrote,
Greg Hewgill
ghewgill

sobig.f

Well it looks like the sobig.f email worm has successfully shut itself down on schedule (it was designed to quit propagating itself on Sep 10). It was active for approximately 21 days. During that time, I received about 80,000 individual messages sent by sobig-infected computers, at approximately 100kB each. That is a total volume of about 8 gigabytes. That is a sustained average bandwidth of about 35 kbits/sec.

I have some graphs that break down the various kinds of spam I receive. Everything else has been dwarfed by sobig for the last three weeks.

A few days after it started, I added some logging to my incoming mail, to keep track of the source of the messages. This logging covers the latest 50,000 or so messages. The top prize goes to 66.0.87.51 which sent me 2,521 individual messages. There were only 2008 different ip addresses which sent me sobig messages. The top 45 ip addresses were responsible for half of the traffic.

The most annoying part of the sobig worm is not the bandwidth usage, though. The worst part is dealing with the hundreds of messages generated by automated "virus" checker email gateways. Several times a day I would manually delete dozens of messages generated by mail gateways that identified a sobig.f message and assumed that my computer was infected because my name was in the From header (sobig.f sends messages with random To and From headers pulled from the Internet Explorer cache of html pages, among other places). I didn't explicitly count these messages, but I estimate approximately 2,000 arrived.

I believe I only received one human response to a sobig message:

From: K Fick <xxxxx@yahoo.com>
Subject: DO NOT SEND ANYMORE MAIL TO THIS ADDRESS AND TAKE ME OFF MAILING LIST!!!Re: Approved


I wonder how many of these responses K Fick wrote before getting tired of it.

It would be really nice if the anti-virus email gateways would avoid sending alarming messages to the purported sender of sobig-generated email. This practice probably exacerbated the problem because lots of people who were not infected with sobig.f (or for technical reasons could not be) received authoritative-sounding messages saying they were. Of course, the anti-virus companies probably love doing this because it drums up interest in their product. But it's really annoying to receive the same anti-virus bounce message dozens of times a day. Apparently sobig isn't very creative and often sends the same messages over and over and over.

Anyway, it's good to have some respite from the flood of junk the sobig worm has generated. I'm sure it's only temporary though; sobig.a through sobig.e were much less effective. Sobig.f raised the bar. I'm expecting sobig.g to be even worse.
Tags: spam
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 7 comments