Educause Security Discussion mailing list archives

Re: Sobig Traffic

From: "F.M. Taylor" <ftaylor1 () MYMAIL INDSTATE EDU>
Date: Mon, 8 Sep 2003 12:31:24 -0500

We are using MimeDefang with SpamAssassin and virus scan at our border mail
gateway, before we pass it internally.
  This is working well for us, we strip out executable attachments, scan what's
left for virii, and tag the remaining based on their "spam score".
  While this did cause some FUD when we initially implemented it, this last
round of virii and worms would have decimated our network had we not already put
this in place.
  This had the added benefit of not clogging mail server with the "you sent me
a virus" messages, as virii infected messages are re-directed to the bit bucket.
   For the most part e-mail borne virii are almost completely a thing of the
past here.  There are of course exceptions, as I can't catch everyone, or
implement fully draconian rules, but I try ;)

As a side note I do have to run 5 v100 sun servers to handle the mail cleaning
load ;) We process between 30K-100K messages per day.


Barros, Jacob wrote:

Our exchange server is still getting hit with email messages containing
the Sobig.f virus. The viruses is being deleted but we're losing system
resources in the process.  Do any of you know if there is a way that I
can filter/block those messages before it hits the exchange server? Can
it even be done or should we just ride out the storm.  Am I on the wrong
track in thinking that this bug is on the outside and in fact may be
resident on one of our internal machines?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.


--
Mike Taylor. GSEC/GCFW 'Non Impediti Ratione Cogitationis'
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 052
210 N 7th St.                             Terre Haute, IN.
Voice: 812-237-8843

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Sobig Traffic Barros, Jacob (Sep 08)
- <Possible follow-ups>
- Re: Sobig Traffic Bruhn, Mark S. (Sep 08)
- Re: Sobig Traffic Greg Francis (Sep 08)
- Re: Sobig Traffic F.M. Taylor (Sep 08)
- Re: Sobig Traffic Jamie Aiello (Sep 08)
- Re: Sobig Traffic Greg Graeff (Sep 09)
- Re: Sobig Traffic Scott Bradner (Sep 09)
- Re: Sobig Traffic Bruhn, Mark S. (Sep 09)
- Re: Sobig Traffic Scott Bradner (Sep 09)
- Re: Sobig Traffic Hahn, Jacob (Sep 09)