30 virus attacks in 2 hours! - W32.Sobig.F@mm

After the blaster another one mass mailing virus!


lasko

4:15 pm on Aug 19, 2003 (gmt 0)

The virus W32.Sobig.F@mm is really quite recent; however, Symantec have just upgraded it to nearly the same level as Blaster.

For some reason in the last two hours I have received 30 attacks, all of which were stopped by Norton with no problems.

The virus is sending itself to any email address found in html, htm, txt files and more on the internet.

So now I am taking all my addresses off all my high-ranking web sites and using PHP to protect my email accounts.

Has anyone else seen a sudden increase of attacks from this virus?

What a week it's turning out to be :(

Visit Thailand

12:26 am on Aug 21, 2003 (gmt 0)

**** just woke up and was praying it would have abated but no such luck, just as bad if not worse than yesterday.

Mind you, I had a great dream about the many different things that could be done to people that write and distribute these viruses! It was sick!

Anything that does not remotely look like a legit email is being deleted. ****

ADD IN - and in case nobody has noted there seems to be some MS Critical updates available.

kellytps

12:34 am on Aug 21, 2003 (gmt 0)

<<Anything that does not remotely look like a legit email is being deleted>>

This is what most of us have to do, but I almost deleted an order for advertising, an inquiry from a journaler and someone writing to tell me about my url in their newsletter.
subjects:
leader boards
bad link
newsletter mention

I also used to delete (no subject) emails, but even that is risky. Sometimes I spend more time on the subject than the email in the hopes that it won't be deleted before it's read.

:)
Kelly

webguybri

1:50 am on Aug 21, 2003 (gmt 0)

We are getting hammered with 7000 emails today alone. Our web admin is writing a program that gathers the IP addresses that the emails are coming from (so far over 1000) and blocks them at our firewall.

MarkHutch

2:26 am on Aug 21, 2003 (gmt 0)

Just a suggestion. You might want to reconsider the decision to block IP addresses at the firewall level because of this virus. Since most IP addresses are dynamic, instead of static, you might just be wasting your time and blocking potential customers. If your server isn't for profit, then that might not be a big issue.

P.S. In addition to all the ISP "you've got a virus" messages, we have now started to get hundreds of "Out of the office" messages, too.

Visit Thailand

2:52 am on Aug 21, 2003 (gmt 0)

What do you all recommend: is it wise to send out newsletters at the moment? We have a popular daily newsletter, but I am concerned people may be getting annoyed about the amount of rubbish they are receiving and would prefer it if I did not send it out for a few days. I am also concerned about being incorrectly added to a spam list when people have increased their spam and blocking tools. What do you think?

jimbeetle

3:04 am on Aug 21, 2003 (gmt 0)

is it wise to send out newsletters at the moment

Probably not.

The one good thing that I have noticed today is NO SPAM. Seems like all the spammers decided to take a holiday until this dies down. Might be the one time that there can be a lesson learned from those folks.

MarkHutch

3:37 am on Aug 21, 2003 (gmt 0)

Latest on this new virus:

Sobig Virus Spread is Fastest Ever [news.yahoo.com]

Visit Thailand

3:48 am on Aug 21, 2003 (gmt 0)

"People throw up their hands," said Andy Ellis, chief security architect at Akamai Technologies Inc. "There's only so many things people can focus on at one time."

Amen, it has been like a continual Mexican Wave in the office here!

onedumbear

3:50 am on Aug 21, 2003 (gmt 0)

Please excuse me if my question is ignorant...
Am I to understand that because I have "cached" pages on the internet with my email address, it would not do any good to remove my email address from my web site?

MarkHutch

4:04 am on Aug 21, 2003 (gmt 0)

I think this virus scans an infected user's Internet Explorer cache looking for email addresses to send to and to spoof as the return address. So, if an infected user has visited your web site and still has a copy of your web page in their cache, and that page has your email address on it, then your address will probably be used to continue the virus chain. If I'm wrong, please someone correct me.

onedumbear

4:09 am on Aug 21, 2003 (gmt 0)

thanks mark, this is what ww is all about to me, people helping people, or is that the united way?
thanks again

MarkHutch

4:17 am on Aug 21, 2003 (gmt 0)

thanks mark, this is what ww is all about to me, people helping people, or is that the united way?

I think both. You're welcome. We have been hit really hard by this one. I can only imagine what is happening to websites that have hundreds of thousands of visitors per day and have their email link listed on their main page. This must be terrible for them.

Rodney

4:42 am on Aug 21, 2003 (gmt 0)

Have any of the webmasters here with their own server figured out a procmail recipe for blocking the Sobig.F worm at the server level and sending it to /dev/null?

Buried in the options on NAV is an option to "Try to delete then quarantine silently." I believe it is under "Options >> Email".

Thanks for this! Before, all my email stopped downloading if I wasn't around to click the Finish button.

In my version of NAV, I just right clicked on the icon in the task bar, clicked Configure Norton > then in the left column of the window that popped up I click Email > then changed the setting to Repair, then quietly quarantine if unsuccessful.

Now they just get deleted and sent to the trash.

I'd still like to find a way to filter them at the server level like I have with the sircam virus.

[edited by: Rodney at 7:19 am (utc) on Aug. 21, 2003]

kmarcus

4:43 am on Aug 21, 2003 (gmt 0)

you'd think the guy who wrote it would be getting paid better if he found a better use for his time, eh?

More interesting though:

- could a worm fight a worm? why not hack the worm to have it disinfect computers it finds.

- software distribution -- who needs kazaa when you can blast to everyone. :)

I just think this shows all the big gaping holes in SMTP and the way this 20+ year old protocol works. We need services to verify and authenticate senders before messages are allowed to pass through. In many cases, the cost is huge because people are paying for their bandwidth and might not realize it is being used...

Net_Wizard

5:31 am on Aug 21, 2003 (gmt 0)

Woke up this morning with over 2,000 emails...I thought my products have suddenly become so popular ;)

What is really annoying, aside from the virus emails, are the autoresponders or those anti-virus notifications (your email contains blah blah blah). People should just turn off autoresponders or notifications, since it is using the 'Reply To' part of the email, which we all know is easily faked.

Visit Thailand

5:40 am on Aug 21, 2003 (gmt 0)

Does anyone know the difference in NAV between quarantine silently and delete silently? Which is better to use, and why?

billus

6:37 am on Aug 21, 2003 (gmt 0)

No infection, but I'm getting numerous hits on ports 1, 23, 53, 137, 139, 443 and 554. A good number of them are coming from "source port 666."

I've noticed at least one machine on QWEST, obviously with a lotta bandwidth, is infected.

WebStart

6:46 am on Aug 21, 2003 (gmt 0)

SoBig virus emails still going strong with me, at Aug 21 am EST, about 700 - 1000 emails per day last few days. I guess, until Microsoft wakes up and fixes its problems we will all have to bear this. And it's interesting, until I just logged in to Webmaster World, I have not heard anything about Microsoft acknowledging it has a problem or trying to fix it. And not one word from McAfee which I use as a firewall, and virus scanner, warning about this huge attack.

And not one word from my ISP -- which must be aware of the attack. Nothing, nothing from the "industry" warning about this attack and this virus.

They must really be stupid, or overwhelmed. Or just don't care. But I suspect they will have to care at some point.

As to webguybri's comment: <we are getting hammered with 7000 emails today alone. our web admin is writing a program that gathers the IP addresses that the emails are comming from (so far over 1000) and blocks them at our firewall.>

The problem with that is the virus steals email addresses, and while you might be blocking unwanted emails now, you have just blocked 1000 true email addresses that might at some point want to email you.........in the future. You may even be blocking former customers' email addresses...

Am I wrong with that thought?

Natashka

7:03 am on Aug 21, 2003 (gmt 0)

I am also hit hard on one of my popular sites, like 2-3 viruses every minute! Deleted thousands of those... I just don't understand something: other viruses are also sending themselves to email addresses found in Temporary Internet Files, I know that because I was always getting viruses from my visitors (i.e. not from their Address Book but from my webpage), so how is this one different? And to my understanding, folks have to actually click on the attachment to execute it, not like other viruses that were executed automatically in unpatched Outlook Express. I cannot believe it, so many people have actually OPENED that stupid virus?! Why, what's so special about it? The email subject and the attachment's name are nothing attractive...

And my webhost doesn't even allow me to delete this email address or to set some quota. When I try to do so, the viruses don't return back to sender, or to outer space, or to hell, but accumulate in some spool/mqueue folder on my account, counting towards my webspace, and I cannot even delete them from there (550 permission denied)!
Nightmare...

rise2it

7:47 am on Aug 21, 2003 (gmt 0)

Hi Guys....part of the problem is I just spoke with my hosting company, who is doing NOTHING to stop this thing. Since all of these have the same 6 or 7 subject lines, it should be an easy task for people running the mail servers where we have our sites hosted to set up 6 or 7 simple filters and block this crap.

Am I missing something here....

lasko

8:10 am on Aug 21, 2003 (gmt 0)

Scan your Systems again!

Yesterday I scanned and I was clean. Suddenly I had a wave of attacks from the virus and Norton was struggling to cope.

In my 2nd scan of the day one virus managed to creep in, which was the screen saver version.

Norton deleted the virus found.

Since then I have not had a single attack, although my Firewall is working damn hard.

After my 3rd scan I am still clean and no more attacks so far, but I am not too overconfident yet; far too early to judge.

One thing is my hosting company has just launched last night a new program to block certain emails with file attachments ending in whatever file extension you request to block, like .pif which seems to be the favorite in this virus.

Hosting companies should be able to do more for you, I mean it must be in their interest also to prevent these crazy attacks.

rise2it

8:35 am on Aug 21, 2003 (gmt 0)

re: hosting companies: ...it must be in their best interest..

agreed!

When every customer they have is getting bombed with 2000 of these a day, with just a few subjects and attachments which are all the same size (around 100k), it should be easy for them to set up a few filters and delete them from the mailserver BEFORE we ever see them, and are forced to download and deal with them.

In this situation, their fear of accidentally deleting a non-spam email by accident is idiotic.

If I were running a mail server for hundreds of clients, I believe I'd risk one false positive to delete 100,000 infected emails!

lasko

8:54 am on Aug 21, 2003 (gmt 0)

How they have done it is that you insert a file extension you don't want to receive; it then stores it in a folder in your site directory.

Once stored, the program emails you a notification. You can delete or add as many file extensions as you like.

It looks like they had planned this for sometime and not just a direct result of this new wave of attacks.

Any hosting companies that do not offer this may have only just started to think about creating such a service.

I would recommend everyone to put pressure on their hosting to come up with such a program, whereby you are in control and the hosting company will not get the blame for filtering our good emails.

By the way, after my many scans and making a point that I have no longer received any more viruses, another one just said hello to me, but was stopped by Norton. Without Norton or any other virus checker we would all be in a big mess (or in a bigger mess than we already are in).
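A server-side attachment-extension quarantine of the kind lasko's host describes above and rise2it asks for, written here as an added example (not code from the thread or from any hosting provider). It assumes the .pif extension named in the thread plus .scr for the "screen saver version"; the sample message is constructed, not a real capture.

```python
"""Attachment-extension quarantine filter (added example, not from the thread)."""
import email
import email.policy
import os
import tempfile
from email.message import EmailMessage

# Extensions the mailbox owner refuses: .pif is named in the thread;
# .scr is assumed for the "screen saver version" lasko mentions.
BLOCKED_EXTENSIONS = {".pif", ".scr"}


def blocked_attachments(raw, blocked=BLOCKED_EXTENSIONS):
    """Yield (filename, decoded bytes) for attachments with a blocked extension."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in blocked:
            yield name, part.get_payload(decode=True) or b""


def quarantine(raw, folder, blocked=BLOCKED_EXTENSIONS):
    """Store blocked attachments under `folder`; return (deliver, notice_text)."""
    stored = []
    for name, data in blocked_attachments(raw, blocked):
        os.makedirs(folder, exist_ok=True)
        # Suffix the stored copy so a stray double-click cannot launch it.
        with open(os.path.join(folder, name + ".quarantined"), "wb") as fh:
            fh.write(data)
        stored.append(name)
    if not stored:
        return True, None  # nothing matched: deliver the mail untouched
    hdr = email.message_from_bytes(raw, policy=email.policy.default)
    notice = "Blocked %s from %s (subject: %s); stored in %s" % (
        ", ".join(stored), hdr["From"], str(hdr["Subject"]), folder)
    return False, notice


def constructed_sample():
    """A constructed message in the shape the thread describes, not a real capture."""
    m = EmailMessage()
    m["From"] = "forged.sender@example.com"   # the worm forges senders, as posters note
    m["To"] = "webmaster@example.net"
    m["Subject"] = "Re: see attached (constructed)"
    m.set_content("Please see the attached file.")
    # About 100 KB of filler, the size rise2it reports; not an executable.
    m.add_attachment(b"x" * 102400, maintype="application",
                     subtype="octet-stream", filename="attachment.pif")
    return m.as_bytes()


def demo(folder=None):
    """Run the filter over the sample; returns (deliver, notice, files stored)."""
    folder = folder or tempfile.mkdtemp(prefix="quarantine-")
    deliver, notice = quarantine(constructed_sample(), folder)
    return deliver, notice, sorted(os.listdir(folder))
```

Matching on extension alone is deliberately coarse: it catches the variant the thread describes but also any legitimate .pif/.scr attachment, which is why the owner, not the host, picks the list and gets the notice.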

rise2it

8:59 am on Aug 21, 2003 (gmt 0)

I'm not worried about getting infected....I'm as much a firm believer in 'safe email' as I am a believer in 'safe sex'

However, I've never had 100 women an hour throwing themselves at me, so maybe that's not a good comparison!

lasko

9:15 am on Aug 21, 2003 (gmt 0)

David Beckham said that until he went to Asia :)

Anyway...

If any of you have web based email activated on your web site server I would suggest to move over to that for the next few days until it passes away.

Or access your web mail in the morning delete the unwanted ones first then download the emails you want.

leoo24

9:54 am on Aug 21, 2003 (gmt 0)

I think a lot of people are forgetting that this virus has its own SMTP engine.

markd

10:32 am on Aug 21, 2003 (gmt 0)

My company, and our clients have been pummelled by this over the last 72 hrs.

What I would like to say, as a completely independent web marketing and design company, is how well the ISP has handled this which hosts the vast majority of our clients sites.

Not only have they blocked every single one of these emails at their server/SMTP end, they alerted us to the problem.

We, in turn, have been able to reassure (and pre-empt) our clients, and this has been a key factor in preventing the inevitable 'finger of blame' being pointed at the web site, and us by implication, by naive clients who don't understand how this works.

As of 11.30AM GMT on Aug 21st, we haven't had a single email. Hopefully, this means it's on the wane.

lasko

12:40 pm on Aug 21, 2003 (gmt 0)

That's great!

Now I get SPAM mail saying

Protect yourself from the "SoBig" Worm now

buy 'NORTON SYSTEM WORKS 2003' for only $39.95

Talk about trying to cash in on a crisis :(

Disgusting!

dragonlady7

1:18 pm on Aug 21, 2003 (gmt 0)

>>I'm not worried about getting infected....I'm as much a firm believer in 'safe email' as I am a believer in 'safe sex'

However, I've never had 100 women an hour throwing themselves at me, so maybe that's not a good comparison! >>

LOL Rise2it-- that's the funniest thing I've heard in this whole mess!

I haven't launched my site yet, so I've been spared this whole thing, but I've tried and tried to convince the boss to let me obfuscate the email addresses and he won't even consider it. So, I'll be in the same boat with all of you soon. I tried explaining that they'd still work but he says he doesn't want me wasting the time. I'm actually considering doing it on my own time, just to spare us all the hassle of all the spam we get. Ugh...
Anyhow, good luck to y'all... Virus makers should be given cruel and unusual punishment.

jimbeetle

1:51 pm on Aug 21, 2003 (gmt 0)

tried and tried to convince the boss to let me obfuscate the email addresses and he won't even consider it

Bosses and clients, what would we do without them.

Related situation with one client: I munged the e-mail href with ISO encoding and used "this.person at thisdomain.com" as the link text. Their comments? "It looks stupid. Do it the way everybody else does, the way it's supposed to look."

Well, needless to say that all the explanations fell on deaf ears -- even the fact that these folks have never received a piece of spam through these e-mail addies.

Arrgh! So then it's "this.person@thisdomain.com" as a gif, spend time matching the link text color, throw in another gif and a js rollover script to match the hover behaviour, tweak colors again. Looks good.

Their comments? "Why can't we highlight and copy the e-mail address to paste it into an e-mail?" Tried to explain that "You just have to click on the link. You know, where the tool tip says 'Click to send e-mail to..."

Still going round and round with them. Saving grace so far is that they have received no Sobig e-mails. Will it convince them?
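The href munging jimbeetle describes, as an added example (not code from the thread or from the poster): every character of the mailto: link and its text is written as a numeric character reference, so a scraper matching user@domain patterns in the raw page source finds nothing, while a browser decodes the references and the link works. The harvester regex is an assumption standing in for whatever a real address collector uses.

```python
"""mailto: munging with numeric character references (added example)."""
import html
import re

# Assumed: the naive address pattern a scraper might run over raw HTML.
HARVESTER_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def munge(text):
    """Encode every character as a decimal numeric character reference."""
    return "".join("&#%d;" % ord(c) for c in text)


def mailto_link(address, label=None):
    """Return an <a> element whose href and visible text are both munged."""
    label = address if label is None else label
    return '<a href="%s">%s</a>' % (munge("mailto:" + address), munge(label))


def harvest(page_html):
    """What a raw-source scraper sees: no entity decoding is applied."""
    return HARVESTER_RE.findall(page_html)


def browser_view(page_html):
    """What a browser renders the references to (html.unescape stands in)."""
    return html.unescape(page_html)
```

This only defeats harvesters that read raw source without decoding entities; anything that scans the rendered page or a browser cache, as MarkHutch describes for this worm, still sees the plain address.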
