Spam Filter ISP Support Forum


Using SF to help block MyDoom/Novarg virus

JimMeredith (Guest Group)
Posted: 27 January 2004 at 2:38am

We're all getting blasted with the MyDoom/Novarg mass mailer worm right now.  While SpamFilter is designed for just that purpose -- filtering spam -- we're finding that it can also be used to filter SOME messages that are created by mass-mailer worms of this type.  Even if you've got an email virus scanner or filtering application (you really should), there may be a performance benefit to eliminating as much traffic as possible at the gateway, before it reaches these downstream servers.  The following method seems to be providing a performance benefit for us.

Anyone using the "Authorized TO" whitelists filter, or choosing to "tag & deliver" rather than disconnecting or quarantining messages... this doesn't apply to you.  Likewise, anyone running a mail system where the users can pick their own names can stop reading this post now -- this idea won't be of much benefit to you.  But for the rest of us, this might prove useful. 

The MyDoom/Novarg worm attempts to spread itself to users in the customary ways that these worms usually work (address books, P2P file sharing systems, etc.) but also has an "address guess" function that attempts to create email addresses.  It does so by attaching the following names to whatever domain names it can find in the infected user's address book(s):

adam
alex
alice
amie
an
andrew
anna
bill
bob
brenda
brent
brian
claudia
dan
dave
david
debby
fred
george
helen
jack
james
jane
jerry
jim
jimmy
joe
john
jose
julie
kevin
leo
linda
maria
mary
matt
michael
mike
peter
ray
robert
sam
sandra
serg
smith
stan
steve
ted
tom

Thus, your SpamFilter logs might be showing a lot of traffic to john@yourdomain.com, ted@yourdomain.com, maria@yourdomain.com, and other non-existent user names from the list above.  If none of these names are valid accounts on your mail system, you have the option of adding these names to your "TO Emails" blacklist filter.  You can specify the domain when listing them in the TO Emails blacklist... examples:

john@yourdomain.com
ted@yourdomain.com
maria@yourdomain.com

-- or if you have multiple domains, use a wildcard to cover all of them --

john@*
ted@*
maria@*

This will effectively stop SpamFilter from forwarding MyDoom/Novarg-generated messages addressed to these bogus users to your destination server.  This procedure is most beneficial if the "Do not quarantine rejected emails from this blacklist" option is checked (enabled) on the "TO Emails" blacklist filter.  But even if you are quarantining these messages, there might be a performance benefit to stopping them at the quarantine and not continuing to pass these infected messages downstream to your virus scanner, mail server, etc.

To reiterate... be careful -- do NOT list any of the above names that correspond to valid users on your email domains!

Email system setups vary dramatically, and this will not work for everyone.  It's just an idea for using a tool at your disposal to tackle a problem we're all facing.  This will NOT stop the MyDoom/Novarg virus altogether -- it's not intended to do that -- it just uses SpamFilter to cut down on some of the junk virus traffic at the front-end gateway, which may improve the overall performance of the downstream mail system.
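
A worked version of the procedure above, added here as an example and not SpamFilter's own code: it builds the "TO Emails" blacklist from the address-guess names while skipping any name that is a real mailbox (the warning at the end of the post), then applies both the per-domain form and the user@* wildcard form to RCPT TO addresses pulled from SMTP-style log lines. The account list, the log line format and the log lines themselves are constructed for the demonstration, and SpamFilter's own wildcard handling is assumed to be a plain local-part plus domain match.

```python
import re

# Local-part names the post lists as MyDoom/Novarg's address-guess dictionary.
MYDOOM_GUESS_NAMES = (
    "adam alex alice amie an andrew anna bill bob brenda brent brian claudia "
    "dan dave david debby fred george helen jack james jane jerry jim jimmy joe "
    "john jose julie kevin leo linda maria mary matt michael mike peter ray "
    "robert sam sandra serg smith stan steve ted tom"
).split()


def build_to_blacklist(guess_names, valid_accounts, domains=None):
    """Build "TO Emails" blacklist entries from the guess names.

    valid_accounts: full addresses that really exist (case-insensitive).
    domains: if given, emit one 'name@domain' entry per domain and skip only
    the exact addresses that exist; if None, emit the 'name@*' wildcard form,
    which covers every domain, so a name is skipped when it exists on ANY domain.
    """
    valid = {a.lower() for a in valid_accounts}
    valid_local = {a.split("@", 1)[0] for a in valid}
    entries = []
    for name in guess_names:
        name = name.lower()
        if domains is None:
            if name not in valid_local:
                entries.append(f"{name}@*")
        else:
            for dom in domains:
                addr = f"{name}@{dom.lower()}"
                if addr not in valid:
                    entries.append(addr)
    return entries


def address_is_blacklisted(addr, blacklist):
    """Match one recipient against entries of the form user@domain or user@*."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return False
    local, domain = addr.split("@", 1)
    for entry in blacklist:
        e_local, e_domain = entry.lower().split("@", 1)
        if e_local == local and (e_domain == "*" or e_domain == domain):
            return True
    return False


# Assumed log line shape: anything containing "RCPT TO:<address>".
RCPT_RE = re.compile(r"RCPT TO:\s*<?([^>\s]+)>?", re.IGNORECASE)


def triage_log(lines, blacklist):
    """Split recipients seen in SMTP-style log lines into (rejected, accepted)."""
    rejected, accepted = [], []
    for line in lines:
        m = RCPT_RE.search(line)
        if not m:
            continue  # MAIL FROM, DATA, etc. carry no recipient
        rcpt = m.group(1).lower()
        (rejected if address_is_blacklisted(rcpt, blacklist) else accepted).append(rcpt)
    return rejected, accepted


# Constructed sample data for the demonstration: real mailboxes and log lines.
VALID_ACCOUNTS = {"bob@yourdomain.com", "jim@otherdomain.net", "support@yourdomain.com"}
SAMPLE_LOG = [
    "2004-01-27 02:38:10 10.0.0.5 RCPT TO:<john@yourdomain.com>",
    "2004-01-27 02:38:11 10.0.0.5 RCPT TO:<TED@yourdomain.com>",
    "2004-01-27 02:38:12 10.0.0.5 RCPT TO:<bob@yourdomain.com>",
    "2004-01-27 02:38:13 10.0.0.9 RCPT TO:<jim@otherdomain.net>",
    "2004-01-27 02:38:14 10.0.0.9 RCPT TO:<maria@otherdomain.net>",
    "2004-01-27 02:38:15 10.0.0.9 MAIL FROM:<someone@example.org>",
]

if __name__ == "__main__":
    bl = build_to_blacklist(MYDOOM_GUESS_NAMES, VALID_ACCOUNTS)
    bad, good = triage_log(SAMPLE_LOG, bl)
    print("blacklist entries:", len(bl))
    print("rejected:", bad)
    print("accepted:", good)
```

Use the wildcard form only when a name exists on none of your domains, because user@* rejects that recipient everywhere; with domains= given, only the exact addresses that exist are skipped, so jim@yourdomain.com is still listed when jim only exists on otherdomain.net.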

Brian Lewis (Guest Group)
Posted: 27 January 2004 at 4:13pm

Does Spamfilter ISP 2.0 beta block attachments?  My server and users are just getting hammered and I need to get something put in place, we are talking thousands of virus messages every hour!!

Groupwise doesn't like it that much  :(

kspare (Senior Member, Canada)
Posted: 27 January 2004 at 4:43pm

Put the following in your blacklist keywords file and it should take care of most of the latest viruses:

Test =)
Here is my photo, that you asked for yesterday.
Important information for you. Read it immediately !
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Perfect bulk email list
My Webshots Photos

JimMeredith (Guest Group)
Posted: 27 January 2004 at 5:09pm

I had to discontinue our evaluation of the 2.0 beta a few weeks ago, but as of the last beta I evaluated, no capability for attachment filtering had yet been included.  Roberto did mention that they would consider adding it into a future release -- see this thread: http://www.logsat.com/spamfilter/forums/showmessage.asp?messageID=2340

We were being hit hard by this virus as well.  Our SpamFilter is now rejecting several of the invalid messages created by the "address guess" capability of MyDoom/Novarg (my earlier post).  You can also utilize the keyword filter to trap the body text content generated by this worm, as outlined in Kevin Pare's post.  This will block a few more of the messages... it may also block messages from anti-virus vendors describing the characteristics of this virus, but that's a small price to pay.

Roberto had even mentioned running a virus scanner program on the SpamFilter machine itself in earlier posts.  We are doing this, but the results have been mixed, and I wouldn't feel comfortable relying on this as my ONLY defense against viruses.

Unfortunately, even after doing all of this, some messages will still get through.  Hopefully, taking these steps will at least cut down on some of the volume and make Groupwise (and your users) a little happier.  The bottom line is that SpamFilter can reduce some of the load, but until attachment type filtering is worked into SpamFilter, it will remain the job of downstream servers to handle worms and viruses.
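
As an added example (not SpamFilter's own keyword matching, whose exact semantics this thread does not describe), here is the body-text check that kspare's keyword list implies, applied to three constructed messages: a worm-style multipart message whose body text is wrapped across two lines, an ordinary business message, and the false positive Jim mentions above, an antivirus advisory that quotes one of the worm's strings. The sample messages, the sender/recipient addresses in them and the whitespace normalisation are assumptions made for the demonstration.

```python
import email
from email import policy

# The phrases kspare posted above, one per line in the blacklist keywords file.
WORM_KEYWORDS = [
    "Test =)",
    "Here is my photo, that you asked for yesterday.",
    "Important information for you. Read it immediately !",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
    "Perfect bulk email list",
    "My Webshots Photos",
]


def _normalise(text):
    """Lower-case and collapse runs of whitespace so a line-wrapped body still matches."""
    return " ".join(text.split()).lower()


def _text_parts(msg):
    """Yield the decoded text of every text/* MIME part; binary attachments are skipped."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def keyword_hits(raw_message, keywords=WORM_KEYWORDS):
    """Return the keywords found in the Subject header or any text part.

    raw_message is the RFC 2822 text as received.  Matching is a plain
    substring test after whitespace normalisation, an assumption about how a
    keyword blacklist behaves rather than a description of SpamFilter's matcher.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    haystack = _normalise(" ".join([msg.get("Subject", "")] + list(_text_parts(msg))))
    return [k for k in keywords if _normalise(k) in haystack]


def should_reject(raw_message):
    """Gateway decision for one message: reject on any keyword hit."""
    return bool(keyword_hits(raw_message))


# Constructed sample messages (not real captures).
WORM_STYLE = """\
From: "postmaster" <postmaster@example.org>
To: john@yourdomain.com
Subject: Error
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The message cannot be represented in 7-bit ASCII encoding and
has been sent as a binary attachment.

--b1
Content-Type: application/octet-stream; name="document.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.zip"

UEsDBBQAAAAIAA==
--b1--
"""

LEGIT = """\
From: alice@example.org
To: support@yourdomain.com
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Hi, attached is the invoice we discussed. Thanks!
"""

# The false positive Jim describes: a vendor write-up that quotes the worm's text.
ADVISORY = """\
From: alerts@av-vendor.example
To: support@yourdomain.com
Subject: W32/Mydoom@MM description
Content-Type: text/plain

The worm's body text is one of several fixed strings, for example:
"Mail transaction failed. Partial message is available."
Do not open the attached .zip or .scr file.
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_STYLE), ("legit", LEGIT), ("advisory", ADVISORY)):
        print(label, "->", "REJECT" if should_reject(raw) else "pass", keyword_hits(raw))
```

The advisory is rejected on exactly the same phrase as the worm message, which is the trade-off Jim describes: a body keyword filter cannot tell a worm from mail that quotes it, so keep the phrases specific and review what the keyword blacklist catches.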

Brian Lewis (Guest Group)
Posted: 27 January 2004 at 6:26pm

That's what I was afraid of :(

I wish they had attachment filtering; not all email servers (Groupwise 5.5.5 included) have attachment filtering, so I must rely on the Spamfilter or some other product to block this junk before it reaches the desktops in the corporation!

Logsat PLEASE!!

LogSat (Admin Group, United States)
Posted: 27 January 2004 at 10:45pm

We have just released a new beta that introduces attachment filtering.

Roberto F.
LogSat Software

LogSat (Admin Group, United States)
Posted: 27 January 2004 at 10:46pm

Jim,

We have just released a new beta that introduces attachment filtering.

Roberto F.
LogSat Software

LogSat (Admin Group, United States)
Posted: 27 January 2004 at 10:46pm

Brian,

We have just released a new beta that introduces attachment filtering.

Roberto F.
LogSat Software

kspare (Senior Member, Canada)
Posted: 29 January 2004 at 9:05am

Does anyone have a reliable list of attachments to block for MyDoom?