We're all getting blasted with the MyDoom/Novarg mass mailer worm right now. While SpamFilter is designed for just that purpose -- filtering spam -- we're finding that it can also be used to filter SOME messages that are created by mass-mailer worms of this type. Even if you've got an email virus scanner or filtering application (you really should), there may be a performance benefit to eliminating as much traffic as possible at the gateway, before it reaches these downstream servers. The following method seems to be providing a performance benefit for us.
Anyone using the "Authorized TO" whitelists filter, or choosing to "tag & deliver" rather than disconnecting or quarantining messages... this doesn't apply to you. Likewise, anyone running a mail system where the users can pick their own names can stop reading this post now -- this idea won't be of much benefit to you. But for the rest of us, this might prove useful.
The MyDoom/Novarg worm attempts to spread itself in the customary ways these worms usually work (address books, P2P file-sharing systems, etc.), but it also has an "address guess" function that attempts to create email addresses. It does so by attaching the following names to whatever domain names it can find in the infected user's address book(s):
adam alex alice amie an andrew anna bill bob brenda brent brian claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john jose julie kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg smith stan steve ted tom
Thus, your SpamFilter logs might be showing a lot of traffic to john@yourdomain.com, ted@yourdomain.com, maria@yourdomain.com, and other non-existent user names from the list above. If none of these names are valid accounts on your mail system, you have the option of adding these names to your "TO Emails" blacklist filter. You can specify the domain when listing them in the TO Emails blacklist... examples:
john@yourdomain.com ted@yourdomain.com maria@yourdomain.com
-- or if you have multiple domains, use a wildcard to cover all of them --
john@* ted@* maria@*
This will effectively stop SpamFilter from forwarding MyDoom/Novarg-generated messages addressed to these bogus users on to your destination server. This procedure is most beneficial if "Do not quarantine rejected emails from this blacklist" is checked (enabled) on the "TO Emails" blacklist filter. But even if you are quarantining these messages, there might be a performance benefit to stopping them at the quarantine and not continuing to pass these infected messages downstream to your virus scanner, mail server, etc.
To reiterate... be careful -- do NOT list any of the above names that correspond to valid users on your email domains!
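As an added illustration (not part of the original post or of SpamFilter itself), the script below builds the "TO Emails" blacklist entries from the worm's name list while automatically skipping any name that is a real mailbox, and then shows how a wildcard entry like `john@*` matches a recipient. The list of valid users and the sample recipients are constructed for the example; `valid_users` is whatever your own mail system reports.

```python
import fnmatch

# Names the MyDoom/Novarg address-guess routine tries (list from the post above).
MYDOOM_GUESS_NAMES = """adam alex alice amie an andrew anna bill bob brenda brent brian
claudia dan dave david debby fred george helen jack james jane jerry jim jimmy joe john
jose julie kevin leo linda maria mary matt michael mike peter ray robert sam sandra serg
smith stan steve ted tom""".split()


def build_to_blacklist(valid_users, domains=None):
    """Return 'TO Emails' blacklist entries for every guessed name that is NOT a
    real mailbox. valid_users: local-parts that exist on your mail system
    (compared case-insensitively). domains: your domain names, or None to emit
    a single 'name@*' wildcard entry per name covering every domain you host."""
    valid = {u.lower() for u in valid_users}
    targets = list(domains) if domains else ["*"]
    return [f"{name}@{dom}"
            for name in MYDOOM_GUESS_NAMES if name not in valid
            for dom in targets]


def is_blocked(recipient, blacklist):
    """True if the recipient matches any blacklist entry. A '*' in the entry
    matches any text, so 'john@*' blocks john@ on every domain; an entry with
    no wildcard only matches that exact address."""
    rcpt = recipient.lower()
    return any(fnmatch.fnmatchcase(rcpt, entry.lower()) for entry in blacklist)


if __name__ == "__main__":
    # Constructed example: 'john' and 'bob' really exist here, so they must
    # NOT be blacklisted (see the warning above); the other 47 names are bogus.
    entries = build_to_blacklist(valid_users=["John", "bob"])
    print("\n".join(entries))
    for rcpt in ["ted@yourdomain.com", "john@yourdomain.com", "Alice@Other-Domain.net"]:
        print(rcpt, "->", "blocked" if is_blocked(rcpt, entries) else "allowed")
```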
Email system setups vary dramatically, and this will not work for everyone. It's just an idea for using a tool at your disposal to tackle a problem we're all facing. This will NOT stop the MyDoom/Novarg virus altogether -- it's not intended to do that -- it just uses SpamFilter to cut down on some of the junk virus traffic at the front-end gateway, which may improve the overall performance of the downstream mail system.