Fog Creek Software
Discussion Board

Why didn't SOBIG affect me?

My company's mail server handles around 1,000 e-mails a day, plus another 2,000 that are blocked by DNS blacklists.

So why haven't I seen a single SOBIG or MSBLASTER e-mail?

Our mail server strips all executable attachments. But we still should've received hundreds of "neutered" SOBIG and MSBLASTER e-mails, right? I've been watching the log and noticed nothing out of the ordinary. Just the occasional KLEZ virus.

And since SOBIG forges headers, we should've received bounces from people who (mistakenly) thought we sent the virus.

All our machines run antivirus software. No viruses have been detected. Am I in the virus Twilight Zone?

Nate Silva
Thursday, September 4, 2003

Perhaps you have other "business" problems.

SOBIG gets its address to send AND SPOOF from the address book of victums.

Perhaps the set of infected people do not have you in their address book.

In other words, perhaps you are not important enough to be in their address book...


Thursday, September 4, 2003

You don't advertize on the web, so SOBiIG doesn't get you from cached internet pages, and you're not in many address books.

The email we use for advertising for job candidates has been receiving 20-30 SOBIG affected viruses a day.

Maybe you should start looking for another job before your company folds up :)

Stephen Jones
Thursday, September 4, 2003

So apparently it's not viruses I should worry about. ;-)

Nate Silva
Thursday, September 4, 2003

And BTW MSBLASTER is not an email virus so you wouldn't see it in your email logs. But you would know if you had it :)

Thursday, September 4, 2003

You won't see MS Blaster in your email as it spreads through port 135 and not email. No need to open any email attachments to get infected by that one. Just not updating your system for a few weeks is enough.

If you did not receive any Sobig Fs you probably have anti virus software running on your server or just not a public email address. My last count stands on 40,000, most of all went to 1 rather public email address.

[root@bommel /root]# grep -c "Sobig" /var/log/maillog*

Not really a problem though, as clamav kills them on the server.

What I do get sick about is the hundreds of (automatic) warnings per day from clueless webmasters that think that it is a good idea to warn me about a virus that spoofs its from address.

jan Derk
Friday, September 5, 2003

For a certain period we were getting one Sobig.F bounce every two seconds average.

Just me (Sir to you)
Friday, September 5, 2003

My email address is known to many people, and I get a whole lot of spam so it's on lots of lists but I don't seem to have received a single copy of this virus anyway. I think someone just made it up.

Friday, September 5, 2003

I'm in the same boat as the OP.  I hear about people being affected by these viruses, but I've rarely seen them.  At my work account, I got one of the forged bounces with attachment (which virus was that?) very early on, but our AV stripped the attachment.  And that was it.  I've never seen any on my home account.  I know our IT guys are capable, but are they really that much better than everybody else's IT guys?

Friday, September 5, 2003

Dear JB,
            SoBig gets the majority of its addresses from the Temporary Internet files folder. So unless your email is up on commonly accessed web pages you won't get hit, however many contacts you have

Stephen Jones
Friday, September 5, 2003

So there's the explanation. If Stephen's right, and I bet he is, SOBIG doesn't dredge your address book.

My company doesn't publish e-mail addresses on its web site. (We've got a feedback form that generates a FogBUGZ case.)

Nate Silva
Friday, September 5, 2003

Cause you are one tough SOB

Monday, September 8, 2003

*  Recent Topics

*  Fog Creek Home