On Thu, Sep 11, 2003 at 04:36:02PM -0400, Steven W. Orr wrote:
> that I can just add?

The point is moot. Sobig.F expired on 10-Sep-2003, due to an internal timebomb.

That being said, SpamAssassin-2.55 caught Sobig.F just fine for me, no local tuning required. See http://vvv.koehntopp.de/rrd/krismailsize-1month.png for some fancy graphics (I count Spam for each day and reset the mailbox at midnight, thus the spikes). I get about 2 megs of regular Spam a day, and got 80-120 megs a day during the Sobig.F wave. This is for a single mail address (albeit one that is ancient and well indexed in Google and Google Groups, and in many people's address books, thus the volume of Spam I receive).

See http://vvv.koehntopp.de/spamstat/ for another type of statistics, showing nicely the very sharp Sobig.B spike around day 100. Sobig.B was able to load the second and third stage payloads from its built-in web server lists, turning the infected hosts successfully into Spam Multiplier and DDoS Zombie networks as well as banking keyloggers. Second and third stage Sobigs do not spam any more, thus the spike is very sharp and pronounced.

Sobig.F was not able to get second and third stage payloads, thus producing a much wider and higher spike around day 240, because all the infected first stage systems were spamming at record rates, and no mechanism besides the timed shutdown was available to keep them off the net.

Note how neither Antivirus program vendors nor Antiterror/Cyberthreat agencies nor local providers had a usable strategy to deal with this: The spike goes on for three weeks straight, producing a 60-fold increase in mail volume for my address until the end.

There is currently no mechanism at all that is part of the Internet which can lock out machines that are dangerous or detrimental to the functions of the network. There are no processes in place that identify users of infected systems and keep them off the network. It is pure luck and the foresight of the Sobig.F author to timebomb his experimental cyberweapon that we still have a functioning network.

Kristian

Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk