Thoughts on W32.Sobig.F@mm and spam
I have a spam filter tuned like those Honda Civics you see with a lowered suspension and a 400 horsepower motor. It’s not pretty, but it works:
- I stay current with the latest version of SpamAssassin.
- Every email address in my address book, except my own, is added to the whitelist.
- The threshold for flagging a message as spam has been cut in half, from the default score of 5.0 to 2.5.
- I’ve thrown tens of thousands of messages at the Bayesian classifier, including my archive of email receipts, mail from friends, etc.
- I have a procmail filter that looks for the signature of Windows executables (probably a worm) and files them into the Spam folder (since it might not be a worm).
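The executable check from the last item, written out as an added example rather than the author’s procmail recipe: a structural test on the decoded attachment (the `MZ` DOS stub and, when present, the `PE\0\0` header it points at) alongside the cheap procmail-style check on the raw base64 text, run against a constructed message carrying a harmless stub named details.pif.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

def executable_kind(data: bytes) -> Optional[str]:
    """Classify a decoded attachment: 'PE' (Win32 image), 'MZ' (DOS stub only) or None."""
    if data[:2] != b"MZ":
        return None
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "MZ"

def find_executable_attachments(raw: bytes) -> list[str]:
    """Decode every MIME part and report the filenames that carry a Windows executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload and executable_kind(payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits

# Cheap procmail-style check: 'MZ' plus any third byte base64-encodes to 'TV' followed by
# one of g..v, and it sits at the start of the first body line of the encoded attachment.
B64_MZ_PREFIX = re.compile(rb"(?m)^TV[g-v]")

def base64_prefix_hit(raw: bytes) -> bool:
    return B64_MZ_PREFIX.search(raw) is not None

def build_sample(with_exe: bool = True) -> bytes:
    """Constructed test message (not a real worm): a minimal MZ/PE stub attached as details.pif."""
    m = EmailMessage()
    m["From"] = "forged@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Re: Details"
    m.set_content("Please see the attached file.")
    if with_exe:
        stub = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)  # 0x40-byte DOS header
        struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew -> PE header follows
        stub += b"PE\x00\x00" + b"\x00" * 20
        m.add_attachment(bytes(stub), maintype="application",
                         subtype="octet-stream", filename="details.pif")
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample()
    print(find_executable_attachments(raw), base64_prefix_hit(raw))  # ['details.pif'] True
```

The structural check is the one to trust; the base64 prefix check is only a fast pre-filter and misses attachments that are not base64-encoded.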
I get about 200 messages per day in my spam folder. I get 1 or 2 pieces of spam per month in my inbox. False positives are about as common as false negatives – invariably a mailing from some commercial site with which I’m doing business – and easily trained away.
I haven’t really worried about spam since this got going. Every time I get a misclassified message I retrain it, and it’s definitely getting better over time (e.g. false positives used to be closer to 5 per month). I do encourage everyone who can to set up a similar system. I feel sorry for those who can’t, and kind of wonder about those who can but don’t.
A while back, before this setup had really hit its stride, I went through my site and fixed up the email addresses to all be non-functional without some human intervention (try clicking on a link to see what I mean). This had absolutely no effect on the amount of spam I received. My guess is that spammers already had my address in their lists, so all I was preventing was the address being picked up by new scans.
However, I haven’t received a single instance of the Sobig.F virus. I’ve received bounces from it, but no copies of it. From this I deduce:
- The virus is not working from a set list of targets. It’s building a target list from local information and forging both the From: and To: addresses (i.e. if you are infected it will not send out as you, but it will send mail from and to all the addresses it can find on your hard drive).
- The worm does not care if mail to the To: recipient bounces; the bounce then goes to the forged From: address.
- Not having your email address on your web page will make it much less likely that this worm will send you mail.
- Update: Derek reports the worm constructs its address list by scanning your hard drive for email addresses in various file types including cached web pages.
So the long and short of this is, if you want to avoid this kind of worm:
- Run a spam filter with all the bells and whistles.
- Filter for Windows executables and treat them as spam.
- Don’t leave your email address lying around online.
and if you want to avoid sending this kind of worm:
- Get a Mac :)