slycat: (Angry Sylvester (Poster))
[personal profile] slycat
This new virus, MyDoom, is doing my head in. Not because my PC is infected, but because it seems everyone else in the world is. I'm getting an increasing amount of emails a day to my furry address, getting near 100 virus emails a day. I didn't realise that a) I'd be on that many people's personal address book and b) They'd be stupid enough to run the attachment. McAfee throws a flid every time I get one of these emails so now I find it easier to disable McAfee and delete them manually. Does anyone know of an effective way of filtering these messages off? My server has SpamAssassin so perhaps there's a way of configuring that to get rid of these emails?

Please let me know, I'm going mad!

Hmm...

Date: 2004-01-29 11:03 pm (UTC)
From: [identity profile] rasetsugalford.livejournal.com
...my server's gone bonkers with it too... although, Hotmail's unaffected for once. O_o

The subject lines are usually things like 'Hi!' or reports from Mailer.Daemons... dunno if that helps though... I'm just gonna keep deleting the bastard things until I'm free...

Date: 2004-01-30 03:29 am (UTC)
gerald_duck: (frontal)
From: [personal profile] gerald_duck
Hmm. Our spamassassin seems to be treating over 90% of them as spam, anyway, and that percentage is increasing as the Bayesian classifier is learning more of the text it uses. If you're on an old version of spamassassin, upgrade. If you're not using the Bayesian classifier, do.

If you're still getting lots of spam, try setting the threshold at 5.0 and putting in a few extra rules in /etc/mail/spamassassin/local.cf (or equivalent) that bung some more points on any addresses that are obsolete, deprecated, or given specifically to organisations likely to hand the address to spammers. For example, from our configuration:

header TO_NOSPAM_ADDR ToCc =~ /\+nospam\+/i
describe TO_NOSPAM_ADDR Recipient is a `nospam' address
score TO_NOSPAM_ADDR 2.0

header TO_DGW_ADDR ToCc =~ /dgw\.co\.uk/i
describe TO_DGW_ADDR Recipient is an old DGW address
score TO_DGW_ADDR 1.0


While you're at it, I'd also recommend adding "score HABEAS_SWE 2.0". Habeas SWE is a nice idea, but when I measured, the other day, fraudulent use of it was responsible for 90% of my misclassified e-mail, and we'd never received a legitimate message that used it.
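Added example, not part of gerald_duck's comment and not SpamAssassin's own code: a simplified Python model of how the two ToCc rules above add points to a message's score and push a borderline message over the 5.0 threshold. The base score of 3.4 (points from all other tests) and the sample addresses are constructed assumptions.

```python
import re
from email import message_from_string

# The two rules quoted in the comment above, in local.cf syntax.
LOCAL_CF = r"""
header TO_NOSPAM_ADDR ToCc =~ /\+nospam\+/i
describe TO_NOSPAM_ADDR Recipient is a `nospam' address
score TO_NOSPAM_ADDR 2.0

header TO_DGW_ADDR ToCc =~ /dgw\.co\.uk/i
describe TO_DGW_ADDR Recipient is an old DGW address
score TO_DGW_ADDR 1.0
"""

HEADER_RE = re.compile(r"^header\s+(\w+)\s+ToCc\s+=~\s+/(.*)/(i?)\s*$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?[\d.]+)\s*$")

def parse_rules(text):
    """Return {rule_name: (compiled_regex, score)} for ToCc header rules."""
    patterns, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            flags = re.IGNORECASE if m.group(3) else 0
            patterns[m.group(1)] = re.compile(m.group(2), flags)
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    # A rule without a score line gets SpamAssassin's default of 1.0.
    return {n: (p, scores.get(n, 1.0)) for n, p in patterns.items()}

def classify(raw_message, base_score, rules, threshold=5.0):
    """Add the address-rule points to base_score (points from all other tests)."""
    msg = message_from_string(raw_message)
    # ToCc is SpamAssassin's pseudo-header: the To and Cc headers together.
    tocc = "\n".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    hits = [n for n, (rx, _) in rules.items() if rx.search(tocc)]
    total = base_score + sum(rules[n][1] for n in hits)
    return hits, round(total, 2), total >= threshold

# Constructed sample messages; the addresses are made up for illustration.
TO_TAGGED = "From: a@example.net\nTo: fred+NoSpam+shop@example.org\nSubject: Hi!\n\nbody\n"
TO_NORMAL = "From: a@example.net\nTo: fred@example.org\nCc: old@DGW.co.uk\nSubject: Hi!\n\nbody\n"

if __name__ == "__main__":
    rules = parse_rules(LOCAL_CF)
    print(classify(TO_TAGGED, 3.4, rules))
    print(classify(TO_NORMAL, 3.4, rules))
```
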

Re:

Date: 2004-01-30 04:35 am (UTC)
From: [identity profile] slycat.livejournal.com
Unfortunately, I don't have that level of access on my server. I only pay $100 a year for hosting. However I can access SpamAssassin through a console (CPanel 8). It's disabled at the moment as other people complained about solicited email getting blocked. Looks like I'll need to re-enable it... but it's got a tolerance level if I remember rightly. What number should I set that to you reckon?

Date: 2004-01-30 05:42 am (UTC)
gerald_duck: (Default)
From: [personal profile] gerald_duck
"but it's got a tolerance level if I remember rightly. What number should I set that to you reckon"

As I said, I set that to 5.0, which is actually pretty aggressive for a company-wide rather than individual setting. However, I tested it on about ten thousand e-mails — both spam and ham — beforehand: the false-negative and false-positive rates were most acceptable at around that point. The complaint rate is very low.

Some SpamAssassin rules

Date: 2004-01-30 10:05 am (UTC)
From: [identity profile] makenshifur.livejournal.com
These may be of some use:-

http://www.timj.co.uk/linux/bogus-virus-warnings.cf

Although not going to help with the virus problem, it gets rid of those pesky virus warnings.

Date: 2004-01-30 07:05 pm (UTC)
From: [identity profile] a-skunk.livejournal.com
I should probably install an antivirus then..... shouldn't I?

Date: 2004-01-30 10:43 pm (UTC)
From: [identity profile] sphelx.livejournal.com
Some programs have filters that automatically dump emails with attachments in/on them, although I can't say I know of any personally.

Re:

Date: 2004-01-31 02:37 am (UTC)
From: [identity profile] slycat.livejournal.com
If you've received an odd looking email recently with a file attached which you then run... yes.

Read more about it here: http://vil.nai.com/vil/content/v_100983.htm

It's the biggest virus in the history of viruses!

Re:

Date: 2004-01-31 01:34 pm (UTC)
From: [identity profile] a-skunk.livejournal.com
Installed Antivirus... No viruses... :)
