Date: 2003-09-10 20:19:00
Tags: spam
Well, it looks like the sobig.f email worm has successfully shut itself down on schedule (it was designed to quit propagating itself on Sep 10). It was active for approximately 21 days. During that time, I received about 80,000 individual messages sent by sobig-infected computers, at approximately 100kB each. That is a total volume of about 8 gigabytes. That is a sustained average bandwidth of about 35 kbits/sec.

I have some graphs that break down the various kinds of spam I receive. Everything else has been dwarfed by sobig for the last three weeks.

A few days after it started, I added some logging to my incoming mail, to keep track of the source of the messages. This logging covers the latest 50,000 or so messages. The top prize goes to which sent me 2,521 individual messages. There were only 2008 different IP addresses which sent me sobig messages. The top 45 IP addresses were responsible for half of the traffic.

The most annoying part of the sobig worm is not the bandwidth usage, though. The worst part is dealing with the hundreds of messages generated by automated "virus" checker email gateways. Several times a day I would manually delete dozens of messages generated by mail gateways that identified a sobig.f message and assumed that my computer was infected because my name was in the From header (sobig.f sends messages with random To and From headers pulled from the Internet Explorer cache of HTML pages, among other places). I didn't explicitly count these messages, but I estimate approximately 2,000 arrived.

I believe I only received one human response to a sobig message:

From: K Fick <>

I wonder how many of these responses K Fick wrote before getting tired of it.

It would be really nice if the anti-virus email gateways would avoid sending alarming messages to the purported sender of sobig-generated email. This practice probably exacerbated the problem because lots of people who were not infected with sobig.f (or for technical reasons could not be) received authoritative-sounding messages saying they were. Of course, the anti-virus companies probably love doing this because it drums up interest in their product. But it's really annoying to receive the same anti-virus bounce message dozens of times a day. Apparently sobig isn't very creative and often sends the same messages over and over and over.

Anyway, it's good to have some respite from the flood of junk the sobig worm has generated. I'm sure it's only temporary though; sobig.a through sobig.e were much less effective. Sobig.f raised the bar. I'm expecting sobig.g to be even worse.

Yep. Let's find the little 12-year-old "l33t h4xx0rz" that write this shit and string them up somewhere where vultures can tear out their livers.

That's my solution, at least.

Don't think for a second that these have been written by a "poor" suburban white pre-teen crying for attention because mommy and daddy are having a marital meltdown on their way to Starbucks.

Take a gander at:

Read before moving on to

Scummy, slimy Capitalists wanting to hawk their cheap bullshit wares piss me off even more than acne-covered, mistreated 12-year-old "h4xx0rz".

I'd probably string up the spammers and use them as an example for the 12-year-old: "THIS WILL HAPPEN TO YOU, YOU LITTLE SHITHEAD, IF YOU DO THIS!"

Kids are resilient and can learn. Slimy bastards are worthless scraps of human skin filled with rotting garbage.

It would also help if MS didn't ship Windows in a configuration that's vulnerable to attack if you don't secure it yourself.

/me pets firewall

The sobig worm is a lot more about people than Windows. You might be thinking of Blaster, which can be prevented by correct application of a firewall. But sobig is an executable attachment that people run, and in doing so it infects their computer.

If people wouldn't click on files where the only text is "Please see the attached zip file for details", then sobig (as it stands today) wouldn't work. But that will never happen.

Heh, /. is running a story about the reply messages and links to:

Ah thanks, that statement from FRISK is exactly what I was hoping to see.
Greg Hewgill <>