

Worm.Sober.P Continues Unabated
Written by bigboi
Wednesday, 04 May 2005
This article is a report from the front lines as a network administrator dealing with this new worm epidemic that's going around. I first reported on Worm.Sober.P yesterday over at www.smoothsailingit.com. Here is an update.

Yesterday our Barracuda got a real workout, and basically paid for itself. My logs show that it blocked another 102 of the Worm.Sober.P virus, but that doesn't even begin to tell the whole story about how massive this infection is. We actually received about 22,000 emails yesterday... a slight uptick from our usual 2900. The Barracuda blocked more than 20,000 emails, so the figure showing we blocked 102 Worm.Sober.P virus emails is misleading. Most of the 20,000+ blocked emails were blocked due to invalid recipient addresses, and I would have to wager that all of those were virus-laden, not spam. We do see some of these random address attacks from time to time, and some are spam-related. However, the magnitude of this traffic is roughly 4 times as much as we've seen on our busiest day, and coincides with a 12-fold uptick in the number of viruses we've caught. Most of those viruses are this lovely Worm.Sober.P, and quite probably the bulk of those 20,000 emails going to invalid addresses at our domain also contained the virus. Only 102 made it past the valid address check and were actually caught with the virus payload, though.

Although the overall numbers for the day are staggering, over 15,000 of those 22,000 emails arrived within a 2 hour span between 5pm and 7pm yesterday evening. Of those emails, only 121 actually passed through and were sent to our Exchange server: a mere 0.8%. This was also the same 2 hour timespan during which we saw an overwhelming majority of our Worm.Sober.P virus emails on Monday evening. Should I expect to get flogged again tonight between 5 and 7pm? Considering that again today we have already received 3000 emails, it looks like we are still in the eye of the storm. In any case, there is a lesson in all of this.

Number one, there's the same lesson we learn every time a new virus comes out: don't blindly open email attachments, because you may be 2 seconds away from infecting yourself with a nasty virus. Secondly, if you are a network admin you should hopefully be keeping the principles of defense in depth in mind at all times. When your email system is getting hammered by an epidemic like this there is a greater chance that something bad is going to slip through your virus scanning engine, either due to overwhelming volume or the fact that your AV scanner is picking up virus definition updates an hour too late. If you have implemented scanning at the perimeter, again on the internal mail server, and yet again on the desktop, and if you are using different AV engines in all of those locations, you are going to be a lot safer. Our Barracuda actually uses 2 different AV engines as email hits our perimeter, and it pulls updates hourly. On our Exchange server and desktops we use the same Symantec engine, and I think that pretty well covers us. If I were really paranoid we could use Symantec on the mail server and AVG on the desktops.

Just for fun I'm posting the 2 graphs from the front console of our Barracuda which show our email traffic over different time periods. The first is the hourly graph, and the second is the daily graph. You can see how the heavy traffic for the 2 hours from last night and from yesterday as a whole extended the scaling on the graphs into the tens of thousands, and squashed all the other hours/days. You can barely tell we've received any email other than these bursts of worms. All colors in the bars that are not green mean the emails were blocked for one reason or another.

[Image: Hourly Email Traffic Graph]

[Image: Daily Email Traffic Graph]
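The breakdown the post argues for, as an added example that is not from the original post or from Barracuda: count each hour's gateway dispositions separately so that invalid-recipient blocks, virus catches and delivered mail are reported side by side rather than as a single virus number, and flag the hours whose volume jumps past a multiple of the normal hourly rate. The log format, disposition names and sample lines are constructed assumptions for this example.

```python
from collections import Counter, defaultdict

# Constructed sample gateway log: "date time DISPOSITION recipient [detail]".
# The format and disposition names are assumptions for this example.
SAMPLE_LOG = """\
2005-05-03 16:12:07 ALLOWED alice@example.com
2005-05-03 17:03:11 BLOCKED_INVALID_RCPT qzv8@example.com
2005-05-03 17:03:12 BLOCKED_VIRUS bob@example.com Worm.Sober.P
2005-05-03 17:05:40 BLOCKED_INVALID_RCPT hh21k@example.com
2005-05-03 17:09:02 ALLOWED carol@example.com
2005-05-03 18:15:33 BLOCKED_INVALID_RCPT x0pl@example.com
2005-05-03 18:16:01 BLOCKED_VIRUS alice@example.com Worm.Sober.P
2005-05-03 18:20:45 BLOCKED_SPAM dave@example.com
2005-05-03 18:41:19 BLOCKED_INVALID_RCPT m7rr@example.com
"""

def parse_log(text):
    """Yield (hour_key, disposition) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines rather than crash
        yield f"{parts[0]} {parts[1][:2]}:00", parts[2]

def hourly_dispositions(text):
    """Map each hour to a Counter of the dispositions seen in that hour."""
    per_hour = defaultdict(Counter)
    for hour, disp in parse_log(text):
        per_hour[hour][disp] += 1
    return per_hour

def flag_bursts(per_hour, baseline_per_hour, factor):
    """Hours whose total volume exceeds factor times the normal hourly rate."""
    return [h for h, c in sorted(per_hour.items())
            if sum(c.values()) > factor * baseline_per_hour]

def summarize(text, baseline_per_hour, factor=3):
    """Break the day down by disposition; the virus count alone is misleading."""
    per_hour = hourly_dispositions(text)
    totals = sum(per_hour.values(), Counter())
    total = sum(totals.values())
    return {
        "total": total,
        "allowed": totals["ALLOWED"],
        "virus": totals["BLOCKED_VIRUS"],
        "invalid_rcpt": totals["BLOCKED_INVALID_RCPT"],
        "pass_rate_pct": round(100 * totals["ALLOWED"] / total, 1) if total else 0.0,
        "burst_hours": flag_bursts(per_hour, baseline_per_hour, factor),
    }
```

With a real day's log, baseline_per_hour would be the normal daily volume divided by 24, and burst_hours is what to compare against the AV engine's definition-update timestamps.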
Last Updated ( Wednesday, 04 May 2005 )





