SoBig Causes Spam Woes

The SoBig.F virus, the fastest-spreading worm to hit the Internet, struck an uncounted number of Windows PCs this week, installing a Trojan horse that could turn infected machines into unwitting spam relays.

Even enterprises that succeeded in stripping out virus attachments found that SoBig.F had already created a huge spam headache. E-mail in-boxes quickly filled with empty messages, all using similar subject lines and often carrying spoofed return addresses recognizable to users.

E-mail in-box invader

  • SoBig.F accounted for one in every 17 e-mails at its height*
  • Total e-mail traffic increased by 20 to 25 percent at the peak of the SoBig.F attack**
  • Spam accounts for approximately half of all corporate e-mail sent*

Sources: *MessageLabs Inc., **Commtouch Software

Anti-spam software vendors scrambled for a quick fix. FrontBridge Technologies Inc., like other anti-spam vendors, advised customers to set policy filters to block messages with the nine subject lines used by SoBig.F messages. That prevented delivery of messages with subject lines such as "Your details" and "Thank you!"

FrontBridge plans to introduce technology in mid-October that will allow policy filters to quarantine messages based on content rather than block them, said company officials, in Marina del Rey, Calif. That would allow users to view quarantined messages and look for false positives.

Chris Bittner, senior network manager at CommonHealth, a WPP Group plc. company, which is using Elron Software Inc.'s Message Inspector 4, set up such a block after his users' in-boxes were overrun with empty SoBig.F messages. The company already had a policy in place to strip out executable attachments from messages.

"Our end users were getting all freaked out about [receiving so many SoBig messages] so we expanded the rule to block those subject lines," said Bittner, in Parsippany, N.J. "I think the risk of bringing down your mail system outweighs any risk of having legitimate e-mail blocked."


Spam-blocking software maker Commtouch Software Ltd., of Netanya, Israel, said that overall e-mail traffic had increased 20 to 25 percent due to SoBig.F.

"When you get hit with an additional 400 messages that you have to go through and delete, it's essentially an e-mail blackout," said CEO Gideon Mantel.

Virus-blocking software contributed to the spam problem by generating automatic responses to the spoofed addresses.

"A lot of servers are set up to send notes to recipients and to senders when a virus attachment is received," said Sandy Whiteman, chief technologist for New York-based Cypress Integrated Systems Inc., which provides managed e-mail services. "So for each incidence of SoBig, two additional pieces of spam are generated."

Even with spam-blocking software deployed, some enterprises are resigned to dealing with the continuing annoyance of spam.

"Spam has become so commonplace that having to delete it is just an acceptable practice. It's kind of a shame," said Bruce Elgort, IS manager at Sharp Microelectronics of the Americas, in Camas, Wash.

Sharp uses anti-virus and anti-spam software from Trend Micro Inc., but Elgort declined to set up a content block on the SoBig.F subject lines. He said his users are more concerned about delayed delivery of e-mail caused by the increased volumes of traffic that Sharp's e-mail servers have to process.

"At what point do we go back to faxes because they're quicker?" said Elgort.