Sober-Y Virus Doubles Number of Rejected SMTP Connections During December 2005

[Graph: Rejected SMTP Connections Per Day]

Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu


You may know that the Computing Center has been battling email spam, viruses, phishing, and other unwanted email traffic for many years now. We've primarily focused on blocking unwanted email originating from known spam sources, as well as unwanted email originating from compromised broadband-connected consumer systems acting as "spam zombies." [1]

What you may not know is just how hard the bad guys have been hammering the UO's email servers, or how rapidly the general worldwide email environment has deteriorated over the last month or so.

Specifically, the number of rejected inbound email connections on the main uoregon.edu SMTP servers has skyrocketed from under 200,000/day to over 450,000/day (see the graph above). That's a tremendous increase to have occurred literally overnight. As you look at this graph, please note:

1) The graph shows rejected email connections, not rejected email messages. Each connection may represent one blocked email, or a hundred or a thousand or more--there's no way to know for sure without first accepting all inbound messages, good or bad, and then (and only then) categorizing each message as wanted or unwanted.[2]

2) In some cases, there may be tens of thousands of rejected connections, all associated with a single system that refuses to take "no" for an answer. Just as one example of this, consider rejected connections associated with the host 234.157.204.68.cfl.res.rr.com [68.204.157.234]:

Date                  Rejected Connections
December 15, 2005                    6,377
December 16, 2005                   22,214
December 17, 2005                   22,153
December 18, 2005                   23,181
December 19, 2005                   23,458
December 20, 2005                   23,058
December 21, 2005                   22,029
December 22, 2005                   22,326

While a dozen systems running that hot could account for the doubling in rejected connections we're currently seeing, most connecting hosts do not repeatedly connect tens of thousands of times the way this example has been doing.
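The per-host breakdown in point 2 is the kind of thing you get by aggregating the mail server's connect-time reject lines by day and client address. The script below is an added illustration, not the UO's own tooling: it parses a handful of constructed Postfix-style smtpd log lines (the client host and address are the ones quoted above; everything else is made up) and flags any single client that accounts for an outsized share of a day's rejected connections.

```python
import re
from collections import Counter

# Constructed Postfix-style smtpd log lines (illustrative, not the UO's real logs).
# The client host and address are the ones quoted in the article.
SAMPLE_LOG = """\
Dec 15 03:12:44 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from 234.157.204.68.cfl.res.rr.com[68.204.157.234]: 554 5.7.1 Service unavailable
Dec 15 03:12:45 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from 234.157.204.68.cfl.res.rr.com[68.204.157.234]: 554 5.7.1 Service unavailable
Dec 15 09:40:02 mx postfix/smtpd[1304]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 5.7.1 Service unavailable
Dec 16 00:01:09 mx postfix/smtpd[1410]: NOQUEUE: reject: RCPT from 234.157.204.68.cfl.res.rr.com[68.204.157.234]: 554 5.7.1 Service unavailable
Dec 16 00:01:10 mx postfix/smtpd[1410]: NOQUEUE: reject: RCPT from 234.157.204.68.cfl.res.rr.com[68.204.157.234]: 554 5.7.1 Service unavailable
Dec 16 00:01:11 mx postfix/smtpd[1410]: NOQUEUE: reject: RCPT from 234.157.204.68.cfl.res.rr.com[68.204.157.234]: 554 5.7.1 Service unavailable
Dec 16 11:22:33 mx postfix/smtpd[1422]: 8A1B2C3D4E: client=mail.example.org[198.51.100.7]
"""

# Matches one rejected connection: syslog date, then smtpd's connect-time reject.
# Accepted connections (the last line above) do not match and are not counted.
REJECT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) \S+ \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]:"
)


def rejects_per_day_and_ip(log_text):
    """Return a Counter keyed by (date, client IP) of rejected connections.

    This counts connections, not messages: a host that reconnects after every
    rejection is counted once per attempt, which is the effect point 2 describes.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            counts[(m.group("date"), m.group("ip"))] += 1
    return counts


def hot_hosts(counts, threshold):
    """List (date, ip, count, share) for clients with >= threshold rejections in
    a day; share is that client's fraction of the day's total rejections."""
    per_day = Counter()
    for (date, _ip), n in counts.items():
        per_day[date] += n
    return sorted((date, ip, n, round(n / per_day[date], 3))
                  for (date, ip), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for date, ip, n, share in hot_hosts(rejects_per_day_and_ip(SAMPLE_LOG), 2):
        print(f"{date}: {ip} rejected {n} times ({share:.0%} of that day's rejections)")
```

On a real log the threshold would be set far higher (the host in the table above was rejected over 20,000 times a day); the share column is what tells you whether a jump in the daily total is one stuck host or a genuinely broader increase.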

3) The graph included with this article covers all types of rejected inbound email connections, including conventional spam, viral messages, phishing/fraudulent email messages--and yes, even inadvertently blocked legitimate email.

That said, do we know (or at least think we know) what's been causing the huge increase? The answer is yes. While there were over 17,000 new viruses or virus variants in 2005, we believe that the jump in unwanted connections we're seeing is almost entirely associated with a single new virus: Sober-Y.[3]

In case you can't keep your viruses straight without a scorecard, Sober-Y is the mass mailing worm that emerged in earnest around Thanksgiving, which corresponds nicely with the jump in rejected connections shown in our graph. Sober-Y sends infectious email messages purporting to be from the FBI, from the CIA, or in the case of German language versions, from the German Bundeskriminalamt (BKA). The body of the English-language Sober-Y message usually claims to have "logged your IP address on more than 30 illegal Websites. Please answer our questions!" Of course, no such logging has in fact taken place, the message was not from the FBI [4], the CIA, or any other federal agency, and if you opened the enclosed attachment your system would become infected and the process would iterate. (Other less commonly seen variants of the virus claimed to include a Paris Hilton video as an attachment, or to be a registration confirmation.)

Here at the UO, from a user's point of view, Sober-Y was largely a non-event. Many of our users didn't even know that Sober-Y was in circulation. The antivirus filtering on uoregon.edu [5] did a great job of preventing Sober-Y from reaching user mailboxes, and copies obtained by UO users via departmental mail servers or other third-party email systems were well blocked by McAfee on the desktop (McAfee had definitions effective in blocking Sober-Y in distribution as of November 16). [6]

Unfortunately, there are systems elsewhere on the Internet that were not so well protected, and many of those systems were apparently compromised by this malware. Those compromised hosts continue to hammer away at SMTP servers all around the world, including ours. Postini, a major integrated message management service, declared Sober-Y to be the biggest virus outbreak it's ever processed--twice as large as the largest previous attack on record.[7] At least in some cases, Sober-Y is known to have resulted in email backlogs and delays,[8] although the UO's email servers have continued to function normally.

As mentioned in reference [6] at the conclusion of this article, Sober-Y is apparently scheduled to update itself on Friday January 6th. However, it remains to be seen if that update will be effective, given the success that antivirus vendors have had in cracking the scheme that Sober-Y had planned to employ.

In the meantime, we appreciate your patience as we deal with the panoply of online threats we collectively face each day. We know what a pain spam, viruses, worms, and all the other types of unwanted online traffic can be, and we're working hard to keep all of it from affecting your work online.

If at any time you want to opt out of the UO's default spam filter (or if you've opted out and think you might want to opt back in), you can do so by using the interactive form online at http://password.uoregon.edu/allowspam/

Questions, comments, concerns? If you're a UO faculty member, a UO student, or a UO staff person and have any questions about Sober-Y or virus and spam filtering at the UO, feel free to contact me (joe@uoregon.edu or 346-1720).

Notes:

[1] For more information on spam zombies, please see

http://www.uoregon.edu/~joe/zombies.pdf
http://www.ftc.gov/bcp/conline/edcams/spam/zombie/

[2] Unfortunately, it simply isn't practical for us to initially accept all inbound messages, regardless of whether they're good or bad, for several reasons:

- If you don't reject unwanted messages at connect time (i.e., while the remote server is still connected to our mail server), there's a real problem when messages you've initially accepted subsequently turn out to be spam or to be otherwise unwanted. Why? Once you've told the remote transferring system that you're accepting a message, you really should deliver it--unless you subsequently notify the sender that you won't be doing so.

- Virtually all viral email and spam email has a forged apparent sender address (also known as a faked “From:” or a faked “Reply-To:” header), usually the name of some innocent person.

- Because the remote server is no longer connected (it disconnected after you accepted the message) and because the apparent sender address is untrustworthy, you have no effective way of reporting that you've got a message that you said you were going to deliver but which in fact you really can't.

You now understand why we strive to reject virtually all messages at connect time: if a message cannot be delivered, the remote server immediately gets the bad news while it is still connected, thereby allowing it to alert the sender to the nondelivery of their message.

- The other reason why it really isn't practical to initially accept all incoming mail, regardless of whether it is good or bad, relates to the relative volume of bad-to-good email right now. Currently, depending on who you listen to and how you define unwanted email, between two-in-three and nine-in-ten incoming email messages are unwanted. To handle all that ultimately unwanted email, your email server's capacity would have to be increased nearly tenfold, just to accept mail you'll ultimately discard. That's a tremendous expense and a real waste of disk space, bandwidth, CPU time, etc.
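The difference between the two policies note [2] contrasts is easiest to see in the SMTP dialogue itself. The simulation below is an added illustration and not the UO's mail server code: it models only the envelope stage of a session, the blocked client address is the one quoted in the article, and every e-mail address in it is made up. Refusing at RCPT TO leaves the still-connected remote server responsible for non-delivery; accepting and classifying later leaves you holding a message you promised to deliver, with a forged sender as the only place a bounce could go.

```python
# Simplified model of the SMTP envelope stage, written to illustrate note [2]; it
# is not the UO's mail server code.  The blocked client address is the one quoted
# in the article; every e-mail address below is made up.
BLOCKED_CLIENTS = {"68.204.157.234"}


def smtp_session(client_ip, mail_from, rcpt_to, reject_at_connect):
    """Simulate one delivery attempt; return (transcript, bounce_target).

    transcript    -- (client command, server reply) pairs, in order
    bounce_target -- where a non-delivery report would have to go if the
                     message is judged unwanted after acceptance; None if the
                     remote MTA was told "no" while still connected
    """
    transcript = [("(connect)", "220 mx.example.edu ESMTP"),
                  ("EHLO relay", "250 mx.example.edu"),
                  (f"MAIL FROM:<{mail_from}>", "250 2.1.0 Ok")]
    unwanted = client_ip in BLOCKED_CLIENTS   # the same evidence under either policy
    if reject_at_connect and unwanted:
        # Policy A (what the article describes): refuse at RCPT TO.  The remote
        # MTA is still connected, so it, not us, owns telling its submitter.
        transcript.append((f"RCPT TO:<{rcpt_to}>",
                           "554 5.7.1 Service unavailable; client host blocked"))
        transcript.append(("QUIT", "221 2.0.0 Bye"))
        return transcript, None
    # Policy B: accept first, classify later.
    transcript += [(f"RCPT TO:<{rcpt_to}>", "250 2.1.5 Ok"),
                   ("DATA ... <CRLF>.<CRLF>", "250 2.0.0 Ok: queued"),
                   ("QUIT", "221 2.0.0 Bye")]
    if unwanted:
        # The remote MTA is gone.  Having said "queued", the only way to report
        # non-delivery is a bounce to MAIL FROM, which spam and viruses forge.
        return transcript, mail_from
    return transcript, None


def backscatter(attempts):
    """Count the bounces to envelope senders each policy would generate for the
    given [(client_ip, mail_from, rcpt_to)] delivery attempts."""
    return {
        "reject_at_connect": sum(smtp_session(*a, True)[1] is not None for a in attempts),
        "accept_then_bounce": sum(smtp_session(*a, False)[1] is not None for a in attempts),
    }


if __name__ == "__main__":
    attempts = [("68.204.157.234", "innocent@example.org", "user@uoregon.edu"),
                ("192.0.2.10", "colleague@example.net", "user@uoregon.edu")]
    print(backscatter(attempts))   # {'reject_at_connect': 0, 'accept_then_bounce': 1}
```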

[3] For more information on Sober-Y, see http://secunia.com/virus_information/23836/sober.x/
(Note that due to a lack of coordination among antivirus vendors, some refer to this virus as Sober-Y, while others refer to it as Sober-X.)

[4] The official disclaimer notices can be seen at

http://www.fbi.gov/page2/nov05/emailscam112205.htm
http://www.cia.gov/cia/alerts.html
http://www.bka.de/pressemitteilungen/2005/pm211105.html (in German)

[5] http://www.clamav.net/

[6] http://vil.nai.com/vil/content/v_137072.htm

[7] http://www.postini.com/news_events/pr/pr112905.php

[8] http://www.washingtonpost.com/wp-dyn/content/article/2005/12/07/AR2005120702471.html


Winter 2006 Computing News