Fighting SoBig

Almost everyone who uses email is aware of the ongoing spread of the SoBig.F virus, but email administrators are acutely (or perhaps "painfully" is a better word) aware of exactly how much time and trouble this virus is causing. Worse still is the threat of new SoBig variants; all earlier generations contained expiration dates (see the first URL below for more information about the virus), but many people are concerned that the next generation won't contain them. Fortunately, you can take steps now to harden your servers, clients, and users against future infections.

First, try to prevent users from opening SoBig's attachments. Although handcuffs might be the only foolproof solution, Outlook's attachment-blocking features are the more practical method. For Outlook 2003 and Outlook 2002, simply enable Outlook's built-in attachment-blocking feature. For Outlook 2000, you'll need to apply the Outlook Security Update, which is available at the second URL below. For all Outlook versions, you can partially control which attachment types Outlook blocks by setting up a specially named public folder and posting a custom form item to it. Plenty of documentation describing this process exists: Take a look at Chapter 13 of "Secure Messaging with Microsoft Exchange Server 2000" (Microsoft Press, 2003), the "Microsoft Office 2003 Editions Resource Kit" Web site (at the third URL below), and the Slipstick Systems Outlook & Exchange Solutions Center (at the fourth URL below).

Second, prevent users who do become infected from infecting others. SoBig.F includes its own SMTP engine so that after the virus harvests addresses, it can start spamming those addresses without going through your mail server. In most cases, desktop machines have no good reason to send SMTP traffic directly to the Internet. Therefore, I suggest that you configure your border and internal routers to block outbound traffic to TCP port 25 unless it originates from one of your email servers. If everyone took this step, the spread of SoBig-like viruses would be greatly restricted, which is precisely why so many major broadband ISPs are restricting their clients' ability to send SMTP traffic. (Of course, this decision plays havoc with those of us who want to run Exchange servers at home.)
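The egress policy just described can also be used for detection: once only your mail servers may talk to port 25, any workstation that keeps trying is a likely infection. The following is an added example, not code from the original column. It renders the policy as iptables rules (the mail server and network addresses are assumptions) and scans a few constructed firewall log lines, written in the style of the iptables LOG target, for internal hosts that are not mail servers yet open outbound SMTP connections:

```python
"""Spot workstations that send SMTP (TCP/25) straight to the Internet.

Added example; addresses and log lines are constructed for illustration.
"""
import ipaddress
from collections import Counter

# Hosts allowed to speak SMTP to the outside world: your mail servers.
# These addresses are assumptions for the example.
MAIL_SERVERS = {ipaddress.ip_address("192.0.2.10"),
                ipaddress.ip_address("192.0.2.11")}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]


def egress_rules(wan_if="eth0"):
    """Return iptables commands implementing 'only mail servers may send SMTP out'.

    Permitted senders are accepted first; everything else bound for port 25 is
    logged (so the scan below has data) and then dropped.
    """
    rules = [f"iptables -A FORWARD -o {wan_if} -p tcp --dport 25 -s {ip} -j ACCEPT"
             for ip in sorted(MAIL_SERVERS, key=int)]
    rules.append(f"iptables -A FORWARD -o {wan_if} -p tcp --dport 25 "
                 f"-j LOG --log-prefix 'SMTP-EGRESS-BLOCK '")
    rules.append(f"iptables -A FORWARD -o {wan_if} -p tcp --dport 25 -j DROP")
    return rules


def parse_line(line):
    """Extract (src, dst, dport) from an iptables-style LOG line, else None."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if fields.get("PROTO") != "TCP":
        return None
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]),
                int(fields["DPT"]))
    except (KeyError, ValueError):
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def smtp_offenders(lines, threshold=3):
    """Map internal non-mail-server hosts to their count of outbound TCP/25
    attempts, keeping only hosts at or above the threshold. A burst of such
    connections from one desktop is what a worm's built-in SMTP engine looks
    like from the firewall; mail to your own servers (internal dst) is ignored."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != 25 or src in MAIL_SERVERS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        counts[src] += 1
    return {str(src): n for src, n in counts.items() if n >= threshold}


# Constructed sample log lines (iptables LOG format, syslog prefix included).
SAMPLE_LOG = [
    "Aug 20 10:01:02 fw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25",
    "Aug 20 10:01:03 fw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=203.0.113.5 PROTO=TCP SPT=1046 DPT=25",
    "Aug 20 10:01:03 fw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=TCP SPT=1047 DPT=25",
    "Aug 20 10:01:04 fw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=203.0.113.5 PROTO=TCP SPT=1048 DPT=25",
    "Aug 20 10:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=3201 DPT=25",   # real mail server
    "Aug 20 10:01:06 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.51 DST=203.0.113.9 PROTO=TCP SPT=1100 DPT=80",   # plain web traffic
    "Aug 20 10:01:07 fw kernel: IN=eth1 OUT=eth1 SRC=192.0.2.52 DST=192.0.2.10 PROTO=TCP SPT=1101 DPT=25",    # mail to own server
    "Aug 20 10:01:08 fw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.0.2.53 DST=203.0.113.5 PROTO=TCP SPT=1102 DPT=25",
]

if __name__ == "__main__":
    for rule in egress_rules():
        print(rule)
    print(smtp_offenders(SAMPLE_LOG))
```

With the constructed log, only 192.0.2.50 crosses the default threshold; the single attempt from 192.0.2.53 is below it, which keeps a one-off misconfiguration from paging anyone while a worm's steady stream still does.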

Third, make sure you have well-maintained, high-quality client- and server-based antivirus protection. Content-filtering tools such as NetIQ's MailMarshal and Nemx Software's Power Tools are also helpful because they can block or quarantine messages with suspect content. However, if you use such a tool, do us all a favor and turn off the automatic notification messages that tell the sender "You've sent an infected message." Because SoBig forges headers, this feature can deluge innocent bystanders with notification messages.

Finally, make sure your servers have some headroom. I've seen reports of SoBig victims getting thousands of messages per day, each message averaging about 100KB. If you happen to host mailboxes for someone with a well-known address, the next wave of attacks could spam you with gigabytes of mail per day. That much traffic can make a serious dent in your transaction log volume's free space (not to mention the effect on the size of your mailbox databases). Be sure you have adequate surge capacity to withstand brief and midsized spikes in mail and transaction volume.

SoBig.F virus description

Outlook Security Update

"Microsoft Office 2003 Editions Resource Kit" Web site

Slipstick Systems Outlook & Exchange Solutions Center
