We haven't seen any Sober.P get through ClamAV yet (freshclam updated the signatures just on time), but it's been a real nuisance the past 3-4 days and I know a lot of PCs and external networks are infected. We went from receiving 100-300 viruses per day total (we do approx. 1 million messages/day volume), to 15,000 viruses per day total (99% of those being Sober.P).
Something I've found that helps cut down on the virus scanning: When you receive a self-mailing virus, check the IP's reverse DNS for any signs that it might be a real mail server. If not, block it for a short period of time. We use 24 hours, and look for patterns like ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.
In the past we used to get lots of repeats, usually to the same sets of addresses. Blocking the IP really cuts down on the load -- our virus count only jumped by a factor of 10 on Monday -- and since we're scanning inbound mail, it rarely collides with our own users who would normally be sending mail.
In fact, the only time I can remember having a problem with it, one of our customers had received a copy of a virus (either defanged before the signature was added or from another source, I forget which) and had the sense not to open it... but forwarded it to their network consultant, asking "Is this a virus?"
The main nuisance Sober has caused here has been all the bogus bounces.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
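The reverse-DNS check and 24-hour block described in the message above, as an added Python example (not code from the post or from MIMEDefang). The token lists, function and class names are assumptions, the caller supplies the PTR name it already resolved, and only IPv4 is handled.

```python
import re
import time

BLOCK_SECONDS = 24 * 60 * 60  # the 24-hour block period mentioned in the post
# First label that suggests a mail host, e.g. mail., mx2., smtp-out. (assumed list)
MAIL_LABEL = re.compile(r"^(mail|mx|smtp|relay|mta)\d*(-[a-z0-9]+)*$")
# Access-network tokens delimited by '-', '.' or digits (assumed list)
DYNAMIC_TOKEN = re.compile(
    r"(^|[-.\d])(dsl|adsl|dialup|dhcp|cable|ppp|dyn|dynamic|pool)([-.\d]|$)")

def embeds_ip(hostname, ip):
    """True if the IPv4 octets appear in the name, forward or reversed,
    as in the constructed name 203-0-113-7-dsl.example.net."""
    if not re.fullmatch(r"\d+(\.\d+){3}", ip):
        return False
    octets = [int(o) for o in ip.split(".")]
    nums = [int(n) for n in re.findall(r"\d+", hostname)]
    windows = [nums[i:i + 4] for i in range(len(nums) - 3)]
    return octets in windows or octets[::-1] in windows

def looks_like_mail_server(hostname, ip):
    """Heuristic only: a mail-style first label and no sign of an access line."""
    if not hostname:  # no PTR record at all
        return False
    host = hostname.lower().rstrip(".")
    if embeds_ip(host, ip) or DYNAMIC_TOKEN.search(host):
        return False
    return bool(MAIL_LABEL.match(host.split(".")[0]))

class TempBlocklist:
    """Short-lived block for relays that delivered a scanner-flagged message."""
    def __init__(self, ttl=BLOCK_SECONDS):
        self.ttl = ttl
        self._expires = {}

    def report_virus(self, ip, rdns, now=None):
        """Call after the scanner flags a message; returns True if ip was blocked."""
        now = time.time() if now is None else now
        if looks_like_mail_server(rdns, ip):
            return False  # likely a real relay: keep scanning, do not block
        self._expires[ip] = now + self.ttl
        return True

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        if self._expires.get(ip, 0) <= now:
            self._expires.pop(ip, None)  # expired or never listed
            return False
        return True
```

Hosts whose names give no hint either way are treated as non-mail-servers here, matching the post's "if not, block it" rule; the expiry keeps a misjudged relay from staying blocked.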

