
Swamped with Netsky

Status
Not open for further replies.

jt003649

Technical User
Sep 19, 2003
9
GB
I started doing some support work for a small office of around 50 users approximately 10 months ago. At that time they used an unmanaged antivirus system whereby each user had to manually update their virus definitions on their PC. We have since put into place a centrally managed system using Symantec AV Corporate Edition and we now update one server and the new definitions are pushed out to clients across the network. All seemed to be going well, until around 6 weeks ago when we started to receive between 300 and 1000 virus warnings per day, all from email attachments containing some form of the W32.Netsky virus. This has continued to be the case each day. The usual amount of warnings until this time was around 10 per week at the very most.

The email server for this company is hosted by their ISP.

I've scanned all machines on the network, and made sure all definition files are up to date. All seems to be fine internally.

Is anyone else affected like this by the W32.Netsky virus? Any suggestions as to what we can do to combat this problem would be helpful.

Cheers.
 
Unfortunately you are not alone with this problem; a lot of people are getting a lot of Netsky.

Still, 1000 is a huge quantity. Does the company use email so heavily that their addresses would be on so many external machines?

Out of curiosity, are the IP address or range of IP addresses the mails are coming from the same from day to day?
 
The company does use email quite heavily, on a few different domains. The main addresses that seem to be hit are any info@ accounts they have, although users' personal accounts are also being hit by at least 3 or 4 viruses a day. If I remember correctly, the IP addresses in the email headers indicate the emails are coming from various sources. I'll keep an eye on this over the next few days to confirm this though.

As part of a network upgrade for the company we have decided to bring the email server in-house and will introduce an SMTP gateway server to filter any emails for spam and viruses. This should hopefully reduce the problem.
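
One way to check whether the sending IP addresses repeat from day to day, as asked above (an added example, not part of any post in this thread). It reads only the topmost `Received` line written by a mail server you trust, because lines below that are supplied by the sender and can be forged; the host name `mx.isp.example` and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

TRUSTED_MX = "mx.isp.example"  # assumed name of the ISP's receiving mail server
HOP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)[^;]*;\s*(.+)", re.S)

def _msg(ip, date, forged=None):
    """Build a constructed sample message (documentation IP ranges only)."""
    hops = [f"Received: from unknown ([{ip}]) by {TRUSTED_MX}; {date}"]
    if forged:  # a line the sender inserted itself; it sits below the real one
        hops.append(f"Received: from mail ([{forged}]) by {TRUSTED_MX}; {date}")
    return "\n".join(hops) + "\nSubject: Re: document\n\nbody\n"

SAMPLES = [
    _msg("192.0.2.10", "3 May 2004 09:15:00 +0000"),
    _msg("198.51.100.7", "3 May 2004 11:02:00 +0000", forged="203.0.113.99"),
    _msg("192.0.2.10", "4 May 2004 08:40:00 +0000"),
    _msg("203.0.113.5", "4 May 2004 13:20:00 +0000"),
]

def source_ip(raw, trusted=TRUSTED_MX):
    """Return (day, ip) from the topmost Received line written by `trusted`."""
    for hop in message_from_string(raw).get_all("Received", []):
        m = HOP.search(hop)
        if m and m.group(2).lower() == trusted:
            day = parsedate_to_datetime(m.group(3)).date().isoformat()
            return day, m.group(1)
    return None  # no hop recorded by the trusted server

def tally_by_day(messages, trusted=TRUSTED_MX):
    """Count connecting IPs per delivery day."""
    days = defaultdict(Counter)
    for raw in messages:
        hit = source_ip(raw, trusted)
        if hit:
            days[hit[0]][hit[1]] += 1
    return days

def recurring_sources(days):
    """IPs that delivered mail on more than one day."""
    seen = Counter(ip for counts in days.values() for ip in counts)
    return sorted(ip for ip, n in seen.items() if n > 1)

if __name__ == "__main__":
    days = tally_by_day(SAMPLES)
    for day in sorted(days):
        print(day, dict(days[day]))
    print("seen on more than one day:", recurring_sources(days))
```

A short list of recurring sources can be blocked or reported; a long tail of addresses seen once each points to many independently infected machines, which is the case filtering at a gateway addresses.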
 
You will definitely have many more options once you control the email server.

Good Luck!
 
The way I see these notifications now, rather than panicking like when I got the first 30,000, is: hey, my antivirus software is working. Now if I don't hear PING every few minutes I worry that my antivirus has fallen over and is letting them all through. Arrrrg! Can't win!

Iain

"It's not the winning that counts but how drunk you get!" HS
 
Quite a few e-mail hosting companies do virus scanning of messages for their customers. If your e-mail hosting company isn't doing this, get one that does.

Your best strategy is to bring your e-mail in-house though. I am in the process of doing that right now in our organization. It will save us money and allow us to handle problem e-mail.

If you bring the e-mail in-house, set up a separate box dedicated to being your SMTP-in server. It will receive all your e-mail from the world, do virus scanning, and spam filtering.

Most viruses nowadays are simply spams. Viruses often come from machines that should not have your e-mail address. The viruses are specifically designed to open up relays on the machines they infect. That makes it possible to send even more spams.

Your anti-spam and anti-virus strategy should go together.

Most Internet providers and hosting companies DO NOT care about the spam problem.

 
Yeah I can't understand the attitude of some ISPs when it comes to spam. I gave up on my personal ISP email address long ago due to the amount of spam it was receiving.

As far as filtering traffic at the gateway goes, I've been looking at Symantec Antivirus Gateway Solution, which combines both web and SMTP filtering for antivirus and spam. I'm interested to hear anyone else's suggestions for suitable products based on personal experience. One other that has already been recommended is MIMEsweeper.
 