Scheduled agents in mail.box?

scottrma
We have been getting hit with the W32.Sobig.F@mm worm since last week. Sometimes the SPAM from this worm comes in at a rate of THOUSANDS PER MINUTE, which tends to cause mail routing to stop. We use a standard of 2 mail boxes on each server, mail1.box and mail2.box. When this condition occurs, you can open mail1.box and mail2.box and sometimes see in excess of 50,000 pending mails in it.

What I ideally wanted to do was to create a "Before New Mail Arrives" agent in mail1.box and mail2.box. However, because these databases do not have a .nsf extension, Agent Manager will not run scheduled agents in these databases. What we have done instead is to create a separate database, say for example, temp.nsf, and put a scheduled agent in there that runs every 5 minutes (the maximum allowed), and this agent is coded to open mail1.box and mail2.box and find and delete SPAM that meets certain criteria. However, if the SPAM are coming in at a rate of thousands per minute, then this agent is useless, because in the space of 5 minutes we will get overloaded with thousands of SPAM, and mail routing will slow to a crawl or stop altogether.

Is there any way to get Domino to use different file names for the mail boxes (such as via a notes.ini parameter or something) so that I could use mail1.nsf & mail2.nsf instead of mail1.box and mail2.box? That way, I could put an anti-SPAM "Before New Mail Arrives" agent in these databases and it would hypothetically delete the SPAM before they are deposited there, eliminating the buildup of thousands of documents in these databases.

Ideally, we would want to deny incoming mail connections based on IP address, but in our case we can't do this. All incoming SMTP mail from the Internet first goes to our mail firewall (non-Domino), then gets passed to Domino. Domino cannot reject based on IP address because it sees all inbound mail as coming from the IP address of the firewall (making IP address filtering useless). I have asked many times whether we can have Domino accept SMTP mail directly from the Internet, but our IT managers are unwilling to do this.

Does anyone have any suggestions as to how to block this stupid W32.Sobig.F@mm? I have read that it is supposed to deactivate on September 10, but that's still weeks away and I am having to spend hours every day manually clearing out the mail1.box and mail2.box when mail routing slows to a crawl. Any ideas would be appreciated.
First you have to clean the servers of this worm using any of the antivirus tools. In our case we had Symantec, so we used all the procedures described in this note and fixed the worm. Make an announcement to users to use these procedures to clean up their machines. Stop all networking activity from the Internet and perform this cleanup.

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

None of the programming events is going to eradicate this problem. It might open some other back door so that another worm can enter.

So the only answer is to update your virus definitions and keep current with OS patches.

~Hemanth
You can also find some tools specific to the Sobig virus on the antivirus web sites.

If you are using McAfee, do check this info
http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=sobig

Commented:
There is a way to get the .box'es to be treated as .nsf's. You create file links that point to them. The administration client's FILES panel has a facility to do this. It is basically a text file with a .NSF extension whose contents are the name of the referenced file.

So, if I have a text file in my Domino data directory named mail1box.nsf, and the content is:
mail1.box

Then Domino will treat it as if there is a real database file mail1box.nsf, but will actually open mail1.box whenever any process or user wants to open it -- including agent manager.

The problem is that it is the ROUTER that runs Before New Mail Arrives agents. It does this when it delivers messages to a final destination. So, mail that gets placed into mailX.box pending delivery is never considered to be arriving, and the before new mail arrives agent does not run.

What you should really be doing is to get filters installed on the inbound SMTP relay from which your Domino server is getting all its messages.

There may be some odd tricks you can do using the mail gateway interfaces (foreign domains).

If using R6, you can also use server-level mail rules, but those tend to be pretty slow to execute, only exacerbating the problem.

Also, your Domino Anti-Virus solution probably has an option to delete virus mail immediately out of mail.box, rather than cleansing it. This may give you exactly what you want.

Author

Commented:
They added some subject filtering to the (non-Domino) inbound SMTP relay, and that seemed to reduce the volume for about a day or so. But then I got called over the weekend because mail had stopped routing again. When I checked, indeed the mail.box files were overloaded with SPAM again. I checked the anti-virus software on the server and it is up-to-date and has Lotus Notes Realtime Protection enabled, although I don't see very many options on that screen, so I don't think it was intended to be used as an email filter but rather as a general file-level virus scanner.

Oh well, I guess there's nothing else that can be done. Or is there?

Scott

Commented:
All current Domino mail virus scanners support deleting viral messages immediately. If you don't see the option, either you don't have correct admin rights, have an old version, or you are not looking at the right screen.

When enabled, this option will cause the viruses to only appear briefly in mail.box before being deleted by the scanner. The router will never route them, and you should not see a backlog in mail.box.
Scott, you've got the Symantec NAV client installed on the server, haven't you? This is indeed just a file scanner that also contains a plug-in for the Notes client. It does not scan email as it passes through the router.

Do you have a content/virus scanning solution in place on your domino servers?

We use an application called Applinet Interceptor that performs content scanning of all email, processing against a rule list for things like attachment type and size, keywords and phrases, profanity filtering, and of course virus scanning, through a plug into a third party AV client.

Details here:

http://www.applinet.co.uk/webcontent.nsf/pages/interceptor

What type of SMTP smart host are you using? Perhaps some more investment of time in that box would help cure these problems. Surely if your managers insist on having a smart host between the Internet and Domino, it must be to prevent issues like this presenting themselves at your Domino server. Clearly that isn't happening right now, so I would challenge your management team that the smart host is currently failing in the job that they intended it to do.

Commented:
Interesting, I didn't think of asking about that. You should be using Symantec Anti Virus for Lotus Domino, which is a separate product from Symantec's client AV.

Author

Commented:
The inbound SMTP server that Domino receives its mails from is an eSafe server. The Domino server just has the regular Symantec Client AV installed, which I realize now is not really a product designed for mail servers. I don't think the company will go for purchasing the Symantec AV for Domino because we are completing a migration to Exchange, and no one wants to throw any more money into Lotus anymore.

After some further research I have found that these SPAM we are getting are actually being caught by eSafe, but then they are modified and passed along to Domino. For example, we are receiving thousands of mails with this text in the Body:

***eSafe detected a hostile content in this email and removed it: your_details.pif (file type .pif is on the disallowed list)***

So the problem is not that we are getting infected, the problem is that Domino is getting so many of these "cleaned" mails passed to it that it sometimes stops routing mail. I have passed along a request to the people who manage our eSafe server to ask them if they could configure eSafe to just delete these mails instead of cleaning them and passing them along to Domino. No reply from them yet.

Thanks for your suggestions. I guess I'll just wait and see what happens with this....

Scott
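
The eSafe banner quoted in the post above is a precise criterion for a mail.box cleanup filter. The following is an added example, not code from the thread, and it is written in Python rather than as a Domino agent: it matches that banner in queued messages and holds only those whose removed attachment has a worm-typical type, leaving other cleaned mail for the router. `WORM_EXTS`, the function names, the note ids and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Banner wording copied from the post above; file name and type are captured.
BANNER = re.compile(
    r"\*\*\*eSafe detected a hostile content in this email and removed it: "
    r"(?P<name>.+?) \(file type (?P<ext>\.\w+) is on the disallowed list\)\*\*\*")
# Assumption: attachment types that mark a message as worm residue.
WORM_EXTS = {".pif", ".scr"}

def body_text(raw):
    """Return the text/plain content of a raw RFC 822 message, whitespace-folded."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "latin-1", "replace"))
    # Fold line wraps so a banner split across lines still matches.
    return " ".join(" ".join(chunks).split())

def classify(raw):
    """Return ('quarantine', filename) for cleaned worm mail, else ('route', None)."""
    m = BANNER.search(body_text(raw))
    if m and m.group("ext").lower() in WORM_EXTS:
        return ("quarantine", m.group("name"))
    return ("route", None)

def triage(queue):
    """Split {note_id: raw_message} into ids to hold and ids left for the router."""
    held = sorted(k for k, raw in queue.items() if classify(raw)[0] == "quarantine")
    return held, sorted(set(queue) - set(held))

# Constructed sample queue (not real traffic).
B = "***eSafe detected a hostile content in this email and removed it: "
SAMPLE = {
    "n1": "Subject: sample 1\n\nSee the attached file.\n" + B +
          "your_details.pif (file type .pif is on the disallowed list)***\n",
    "n2": "Subject: sample 2\n\nQuarterly figures attached.\n" + B +
          "report.exe (file type .exe is on the disallowed list)***\n",
    "n3": "Subject: sample 3\n\nLunch on Friday?\n",
    "n4": "Subject: sample 4\n\n" + B.replace("in this email ", "in this email\n") +
          "movie.scr (file type .scr is on the\ndisallowed list)***\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Held messages are moved aside rather than deleted, so a legitimate sender whose attachment was stripped can still be traced.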

Author

Commented:
Our eSafe administrators are unwilling to delete these mails. I guess they don't want to risk having a legitimate (albeit virus-infected) mail being deleted without some kind of notification to the sender or recipient. That's too bad, I would estimate that more than 99% of the time this is not what's happening, the majority of the time it's just virus-infected SPAM.

Due to the fact that we are completing a migration from Domino to Exchange, no one wants to spend any more money on Domino, so purchasing an anti-virus solution for Domino servers is out of the question. So whatever workarounds I come up with must be native to Domino. The problem is, I can't think of what else could be done in Domino (R5) beyond what we are already doing to alleviate this problem. I guess in the meantime I will just need to keep my cell phone nearby at all times :-(

Does anyone know how to make Domino run a scheduled agent more frequently than once every 5 minutes? I think if the agent ran maybe every 10 seconds or so, we would catch a lot more SPAM and delete it from mail.box before Domino attempts to route it. I suppose I could code the agent to simply run in an endless loop, and then remove the time limit on scheduled agents in the Server document, but this seems potentially dangerous....

Thanks for any help on this,

Scott
Commented:
The overhead of instantiating the agent would make running every 10 seconds LESS practical, not more.

If you can set up a management console function to check a URL every x seconds, then have it check an openAgent URL that does what you want.

Author

Commented:
Well, fortunately the Sobig worm seems to have followed predictions accurately and deactivated itself on Sep 10. We have seen a huge decline in Sobig-related SPAM since last week. While I am relieved that this is no longer a threat to our mail system, I am somewhat frustrated that we seem to be at the mercy of these spammers (i.e. what if this thing had been programmed never to deactivate itself?). But at least for now, mail is flowing much better.

I like the idea qwaletee suggested of using an ?OpenAgent URL. I had not considered this before, since we are not currently running the HTTP task on our Domino servers. I will definitely give this idea further consideration, as I suspect it is only a matter of time until the next Sobig type of attack comes along. Perhaps the ?OpenAgent in conjunction with a <META> tag that would cause the page to refresh every 10 seconds or so would do the trick. Since it was qwaletee who pointed me in this direction, I will award him (her?) the points.

Anyways, thank you all for your help and suggestions.

Regards,

Scott

Commented:
Did you implement the "console" concept?  I should amend what I said.  Better than an agent would be a servlet, which has little or no "repeat execution" cost.  Even better than that would be a console that checks the mail file directly.  Have a look at GSX, it is excellent, if a bit expensive.

Author

Commented:
I am not sure I understand the management "console" concept. Do you have a link that explains this in detail? Is this something that is available as part of a Standard or Enterprise Domino install?

Thanks,

Scott

Commented:
Nope, nothing to do with Lotus at all. There are administrative monitoring and management tools available for a wide variety of network protocols, etc. Some of them will probe ports, and that's it. Some are more sophisticated, and can do things like sending an HTTP request, and examining the results to find good/bad patterns. NetIQ, BMC, some Unix monitoring tools will do this.

There are some even more specific, that "understand" Domino, and can probe for specific Domino tasks running, number of pending messages, etc.  I like GSX for this.

Domino's "native" admin program has some monitoring tools built in along those lines as well, but they are much weaker.

Commented:
This question is closed, I guessed the problem was solved... but take a look at http://www.tomlyne.com/kspam/indexasp.asp

This guy wrote a cool DLL that, together with a couple of simple db's, works as a spam filter (yes, it also blocks extensions).

It also has an option to configure a Bayesian filter (self-learning spam filter), with a server addon.

This "little thingy" blocks all worms in my company - it's wonderful ;)

Note: And it really takes some load off the mail.box'es because the filtered documents never reach them

Kspam rulez :o)

Commented:
P.S. And it's FREE!

Author

Commented:
sync957p,

This is EXCELLENT! I am still in the process of implementing this kspam on a test server, but the more I read about it, the more I like it. While reading through this treatment of how statistical filtering works:

http://www.paulgraham.com/spam.html

I couldn't help but think that almost every idea being presented was one that I had thought about at some point in time, but never had the time to implement. It was like having someone read my mind! The idea of a self-learning SPAM filter is way overdue.

If you are interested, I would like to award points to you for your help in pointing me to this potential solution. Just leave a comment in this question and I will award the points:

http://www.experts-exchange.com/Applications/Email/Lotus_Notes/Q_20748082.html

Thanks again,

Scott
