We have been getting hit with the W32.Sobig.F@mm worm since last week. Sometimes the SPAM from this worm comes in at a rate of THOUSANDS PER MINUTE, which tends to cause mail routing to stop. We use a standard of 2 mail boxes on each server, mail1.box and mail2.box. When this condition occurs, you can open mail1.box and mail2.box and sometimes see in excess of 50,000 pending mails in them.
What I ideally wanted to do was to create a "Before New Mail Arrives" agent in mail1.box and mail2.box. However, because these databases do not have a .nsf extension, Agent Manager will not run scheduled agents in these databases. What we have done instead is to create a separate database, say, for example, temp.nsf, and put a scheduled agent in there that runs every 5 minutes (the maximum allowed), and this agent is coded to open mail1.box and mail2.box and find and delete SPAM that meets certain criteria. However, if the SPAM is coming in at a rate of thousands per minute, then this agent is useless, because in the space of 5 minutes we will get overloaded with thousands of SPAM, and mail routing will slow to a crawl or stop altogether.
Is there any way to get Domino to use different file names for the mail boxes (such as via a notes.ini parameter or something) so that I could use mail1.nsf & mail2.nsf instead of mail1.box and mail2.box? That way, I could put an anti-SPAM "Before New Mail Arrives" agent in these databases and it would hypothetically delete the SPAM before it is deposited there, eliminating the buildup of thousands of documents in these databases.
Ideally, we would want to deny incoming mail connections based on IP address, but in our case we can't do this. All incoming SMTP mail from the Internet first goes to our mail firewall (non-Domino), then gets passed to Domino. Domino cannot reject based on IP address because it sees all inbound mail as coming from the IP address of the firewall (making IP address filtering useless). I have asked many times whether we can have Domino accept SMTP mail directly from the Internet, but our IT managers are unwilling to do this.
Does anyone have any suggestions as to how to block this stupid W32.Sobig.F@mm? I have read that it is supposed to deactivate on September 10, but that's still weeks away and I am having to spend hours every day manually clearing out the mail1.box and mail2.box when mail routing slows to a crawl. Any ideas would be appreciated.