Holy Deluge of Microsoft Worms, Batman!

"Here, Outlook Express, run this program."

"Okay, stranger."

— Clifton T. Sharp Jr's Usenet signature

On Thursday 2003-09-18, my Internet mailbox J.deBoynePollard@tesco.net began to receive copies of the W32/Swen.A@mm Microsoft Worm. By Friday 2003-09-19 00:30, the rate of arriving messages had already grown to 1 per minute.

Over subsequent days, this rate increased and the mailbox has been completely filled several times. On Saturday 2003-09-20, two copies of the Microsoft Worm were arriving per minute. By Monday 2003-09-22, five copies of the Microsoft Worm were arriving per minute. At this point, during the time that it takes just to retrieve a mailbox-ful of messages off the POP3 server, another couple of hundred arrive.

I could have probably deleted the mail somewhat more quickly with IMAP, but TescoNet does not provide IMAP service. TescoNet also provides no filtering before mail reaches my mailbox. It is an advocate of client-side filtering (i.e. downloading all of the mail via POP3 in order for one's own machine to inspect it, which is what I was doing), and its advice is to

just delete unsolicited email and forget it

because

It's quick, it's easy, it takes only seconds, plus it's virtually stress-free

My experience is that this is, on every point, a lie.

I spent vast amounts of time simply deleting

Moreover: I worked out that at the peak of W32/Swen@mm I was consuming network bandwith between my machine and tesco.net's POP3 server (to download the mail and then "just delete the unsolicited mail and forget it") at the rate of 1.03 GiB per day. That's over the 1GiB/day threshold at which my ISP determines that a customer is incurring excessive use, just to keep my mailbox clear of junk in the manner that my ISP prescribes and do nothing else over Internet at all.

Users of Microsoft's sophomorically broken mail software (The flaw in Outlook Express that this Microsoft Worm takes advantage of is an amazingly asinine piece of bad design.) and moronic mail administrators who really should have known better, ruled what I did with my day and caused so much bandwith to be consumed in dealing with the results of their actions that my ISP would have cut me off.

On 2003-09-22 I therefore decided to stop being Sisiphus for a while.

The rock rolled down to the bottom of the hill, and I decided to let it stay there. My mailbox filled up, with nothing but copies of the Microsoft Worm and stupid messages from mail system scanners, and I left them there. As a consequence, TescoNet's SMTP Relay server rejected all further incoming mail with an error.

For months, things remained this way. TescoNet "helpfully" emptied my mailbox on 2003-09-25. It promptly filled up with another 125MiB of Microsoft Worms, at three per minute. I emptied it again myself on 2003-09-26, and again it filled up in short order. I checked the Microsoft Worm traffic level at occasional intervals thereafter.

By 2003-12, the level of W32/Swen@mm traffic had died down to the extent that my mailbox would fill up slowly enough that I wouldn't have to spend all of my time emptying it just in order to make it usable. I therefore started pushing the rock up the hill again.

But this didn't last. The W32/Mydoom.A@mm Microsoft Worm came along in 2004-01. Not only did I start receiving copies of that from witless people all over the world, but there was a concomitant resurgence (which I have not found an explanation for) in W32/Swen@mm right along with it.

As of 2004-02-13, I'm back to receiving roughly one copy of W32/Swen@mm per minute. I've therefore let the rock roll down to the bottom of the hill again.

Once bitten, twice shy. If I switch my well-known public mailbox to somewhere else, that's going to suffer in the same way eventually (and the mailbox name harvesting techniques are always improving). If this Microsoft Worm dies down again, there will just be another along in a month or so.

I've decided to give up on SMTP-based Internet mail as a bad job.

Be warned: Where I am is where you will be soon, no doubt.


© Copyright 2003–2004 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp information is preserved.