Over an 11 hours timespan today, I received 5923 SoBig.F and bounce messages. Some of those may have been real email, but less than 5. And I'm happy to lose them. That's 471Mb of email, which came in at about .7 Megabytes a minute.
Now that I've got some overwhelming statistics, I'm going to delete all this crap.
But, since I like knowing this crap, I'm logging all the headers.
:0 Bh
* L7IthuqUttkbaI5toW/Ma9cREwXJr2bGKxWUSLB1PIIaS01RbFxQRCXoVDbDEpq4Y
sobig.f
Update:
This is a little more liberal, but SoBig.F seems to be spitting out malformed date headers. So even if something inline has stripped out the virus content, this rule will catch em:
:0 Hh
* Date:.*--
sobig.f
