Don't let an auto-responder fool you during Sobig worm outbreak

August 20, 2003 Sophos Press Release

Der SobigF �A;Wurm kann die EMailAdresse des Senders fälschen

Sophos has received reports from customers concerned about auto- responders that are wrongly accusing them of sending an email infected with the W32/Sobig-F worm.

'Sender forging' or 'spoofing' is when an email address of an infected computer is replaced with another address, often randomly plucked off the infected computer by the virus. Sender forging is normally done just before the virus sends itself out to more potential victims. By changing the address in the 'Sender' field, no one knows who sent the email or where it came from.

Some gateway applications that scan email attachments for viral content email auto-reply when a virus is found. If the 'Sender' name has been forged, the auto-reply can be received by an innocent party, causing undue confusion and stress. A false accusation may even harm your company's relationship with clients.

"Sobig-F is not the first virus to forge email addresses," said Carole Theriault, technology consultant at Sophos Anti-Virus. "Other notorious viruses such as Bugbear, Fizzer, Mimail and Klez have also used spoofing. The confusion generated has often allowed viruses to spread faster and wider."

Sophos recommends that users do not respond to emails from auto-responders accusing them of being infected and spreading the Sobig-F worm. However, they should consider double-checking their computers for the latest viruses just in case they are genuinely infected.

It is also advisable to run email gateway scanners such as Sophos MailMonitor to block viruses from being sent into or out from a network - however, as seen above, Sophos advises that setting up an auto-respond mechanism is fraught with problems.

Further reading: Read instructions on how to remove the W32/Sobig-F worm and ensure your system is not vulnerable to reinfection.