Sophos has received reports from customers concerned about auto-
responders that are wrongly accusing them of sending an email
infected with the W32/Sobig-F worm.
'Sender forging' or 'spoofing' is when an email address of an
infected computer is replaced with another address, often randomly
plucked off the infected computer by the virus. Sender forging is
normally done just before the virus sends itself out to more
potential victims. By changing the address in the 'Sender' field,
no one knows who sent the email or where it came from.
Some gateway applications that scan email attachments for viral
content email auto-reply when a virus is found. If the 'Sender'
name has been forged, the auto-reply can be received by an innocent
party, causing undue confusion and stress. A false accusation may
even harm your company's relationship with clients.
"Sobig-F is not the first virus to forge email addresses," said
Carole Theriault, technology consultant at Sophos Anti-Virus.
"Other notorious viruses such as Bugbear, Fizzer, Mimail and Klez have also used
spoofing. The confusion generated has often allowed viruses to
spread faster and wider."
Sophos recommends that users do not respond to emails from
auto-responders accusing them of being infected and spreading the
Sobig-F worm. However, they should consider double-checking their
computers for the latest viruses just in case they are genuinely
It is also advisable to run email gateway scanners such as
Sophos MailMonitor to block viruses
from being sent into or out from a network - however, as seen
above, Sophos advises that setting up an auto-respond mechanism is
fraught with problems.
Further reading: Read instructions on how to
remove the W32/Sobig-F worm and ensure your system is not
vulnerable to reinfection.