Sobig-F Information


There has been a very fast virus spreading over the last few days, generating huge amounts of infected and unwanted e-mail.

What about the X-MailScanner header in it?

In a nasty attempt to discredit MailScanner, every message generated by the virus has a header in it that says

X-MailScanner: Found to be clean
This header has been inserted by the virus itself, it has not been inserted by any real copy of MailScanner. MailScanner successfully identifies and disinfects this virus without any problem at all.

Why am I getting all this mail from you?

First of all, the mail is not coming from us. Please read on...

This virus sends e-mail messages with a fake "From" address, which might happen to be your address. MailScanner knows about a list of viruses that do this, and knows not to respond to the sender if the message contains any of these "faking" viruses. However, it is currently up to the individual system administrators to keep this list up to date. If they haven't added "Sobig" to the list, then their MailScanner will continue to issue warnings to the senders, not knowing that they are fake.

We are working hard to inform these system administrators that their list needs attention, and have changed the default behaviour in new installations of MailScanner.

MailScanner Administrators

Please change the default setting of "X-MailScanner:" in your MailScanner.conf file, to something that includes an abbreviation of your site name, such as "X-ECS-MailScanner:" so you can distinguish your header additions from those inserted by this virus.

Julian Field