W32-So…. SUCK!

[picture: mail i never sent!]

See that? It’s part of an email I received yesterday afternoon. It’s part of a bounced message I apparently sent. Except I did not.
See the To: address? That UBC address? I don’t know who that is. See the line highlighted in blue? “btopenworld.com” is an ISP in the UK. When I first saw this note I thought, gee, whoever sent this message — pretending to be me — was on a different continent. That’s pretty weak!
Then, five minutes later, I got another message, similar to this one. Three minutes after that, another.
Alright, fine. After examining the contents of a few of the notes, I googled for a bit and discovered it was the “W32-Sobig” virus. No, not this one (or even this crazy thing), but similar. A combination of W32-Sobig variants E and F@mm, from what I can tell.
It’s particularly nasty because it causes two-way congestion — not only by sending itself to everyone in the infected computer’s email addressbook, but also by forging the “From:” field of the emails it sends, using other addresses picked from that same addressbook. When the email gets blocked by all those smart, virus-filtering ISPs, those ISPs send a message back to the (in this case, spoofed) originator telling him or her that his or her message was blocked.
A real life analogy: stealing someone’s addressbook (you know, with street addresses and what-not), taking two addresses out, writing one as the recipient, one as the return, putting a big note inside the envelope which says “I am a Really Bad Thing”, sealing it, and dropping it in a postal drop box. And when the mailman goes to drop it in the recipient’s mailbox, the mailbox snarls at the postman and says “Geez, dumb postman, can’t you see this is a Really Bad Thing you’re trying to deliver?” at which point the postman takes back the envelope, and returns it to the address marked on the envelope — which was, of course, selected at random by a third party and not really the point of origin at all.
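One way to tell these bogus bounces apart from bounces for mail you really did send, as an added example in Python that is not part of the original post: a delivery-status report normally carries a copy of the rejected message (or at least its headers), and the topmost “Received:” line on that copy was stamped by the server that rejected it, naming the machine it actually got the mail from. If that machine is not one of your own outbound relays, you never sent the message and the bounce is backscatter from the worm. The hostnames, addresses and the two sample bounces below are all constructed for the example.

```python
import email
from email import policy

# The relays that really carry our outgoing mail (constructed example value).
OUR_OUTBOUND_HOSTS = {"mail.example.org"}


def extract_original(bounce):
    """Return the rejected message embedded in a DSN, or None if there is none.

    Bounces usually attach the original as message/rfc822; some only attach
    its headers as text/rfc822-headers, which we parse into a message too.
    """
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content()          # the embedded EmailMessage
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def last_hop_is_ours(original, our_hosts):
    """True if the newest Received: line (added by the rejecting server) names
    one of our relays. Older Received: lines could have been forged by the
    sender, so only this one is consulted."""
    received = original.get_all("Received", [])
    if not received:
        return False
    return any(host in received[0] for host in our_hosts)


def classify_bounce(raw, our_hosts=OUR_OUTBOUND_HOSTS):
    """Classify a raw bounce as 'genuine', 'backscatter' or 'unknown'."""
    bounce = email.message_from_bytes(raw, policy=policy.default)
    original = extract_original(bounce)
    if original is None:
        return "unknown"
    return "genuine" if last_hop_is_ours(original, our_hosts) else "backscatter"


# Constructed sample 1: a worm copy injected from a UK dial-up host, with our
# address forged into From:, rejected by a remote mail exchanger.
BACKSCATTER = b"""\
From: Mail Delivery System <MAILER-DAEMON@mx.remote.test>
To: me@example.org
Subject: Undeliverable: Re: Thank you!
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was blocked because it contained a virus.
--b1
Content-Type: message/rfc822

Received: from host-198-51-100-7.dialup.isp.test by mx.remote.test
From: me@example.org
To: someone@remote.test
Subject: Re: Thank you!

See the attached file for details
--b1--
"""

# Constructed sample 2: a message we really sent through our own relay,
# bounced because the mailbox does not exist.
GENUINE = b"""\
From: Mail Delivery System <MAILER-DAEMON@mx.elsewhere.test>
To: me@example.org
Subject: Undeliverable: lunch?
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

Mailbox does not exist.
--b2
Content-Type: message/rfc822

Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.elsewhere.test
From: me@example.org
To: friend@elsewhere.test
Subject: lunch?

Lunch tomorrow?
--b2--
"""

if __name__ == "__main__":
    print(classify_bounce(BACKSCATTER))   # backscatter
    print(classify_bounce(GENUINE))       # genuine
```

The rule is deliberately conservative: it trusts only the Received: line added by the server that bounced the mail, since everything below it in the copy came from the sender. Bounces that attach neither the original nor its headers come back as "unknown" and are best left for a human rather than filed as spam; a stronger check, where you have them, is to match the bounced copy against your own outbound mail logs.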
What a mess!
The thing that pisses me off in this situation is that it now looks like I’m sending viruses all over the place. I couldn’t spread it even if I wanted to. I’d need Windows for that.
Update, 4:20pm: Mac OS X Hints this morning published a hint about how to filter at least some of this spam. (Probably doesn’t help much with the bounce messages, though.)
Update, 8/21, 12:31pm: Anti-virus company Sophos has written up an article about the effects of w32.sobigf on Mac users. The “bounce” messages seem to have calmed down for me, at last. Phew.