According to antivirus vendor F-Secure, SoBig.F is a mass-mailing worm that arrives in an email bearing one of the following Subject lines:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
The body of the email will be one of the following:
See the attached file for details
Please see the attached file for details.
The attached file will be named as follows:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
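The subject lines, body text and attachment names above can be matched mechanically at a mail gateway. The following is an added example (not F-Secure's or the original article's code) that parses a raw message with Python's standard library, reports which of the page's indicators it matches, and treats a matching subject alone as too weak to act on; the sample message is constructed for illustration.

```python
import email
from email import policy
# Indicators exactly as listed on the page
SOBIG_SUBJECTS = {"Re: Thank you!", "Thank you!", "Your details", "Re: Details",
                  "Re: Re: My details", "Re: Approved", "Re: Your application",
                  "Re: Wicked screensaver", "Re: That movie"}
SOBIG_BODIES = {"See the attached file for details",
                "Please see the attached file for details."}
SOBIG_ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
                     "your_details.pif", "details.pif", "document_9446.pif",
                     "application.pif", "wicked_scr.scr", "movie0045.pif"}

def sobig_indicators(raw: bytes) -> list[str]:
    """Return the SoBig.F indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in SOBIG_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # every MIME part, including nested ones
        name = part.get_filename()
        if name and name.lower() in SOBIG_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name and name.lower().endswith((".pif", ".scr")):
            hits.append("executable-attachment:" + name)  # weaker signal
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in SOBIG_BODIES:
        hits.append("body")
    return hits

def is_likely_sobig(raw: bytes) -> bool:
    """Subject lines are ordinary phrases; require a listed attachment as well."""
    hits = sobig_indicators(raw)
    return "subject" in hits and any(h.startswith("attachment:") for h in hits)

SAMPLE = b"""From: spoofed@example.com
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

See the attached file for details
--sep
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"

MZ
--sep--
"""  # constructed sample message, not a real capture
```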
SoBig.F spoofs the sender name, so the From line identifies neither the actual sender nor the infected machine from which the worm is being sent without its owner's knowledge. SoBig.F also includes its own SMTP engine, so it works independently of the mail client, and infected users will not find copies of the worm's email in their Sent folder. To harvest addresses for both the From and To lines, SoBig searches files with the following extensions: .DBX, .EML, .HTM, .HTML, .TXT and .WAB.
SoBig.F is self-updating, so the components it brings onto a system may vary and may be difficult to detect. However, a system protected by an adequately configured firewall should block SoBig's attempts to send copies of itself out, as well as its attempts to download updates unnoticed.
Like previous variants, SoBig.F is hard-coded to stop spreading on a specific date, in this case September 10, 2003. The spam proxy servers set up by the worm and any other backdoor components uploaded to the infected system will continue to function indefinitely.