Finding the real SoBig.F sender


SoBig.F victimizes innocent bystanders by sending out its worm email with fake From addresses. SoBig.F searches through the real infected person's hard drive, sifting through their files looking for email addresses. SoBig.F then composes its email using the found addresses in both the From and To lines of the email.

And SoBig.F doesn't just do this once like most other email worms. Instead, it repeatedly sends the emails from the infected user's machine until its hard-coded stop date, September 10th, 2003. This can translate into hundreds, even thousands, of infected SoBig.F emails all originating from one source - but all sent in someone else's name.

Ironically, the one person whose name never seems to appear in the From field of the SoBig.F email is the actual person who is infected and whose machine is spurting out this malicious spam worm. In essence, those who never become infected by the worm are the real victims and often have to contend with other angry recipients who don't understand the forging technique and accuse them of being the sender.

As if SoBig.F's volume weren't enough, the innocent also receive the out-of-office replies, undeliverable-message bounces, and virus alerts generated when the forged email encounters poorly configured mail servers and security products that reply to the From address. These return notifications cause additional stress for everyone except the infected person, who remains blissfully unaware of the scourge to which they are subjecting their friends, family, and colleagues.

The step-by-step guide that follows, Reading Email Headers, is based on an actual SoBig.F email from one infected source which, within a short 24 hours, was responsible for spamming over 300 of these emails to a single recipient.
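The point of the header-reading exercise is that the From line says nothing about who sent the message; only the Received lines stamped by the mail servers along the path do. The following added example (not part of the original article, and not based on the real headers it refers to) parses a constructed SoBig.F-style message whose From address is a harvested bystander, walks the Received chain from the earliest hop, and returns the IP address the first receiving server recorded for the injecting host. The hostnames, addresses and message IDs are constructed sample values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the forging pattern described above: the From
# address belongs to an uninfected bystander harvested from the infected machine.
# Each MTA prepends its own Received line, so the last one is closest to the origin.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Thu, 21 Aug 2003 10:05:12 -0400
Received: from alice-pc (dialup-198-51-100-77.example-isp.net [198.51.100.77])
\tby mx.example.org with SMTP id def456; Thu, 21 Aug 2003 10:05:01 -0400
From: "bob" <bob@example.com>
To: carol@example.net
Subject: Re: Details
Message-ID: <20030821140501.1234@example.org>

See the attached file for details.
"""

# Receiving MTAs record the connecting peer's address as a bracketed literal.
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> list:
    """Received headers ordered from the earliest hop (origin) to final delivery."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def origin_ip(raw: str):
    """IP the first server in the chain recorded for the host that injected the mail.

    Caveat: a sender controls everything it hands over, including any Received
    lines it chooses to prepend itself, so only the lines added by servers you
    trust are reliable. Here the sample contains no sender-supplied lines.
    """
    chain = received_chain(raw)
    if not chain:
        return None
    match = PEER_IP.search(chain[0])
    return match.group(1) if match else None


def claimed_vs_actual(raw: str) -> dict:
    """Pair the forged From address with the recorded origin for comparison."""
    from_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return {"from_header": from_addr, "origin_ip": origin_ip(raw)}
```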

