Net filtering provider MessageLabs has done a back-flip after yesterday releasing figures suggesting the number of e-mails infected by Sobig.f targeted at Australian inboxes was small.

MessageLabs yesterday said that less than 0.32 percent of 1.4 million e-mails found to be carrying the virus by its heuristic scanning system were targeted at Australians. However, today the company moved to reverse perceptions Sobig.F (w32.sobig.f@mm) activity in Australia was limited.

MessageLabs Asia Pacific marketing manager Jack Handley has conceded that the figures released by the company yesterday should be disregarded as the company's Australian-only business represents a very small percentage of its client base.

MessageLabs now says it stopped 250,000 copies of Sobig.F on behalf of its Australian clients within the first week of its release. Given, said Handley, that Messageabs monitors less than one percent of Australia's e-mail traffic, he conservatively estimates that Australian e-mail gateways carried a quarter of a billion e-mails bearing Sobig.F.

And that figure could go as high as 2.5 billion, with Handley saying that MessageLabs client-base in Australia could represent as little as 0.01 percent of traffic it monitors globally.

While MessageLabs filters normally stop around one in every 400 of its clients' global e-mail traffic every 15 minutes, at the peak of the Sobig.F outbreak MessageLabs was blocking one e-mail every 12 seconds.

Sobig.F has been classed as one of the most virulent strands of malicious code to be released on the Internet, but Handley indicated it was probable that MSBlaster played a role in its success.

According Handley, miscreants need open-relays (unsecured mail servers that freely allow unauthenticated users to relay messages to e-mail addresses) to cover their tracks when mass-mailing viruses and spam. Handley argues that during the confusion caused by MSBlaster there would have been an increase in the number of open-relays available for mischief.

"Anywhere that server security was compromised -- [MS]Blaster is the kind of exploit where that can happen -- can be used to relay either spam or viruses," said Handley.

According to Handley, most Trojan-type viruses only have a 12-hour window of opportunity in which anti-virus companies scramble to updates their software to halt the spread of new code

Sobig.F is the fifth variant of the Sobig trojan to be released by virus writers since January. New mutations are expected after the virus expires September 10, 2003.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.