UPS and Tax Refund messages

I am being continually barraged by these two phishing and Malware emails (UPS Delivery and "Tax Refund Application" - as if!). The first comes in a batch of spam including the same one every time from Mariner Software so I suspect this is where my email address was obtained by the spammers. I run Sophos and erase and delete the emails and attachments in my library/mail/etc accounts but they raise their heads again like in Deliverance. Any ideas how to rid me of these troublesome trysts?

  • We generally label those as BredoLab malware here in the labs; your best bet is to either use an email filtering product, or set up your own custom filters.

    As SAV should detect almost all of the zip attachments that come with those emails, you could possibly write some applescript to *silently* auto-delete any messages containing detected malware (you could go even further and do it only if it detects on, say, BredoZp -- our detection that detects the actual zip file, as opposed to its contents).  Best bet is to set up some filtering at your ISP's level though.  While my personal ISP doesn't catch as many of these as Sophos products do, it still catches enough that the ones that slip through and get deleted at the mail client are much less painful.

    The biggest way to avoid these in the first place is to only give out throwaway email addresses -- webmail accounts, etc. so that 1) you've got some strong mail filtering behind your account, and 2) if it gets too bad, you can always scrap the account and create a new one.  Just give out your official account to actual people you want to communicate with; leave the other accounts for businesses and online signups.

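The reply above suggests custom filtering as a stop-gap: quarantine messages that both use one of the lures named in this thread (UPS delivery, tax refund) and carry a zip attachment, while anything that only half-matches is held for review. The script below is an added example written for this thread, not Sophos code and not the AppleScript the reply mentions; it uses Python's standard `email` module on constructed sample messages so it runs offline. The lure patterns, the `.zip`-only attachment rule and the three actions (`quarantine`, `review`, `deliver`) are assumptions chosen for illustration; in a real deployment the anti-virus verdict on the attachment, not the subject line, should be what drives the silent delete.

```python
"""Offline mail-filter sketch for the lures discussed in this thread.

A message is quarantined only when BOTH a lure subject and a .zip
attachment are present; one signal alone is held for review so a
legitimate zip or a legitimate "refund" mail is not silently dropped.
Sample messages are constructed below; nothing here is Sophos code.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lures seen in the thread (assumption: case-insensitive matching)
LURE_PATTERNS = [
    re.compile(r"\bUPS\b.*\bdeliver", re.I),   # "UPS Delivery ..." variants
    re.compile(r"\btax\s+refund\b", re.I),     # "Tax Refund Application"
]
# The thread only mentions zip attachments, so that is all we flag here
ARCHIVE_SUFFIXES = (".zip",)


def has_archive_attachment(msg):
    """True if any MIME part is an attachment whose filename ends in .zip."""
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            return True
    return False


def matches_lure(subject):
    """True if the subject matches one of the lure patterns above."""
    return any(p.search(subject or "") for p in LURE_PATTERNS)


def classify(raw_bytes):
    """Return 'quarantine', 'review' or 'deliver' for one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    lure = matches_lure(msg.get("Subject", ""))
    archive = has_archive_attachment(msg)
    if lure and archive:
        return "quarantine"
    if lure or archive:
        return "review"
    return "deliver"


def filter_mailbox(raw_messages):
    """Classify a batch of raw messages; returns {action: [subjects]}."""
    result = {"quarantine": [], "review": [], "deliver": []}
    for raw in raw_messages:
        subject = email.message_from_bytes(raw, policy=policy.default).get("Subject", "")
        result[classify(raw)].append(subject)
    return result


def build_sample(subject, attach_name=None):
    """Construct a sample message (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = subject
    m.set_content("Please see the attached document.")
    if attach_name:
        # Fake zip header bytes; the content is never opened
        m.add_attachment(b"PK\x03\x04constructed", maintype="application",
                         subtype="zip", filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("UPS Delivery Notification", "UPS_label.zip"),
        build_sample("Tax Refund Application"),
        build_sample("Quarterly report", "report.zip"),
        build_sample("Lunch on Friday?"),
    ]
    for action, subjects in filter_mailbox(samples).items():
        print(f"{action:10s} {subjects}")
```

Running the script prints one line per action with the subjects placed there; only the message that combines a lure subject with a zip attachment lands in `quarantine`. Mail.app rules or the AppleScript approach from the reply would be the native place to hook this logic in on a Mac.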
  • Thanks Andrew.  I already have the throwaway addresses.  I bought a business product from mariner which seems to be where the email address has gone feral.  I suppose I am concerned that the constant popping up of the email means that it is resident still on my disk and I am not finding the true source.  As soon as I delete it, it comes again which seems to indicate that there is some connection between the deletion and reappearance.  Am I mistaken?  If not, where could it be?

  • If you're still getting detections after deleting the emails and attachments, with no new emails coming in, there's probably a copy of one of these stuck in a cache folder somewhere.  Your best bet is to do a custom scan and proceed as I've outlined here: http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Troj-Chepvil-A-UPS-Delivery/td-p/2469/

    As an alternative, it's possible you've got a Time Machine backup that's already backed the item up -- after checking the path where the detection is found, navigate Time Machine to that location and right click the file to delete all backups.

    If it's not a backup, is it possible you've got this sitting on some external read-only file storage, such as a locked USB disk or Apple File Share?

  • Thanks.  I will try this.  Can't be Time Machine as my external hard drive has crashed and I haven't been running it for the past two weeks and it's not connected now.  Ditto read-only.  So I will try the other.

    Just to be clear, after I trash then delete the email and the attachment separately in the User/Library/Mail/etc file, which I now see comes with five other spam emails surrounding it, within 30 minutes they all pop up again as detected, all with the same file numbers (e.g. 49808 - 49812) as they had previously.  There is no email in my mail client although if I run a Spotlight search, the email will then show up in the Mail client and always as having arrived on 22 February, 2011.  So it seems as though there is something within my system which is generating the suite of spam emails.

    I'll try the caches as well.  Thanks again.

  • Well, fingers crossed, I ran a custom scan specifying that it look inside everything and delete whatever it found. It tells me it found one item and nothing has popped up again since.  I believe that there was/is a file there that was generating the emails as they were not coming in over the wire - they did not get caught by the filters as a result but responded if I manually applied the filters.  Thanks again and I hope it is the last I see of them or at least that I will now be able to dispose of them as soon as they come by running the scan.

  • Spoke too soon. I have found that Sophos doesn't remove the messages and they have reappeared in my library file even though they appear to be not so active.  Once I removed them from library file, this reactivated whatever it is that is encoded in the messages and they are reappearing. Is this something Sophos is concerned about or should I look for another product?
