The virus-carrier messages may have been sent from one or more computers infected with the Klez, Exploit-Mime, or similar viruses. These are mass-mailing viruses which send copies of themselves to addresses which they find in files on the infected system. They also forge the return addresses, using - you guessed it - addresses which they find in files on the infected system. This would explain why one message had a return address that used to be valid, and the other had a return address on a system that was not powered on when the message was sent. Between Sunday morning and Tuesday afternoon, our email anti-virus server trapped approximately 4000 copies of these two viruses. In addition, our Help Desk was being inundated with phone calls and email messages from people whose addresses had been forged, and who were now receiving delivery error or "virus detected" messages. We thought we had a major epidemic on our hands, until we analyzed the logs and found that over 3700 of the virus-carrier messages came from one system, about 200 came from another system, and the rest came from less than 20 other systems, most at other sites. We have found that "Language= NoHTML" and "Attachments= No" are also effective tools for preventing a list from being used a vector for the distribution of most email-borne viruses, particularly since they do not require the list to be configured for full moderation. Never attribute to malice that which can be explained by stupidity. -- Paul Russell Senior System Administrator University of Notre Dame