This is the Hybris virus, a WIN32 virus which infects WSOCK32.DLL on Windows 95/98/NT systems. It intercepts network traffic, scanning for strings which appear to be email addresses, then sending copies of itself to those addresses. The envelope sender address is always null, making it difficult to block at the MTA level. I have seen numerous copies of this virus in the past week, all with the return address "[log in to unmask]" (not .com). This is a non-existent domain. LISTSERV postmasters can block it by adding "*@sexyfun.net" to the "FILTER-ALSO" keyword statement in the site configuration file. List owners can block it by adding that address to the "FILTER" keyword in the list configuration. For more information about the Hybris virus, see your favorite anti-virus software vendor's web site. To identify the source of a specific Hybris carrier message, analyze the message headers. If the sender's ISP is using decent mail server software, you should be able to determine the IP address from which the message originated and the mail server through which the message was sent. This information may enable you to identify the sender. At the very least, it will enable you to identify the sender's ISP. You can then notify the ISP that one of their customers is using a virus-infected machine. I forward a copy of the carrier message with complete headers, but without the attachment. On Thu, 7 Dec 2000 13:26:53 -0500, Margaret J. Brandt <[log in to unmask]> wrote: > ... the from address, [log in to unmask] is not a subscriber to my list. -- Paul Russell Senior Systems Administrator University of Notre Dame