At 10:39 AM 1/30/2004, Joshua Olson wrote: >The only scenario I could think of would be that a mutual acquaintance has >the virus and it picked my client randomly as the sender from their address >book. Does that seem consistent with MyDoom? Yup. Six degrees of separation. Also - the MyDoom trojan scans multiple files types for email addresses. I'm seeing infected email coming in from addresses that are only on my web pages which means it's harvesting from web caches. Via the headers you can usually find the IP address of the sender because the MyDoom trojan has it's own internal SMTP service. You can then compare that to your mail archives to see if someone else has sent you mail with that IP in the header - might be able to identify them that way. If it's a static IP, then a note to their ISP could help too. --- Anthony Baratta President Keyboard Jockeys "Conformity is the refuge of the unimaginative."