>> Can't we just hack the mailman configs to dump mails with X-sender value
>> of outlook or outlook express? That would solve the problem, no;)
>
> Well, the only problem with that idea is that we explicitly do *NOT* have
> a "Your clue must be ->THIS<- tall to ride the IETF list" policy... ;)

The Sobig worm includes its own SMTP code, and places arbitrary values in the header fields. The source address is forged, and so are various other fields, including X-Mailer. The worm finds target source and destination addresses by reading files on the user's disk, not by using a specific Outlook or OE API. It propagates by "social engineering", when users open some executable attachments. Users can click on attachments with many mailers, not just Outlook and OE. In fact, the latest versions of Outlook automatically strip such attachments.

-- Christian Huitema
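Added example (not part of the original message): a Python sketch comparing the header-based filter proposed in the quoted text with a check on attachment type, run over constructed messages. The extension list, addresses, mailer strings and function names are assumptions made for the demo.

```python
from email import message_from_string
from email.message import EmailMessage

# Assumed, illustrative list of Windows executable extensions (not from the post).
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")


def header_filter(raw):
    """Filter from the quoted proposal: hold mail whose X-Mailer names Outlook."""
    msg = message_from_string(raw)
    return "outlook" in (msg.get("X-Mailer") or "").lower()


def attachment_filter(raw):
    """Hold mail carrying an executable attachment, whatever the headers claim."""
    msg = message_from_string(raw)
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        # Match on the final extension so "document.txt.scr" is still caught.
        if name.endswith(EXECUTABLE_EXTS):
            return True
    return False


def build(x_mailer, attachment=None):
    """Construct a sample message; every value here is made up for the demo."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"   # chosen by the sender, so forgeable
    msg["To"] = "list@example.org"
    msg["X-Mailer"] = x_mailer            # chosen by the sender, so forgeable
    msg.set_content("See the attached file.")
    if attachment:
        msg.add_attachment(b"inert placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


SAMPLES = {
    "legitimate Outlook user": build("Microsoft Outlook"),
    "forged non-Outlook X-Mailer": build("ExampleMail 1.0", "details.pif"),
    "forged Outlook X-Mailer": build("Microsoft Outlook", "document.txt.scr"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:30} header_filter={header_filter(raw)!s:5} "
              f"attachment_filter={attachment_filter(raw)}")
```

The header filter holds the legitimate Outlook user and passes the message with a forged non-Outlook X-Mailer; the attachment check gives the opposite, correct result on both.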