> > The viruses can use the credentials of the infected user. That is > > "legitimate", until someone reading the email realizes its not and > > complains. These send 40-50 messages per IP, and is hard to detect as > > bulk. Reports from some operators of DCC clients at non-trivial sites claim that the DCC does a tolerable job against SoBig.F. This is without the Greylist support now available in the DCC client code. The DCC detects bulk mail, defined as substantially identical messages from any SMTP client senders. I'd not expect the DCC to do well against most worms or viruses. SoBig is somewhat different. (I won't talk those differences in public or with people I don't know well enough to say they'll also be descrete. Like other people who care more about fighting viruses and spam than being known as fighters of viruses and spam, I think the profit in idle chatter is not worth the cost of giving even trivial aid and comfort to the bad guys.) As has been pointed out, all of this belongs in the ASRG mailing list if anywhere. See http://irtf.org/charters/asrg.html and https://www1.ietf.org/mail-archive/working-groups/asrg/current/maillist.html Vernon Schryver vjs@rhyolite.com