yes you are correct. Klez doesn't keep the real from address.. so it can be seen as it was sent from someone who is not infected -----Original Message----- From: Darien Allen [mailto:drallen@xxxxxxxxxxxxxxxxxxxx] Sent: Thursday, August 22, 2002 4:03 PM To: [ExchangeList] Subject: [exchangelist] Dealing with Klez noticies http://www.MSExchange.org/ I've had an influx of a few users who are receiving administrative notices from other servers that the emails they are sending out are infected with Klez. As you know Klez works by attaching to the "To" portion of the email ANY email address it finds in the addressbook of the infected user. So that it looks like it's coming from a different person that the one whose really infected. I've told my users that there systems are clean (I've run 2 different Klez detection utilities to confirm this) and that there unfortunately isn't anything I can do as the infected person could be anyone who has ever sent them an email address. Am I correct in this regard? Darien Allen Center for Poverty Solutions --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.381 / Virus Database: 214 - Release Date: 8/2/02 ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: robert@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') This mail was content checked for malicious code and viruses by GFI MailSecurity. GFI MailSecurity provides email content checking, exploit detection and anti-virus for Exchange & SMTP servers. Spam, viruses, dangerous attachments and offensive content are removed automatically. Key features include: Multiple virus engines; Email content & attachment checking; Exploit shield - email intrusion detection & defence; Email threats engine - analyses & defuses HTML scripts, .exe files & more. In addition to GFI MailSecurity, GFI also produces the GFI FAXmaker fax server & GFI LANguard network security product ranges. For more information on our products, please visit http://www.gfi.com. This disclaimer was sent by GFI MailEssentials for Exchange/SMTP.