Kevin asked, | I have a couple of lists using SmartList which are announcement-type | lists. Only the moderator is allowed to post to them. Today, one of the | moderators asked if his announcement was sent out twice last week. The | mail logs showed two receipts from his address to the email list's | address. One was from our mail system, but another was from a system I | didn't recognize. Since both were from him (had his email address in the | From: field), the message was sent out twice. The second one could have | possibly contained a virus, since the message size was about 1700 bytes | larger than the first. I'm a little confused about the details: this announcement list has several moderators, one of whom posted once last week, but there are two logged messages From: that moderator to the list's posting address? Likely some other list member has address book entries for both the moderator who was named in From: and the list's posting address. When Klez mails itself to someone in the infected user's address book, it takes another entry from the address book for its From: line. You can find the real sender in Return-Path:. The second worst thing you could do (the worst thing being running the attachment and infecting yourself) is to blame the person named in From:. | 2.) Is there any protection to avoid this? I can't think of any setting | to make the system reject messages from the moderator which DON'T come | from a particular mail system. Is there any other way? Moderator must | approve his own posts? Of course the moderator must approve his/her own posts, or use a secret passworded header such as Roger was describing. Otherwise, even if there were no such things as email worms, disgruntled members or other krackers could post any text at all directly to the list by forging the moderator's From: line. But it is foolhardy for a list to roll out the red carpet for every arriving message with the moderator's address in From:.