With the new crop of email viruses – the ones that fake the return address based on the same sources (address books, web caches, etc.) as the target list – you get a few interesting effects.

The first is that there is a good chance you’ll recieve many copies of the virus from the same source, with different return addresses. I saw this a lot in the recent Sobig outbreak: when our mail server deletes a virus, it logs the sending and receiving addresses and the IP of the connecting server. Some IP addresses would send hundreds of copies of the virus, all to the same recipient, all with different return addresses. So it would look like hundreds of people are sending you the same virus, but in reality, it’s just one infected machine.

The other is the “friend of a friend” effect. You may get the virus from someone who knows you (or has just visited your web page), but it looks like it came from someone who knows them (or someone else whose web page they visited). Two degrees of separation.