Most viruses and worms spread by email, hitching a ride along with all the spam. It's a particularly effective route for malware and often exploits our psychology. From "I love you" to "Bin Laden captured", the virus-mongers know what makes us click.
So how are these emails sent? In days gone by they would hook into the user's email client, but email clients are better defended now and few successful worms will bother. Instead, they install their own SMTP engine and cut out the middle-man, talking directly to the recipients' mail servers on port 25. Once installed on a broadband-connected PC, a worm like this can churn out a huge volume of messages.
I had an unpleasant reminder of this recently, when one such machine started sending thousands of messages with my email address as the faked sender. Spam filters can wrongly identify genuine messages, so I glanced through all my email. I was getting about 2,000 viral messages an hour. The headers identified the source of the problem, a machine on the network of a large and highly reputable UK ISP.
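Tracing a forged-sender message back to the machine that sent it means reading the Received: headers from the top down and stopping at the first hop that one of your own servers recorded from a host you do not control; everything below that point was written by the sender and may be invented. The following is an added example of that check, not code from the original article: the server names, addresses and sample messages are all constructed for illustration, and the TRUSTED_HOSTS set is an assumption standing in for whatever servers you actually run.

```python
"""Find the host that injected a message with a forged sender address.

Walks the Received: chain from the newest hop (our own MX) downwards and
returns the first client address that a server we trust recorded from a
host we do not trust. Received: lines below that hop were added by the
sending machine and can be forged, so they are deliberately ignored.
"""
import re
from email import message_from_string
from email.policy import default

# Hostnames and addresses of the servers whose Received: lines we believe.
# Assumed values for this example, not taken from the original article.
TRUSTED_HOSTS = {"mx.example.org", "relay.example.org", "192.0.2.10"}

# Common shape: "from <helo> (<rdns> [<ip>]) by <server> ...". The comment
# and the brackets are optional, so both are tolerated.
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Return (client, receiving_server) for one Received: value, or None."""
    value = " ".join(value.split())  # collapse folded continuation lines
    by = BY_RE.search(value)
    frm = FROM_RE.search(value)
    if not by or not frm:
        return None
    # Prefer the address the receiving server saw (in the comment) over the
    # HELO name, which the client chooses and a worm will happily forge.
    comment = frm.group(2) or ""
    ip = IP_RE.search(comment) or IP_RE.search(frm.group(1))
    client = ip.group(1) if ip else frm.group(1)
    return client, by.group(1).rstrip(";,")


def injecting_host(raw_message, trusted=TRUSTED_HOSTS):
    """Return the first untrusted client address in the trusted part of the
    Received: chain, or None if the message cannot be attributed."""
    msg = message_from_string(raw_message, policy=default)
    for value in msg.get_all("Received", []):
        hop = parse_received(str(value))
        if hop is None:
            continue
        client, server = hop
        if server not in trusted:
            # Not written by one of our servers: nothing below is verifiable.
            return None
        if client not in trusted:
            return client
    return None


# Constructed sample: a worm on a broadband host delivers straight to our MX
# with a forged sender, and has fabricated the lowest Received: line itself.
DIRECT = """\
Received: from smtp-out.example.org (dsl-57.isp.example [203.0.113.57])
    by mx.example.org (Postfix) with ESMTP id 4F2A1
    for <editor@example.org>; Mon, 12 Jul 2004 10:01:02 +0100
Received: from mail.example.org (mail.example.org [198.51.100.7])
    by smtp-out.example.org with SMTP; Mon, 12 Jul 2004 10:00:58 +0100
From: editor@example.org
To: editor@example.org
Subject: Re: your document

see attached
"""

# Constructed sample: the same worm, but the message reached the MX through
# an internal relay, so the first trusted-to-untrusted hop is one line down.
RELAYED = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
    by mx.example.org (Postfix) with ESMTP id 9B3C2;
    Mon, 12 Jul 2004 10:02:10 +0100
Received: from pc (dsl-57.isp.example [203.0.113.57])
    by relay.example.org (Postfix) with SMTP id 7A11F;
    Mon, 12 Jul 2004 10:02:08 +0100
From: editor@example.org
To: editor@example.org
Subject: Bin Laden captured

"""

if __name__ == "__main__":
    for label, sample in (("direct", DIRECT), ("relayed", RELAYED)):
        print(label, "->", injecting_host(sample))
```

Both samples resolve to the same customer address, and the forged line the worm inserted below our own server's entry never influences the result. The address is what goes in the complaint to the ISP, together with the timestamp from the trusted Received: line, since a broadband customer's address may be reassigned.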
I emailed the complaints department, to be told that though the user would be advised, no action would be taken for 24 hours.
In the event the problem was resolved sooner, although I will never know whether my indignant protests speeded things along. This incident highlights a question: to what extent is the ISP, rather than the end-user, responsible for this kind of abuse? After all, most users have no need for outgoing traffic on port 25, other than to the ISP's own mail server. Similarly, on an internal network, responsible administrators disable outgoing traffic on port 25 from machines other than mail servers. It is not possible to enforce best practice on every individual user, but if the major ISPs took action to restrict their customers' use of this port, there would be an immediate drop in malware traffic.
In fact, some ISPs already have such a policy. AOL's Jonathan Lambeth told me that "all traffic on port 25 is redirected through our mail servers, monitored and blocked if viral". Where customers have a legitimate need for outgoing port 25, they are whitelisted on request. It strikes me that AOL has the right policy in this instance.
On the client side, many Windows XP users are looking forward to the final release of Service Pack 2, which is laden with new security features. Will it prevent worms from spewing out emails? Unfortunately not. Contrary to rumour, the SP2 Windows Firewall does not block outgoing traffic at all. The reason for the misunderstanding is that SP2 maintains an application whitelist (its exceptions list), which makes it look as if it monitors outgoing connections. However, this whitelist restricts the applications that can listen for incoming connections, not those that can initiate outgoing ones, so a worm's own SMTP engine connecting out to port 25 is never consulted against it. This is a valuable security feature, but it is a shame Microsoft hasn't gone further by blocking outbound traffic.
On the other hand, once a worm is installed, all bets are off whichever personal firewall you use, especially with so many Windows users running with local administrative permissions: code running as an administrator can simply reconfigure or disable the firewall that is supposed to contain it. Security has to be enforced elsewhere.