As a sysadmin I use another nice little trick to help detect the undetectable new viruses etc. Since so many of these viruses nowadays carry their own SMTP engine, they do not try to use the SMTP server in house; they will mail directly through open relays out in the world. I set my firewall to only allow outbound SMTP from my internal mailserver and to send an immediate message to my workstation if it detects outbound SMTP attempts. If your mailserver is at an ISP, tell the firewall to only allow outbound SMTP to its IP address and warn if attempts are made to any other. That way you know immediately you have an infected machine and which one it is.
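
The check described above, as an added example that is not part of the original comment: it scans firewall log lines for outbound TCP/25 attempts that break the policy and names the offending internal host, covering both the in-house mail server case and the ISP relay case. The Linux netfilter LOG line format, the log prefixes, and every address below are assumptions; the sample log is constructed.

```python
import re
from collections import Counter

# Assumed addresses (not from the original comment).
MAIL_SERVER = "192.168.1.10"   # in-house mail server
ISP_RELAY = "203.0.113.25"     # mail server hosted at an ISP

# Constructed sample in netfilter LOG format; hosts and prefixes are made up.
SAMPLE_LOG = """\
Jan 12 09:14:01 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=41022 DPT=25 SYN
Jan 12 09:14:09 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.99 PROTO=TCP SPT=1045 DPT=25 SYN
Jan 12 09:14:10 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.0.2.44 PROTO=TCP SPT=1046 DPT=25 SYN
Jan 12 09:15:30 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 PROTO=TCP SPT=2201 DPT=25 SYN
Jan 12 09:15:42 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=2202 DPT=443 SYN
Jan 12 09:16:00 fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=2203 DPT=25
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return the KEY=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))


def rogue_smtp(log_text, allowed_src=(), allowed_dst=()):
    """Count policy-breaking outbound SMTP attempts per internal source host.

    allowed_src: hosts that may send SMTP anywhere (the in-house mail server).
    allowed_dst: the only SMTP destinations any host may use (the ISP relay).
    """
    hits = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        src = f.get("SRC")
        # Only TCP connections to port 25 are SMTP delivery attempts.
        if not src or f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        if src in allowed_src or f.get("DST") in allowed_dst:
            continue
        hits[src] += 1
    return hits


if __name__ == "__main__":
    for host, n in rogue_smtp(SAMPLE_LOG, allowed_src={MAIL_SERVER}).most_common():
        print(f"ALERT: {host} made {n} direct outbound SMTP attempt(s)")
```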