Obviously, if you are running several vhosts and plesk you likely have other logs to check. Also, one can usually see the origin of the mail injection in the maillog (e.g. complaints about setting to an unsafe sender) or in the outgoing messages. At runtime you can see the connects with full URLs on the apache status page. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com