The major problem here is the AV stuff will catch it, but most major blue chips will generate an email back to what it believes is the sender, remember the address has been spoofed, so the email hits a mailbox, and that person then panics, I didn't send it, I don't even recognise the address, I wasn't even in at that time, blah, blah, blah....
Bagel, MyDoom, Netsky all use the same techniques