The high prevalence of email worms indicates that current in-network defence mechanisms are incapable of mitigating this Internet threat. Moreover, commonly applied approaches against this class of propagating malicious program do not target reducing unwanted email traffic traversing the Internet. In this paper, we take a step toward better understanding of email worms, and explore their effect on the flow-level characteristics of domain name system (DNS) query streams that user machines generate. We propose a novel method, which uses time series analysis and unsupervised learning, to detect email worms as they appear on local name servers. To evaluate our detection method, we have constructed a DNS query dataset that consists of 71 email worms. We demonstrate that our method is very effective.