I know all of that, I was just thinking that "Reiceved:" headers line are not so generally spoofed than "from:" headers line. And I really think it's the case when I look at the behaviour of virus which are in the wild.
A user sent me an example this morning. (Line-wrapped by me for legibility)
Received: from 213-153-55-213.dyn.salzburg-online.at (213-153-55-213.dyn.salzburg-online.at [213.153.55.213]) by tepin.cc.columbia.edu (8.12.11/8.12.11) with SMTP id i4DJF6Va029037; Thu, 13 May 2004 15:15:08 -0400 (EDT) Received: from mail865.pjz.optusnet.com.au ([84.180.144.0]) by xv79-e0.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Thu, 13 May 2004 18:12:40 -0200 Received: from SKCR39 (p216.66.164.202.jzmsa2.tes.optusnet.com.au [111.156.120.128]) by mail247.bjw.optusnet.com.au (11.91.5k7/1.43.1) with SMTP id x0K28Cw78016; Fri, 14 May 2004 02:10:40 +0600
This was in spam, but the kind that is sent through a hacked Windows box. The lower two Received's are fake.
And I've seen this before. There's one that pretends the origin is outblaze.com. Have you seen that one?
Joseph Brennan Academic Technologies Group, Academic Information Systems (AcIS) Columbia University in the City of New York
_______________________________________________ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
