On Sun, Aug 22, 2004 at 9:31:10AM -0400, Tom Neff wrote:
> The problem with what you are saying is that spoofed virus/worm
> envelopes include fake From: addresses, but (in my experience) not
> spoofed IP addresses. There is no easy way for the IP address for
> webmail.dzogchen.ru (a/k/a mail.dzogchen.ru, a/k/a
> byak.sinp.msu.ru) to appear in a Received: header of a message
> received at mx1.yandex.ru unless it was actually involved in
> transmitting the message.
I see a lot of spam with obviously-forged Received: headers.
I don't think you can trust any but the topmost, at least until
the mail enters your domain. I've found many of these forgeries
to be useful spam discriminators, in fact.
So, it wouldn't surprise me if virii were grabbing IP numbers from
their usual sources and stuffing them into forged Received lines.
An IP lookup of the numbers in question would likely not match any
verbiage in the header, but the spam robot probably doesn't care
about accuracy. :)
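The trust rule in the reply above (believe only the Received: lines your own hosts added, treat everything below that boundary as unverifiable) can be turned into a small header-walking check. The following is an added example, not code from either poster; the message and the host names in it are constructed, and the TRUSTED_HOSTS set is an assumption standing in for a site's own MX and mailstore hosts.

```python
import email
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample message (not from the thread). The first two Received:
# lines were added by our own hosts; the third came in from the remote peer
# and cannot be verified; the fourth falsely claims that our own MX handled
# the message before the remote relay did.
RAW_MESSAGE = b"""Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id ABC123;
\tSun, 22 Aug 2004 10:02:11 -0400
Received: from unknown (HELO relay.example.org) ([198.51.100.77])
\tby mx-in.example.net with SMTP id DEF456;
\tSun, 22 Aug 2004 10:02:09 -0400
Received: from webmail.invalid (webmail.invalid [203.0.113.5])
\tby relay.example.org with ESMTP id GHI789;
\tSun, 22 Aug 2004 09:55:00 -0400
Received: from mail.invalid ([203.0.113.9])
\tby mx-in.example.net with ESMTP id FAKE1;
\tSun, 22 Aug 2004 09:50:00 -0400
From: someone@invalid.example
Subject: constructed test message

body
"""

# Assumed: the hosts that we operate and whose Received: lines we trust.
TRUSTED_HOSTS: Set[str] = {"mailstore.example.net", "mx-in.example.net"}

# Peer address as written in a Received: line, e.g. "[198.51.100.77]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# The host that claims to have added the line: "by host.example".
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_received(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Return Received: hops in header order (topmost = most recent)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        ip = IP_RE.search(flat)
        by = BY_RE.search(flat)
        hops.append({
            "raw": flat,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None,
        })
    return hops


def trust_boundary(hops, trusted_hosts: Set[str]) -> Tuple[list, list, Optional[str]]:
    """Walk from the top; stop at the first hop not added by one of our hosts.

    Returns (verified_hops, unverified_hops, peer_ip), where peer_ip is the
    address that actually connected to our last trusted host: the only IP in
    the chain we can vouch for.
    """
    verified = []
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            peer = verified[-1]["ip"] if verified else None
            return verified, hops[i:], peer
        verified.append(hop)
    return verified, [], (verified[-1]["ip"] if verified else None)


def analyze(raw: bytes, trusted_hosts: Set[str]) -> Dict[str, object]:
    """Summarise the trust boundary and flag lines that impersonate our hosts."""
    hops = parse_received(raw)
    verified, unverified, peer_ip = trust_boundary(hops, trusted_hosts)
    # A line below the boundary claiming "by <one of our hosts>" cannot be
    # genuine: our hosts only add lines above the boundary.
    forged = [h["raw"] for h in unverified if h["by"] in trusted_hosts]
    return {
        "hops": len(hops),
        "verified": len(verified),
        "unverified": len(unverified),
        "peer_ip": peer_ip,
        "forged_claims": forged,
    }


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE, TRUSTED_HOSTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The only address this yields with any confidence is the one recorded by the last trusted hop; the IPs in the lower lines are just text the sender supplied, which is exactly why a bogus "by our-own-mx" line further down is a usable spam signal rather than evidence about where the mail came from.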