details? post privately if you must. Would like to get this out...
here’s the latest on the analysis for Hot Air
http://hotair.com/archives/2010/01/25/ellie-light-speaks-and-speaks-and-speaks/
Ed, the only truthful line in the header will be
a) the one you removed showing your mailserver being connected to by the Ellie Light border mailserver.
Return-path is added by your mailserver to indicate the RCVD FROM portion of the envelope.
All e-mail has the following information:
a) Connection info, which includes the local and foreign IP address pairs. This cannot be spoofed, because e-mail is delivered via TCP, which has a handshaking protocol, and the protocol would break to the point that the e-mail could not be delivered.
b) Envelope information, such as HELO/EHLO (text identity of sending server), RCPT (To:), and RCVD FROM (From:). Only RCPT must be correct, because if you don’t give a valid recipient e-mail address, the receiving mailserver does not know to whom to route the e-mail.
c) Header information, all of which can be falsified, and
d) Body information (the text of the e-mail, including any attachments). This is the payload the sender wants delivered for you to examine, for whatever purpose.
Your mailserver adds a (Received From:) header, detailing the connection information, as well as the EHLO/HELO salutation used to deliver the message; that is the line you removed.
Your mailserver also added Envelope-to from the RCPT portion of the envelope.
The Received lines in the text you provide are in the wrong order (should be latest handler first, with the lines going back in time), unless you reordered them while pasting.
My mailserver’s DNSBL blocks telecomitalia.it; it’s a known nest of spammers and scammers. If anything came out of there, it was probably anonymized out of recognition.
That someone is going to this trouble to fake headers indicates a criminal operation (or that these people have obtained copies of criminal-style mailers such as SpamBlaster). Normal mailers don’t do this stuff.
X-Mozilla-Keys indicates that you used a Thunderbird reader and placed the e-mail into a local folder (as opposed to using LDAP). If that header came in the e-mail, that’s a bug in the sender’s mail agent.
I can’t see anything that would give you the information you are seeking.
If you feel comfortable, put back in the missing Received line but remove YOUR mailserver (the by portion) from that line. Then we’ll have a real piece of data to go on.
unclesmrgol on January 25, 2010 at 12:28 PM
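The two checks the comment describes (rely only on the Received line your own mailserver stamped, and expect the Received lines to go back in time as you read downward) can be run over a raw message as follows. This is an added example, not part of the original comment; the message, hostnames and IP addresses are constructed, and `mx.recipient.example` stands in for the recipient's own mailserver.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: documentation-range IPs and .example hosts only.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
\tby mx.recipient.example with ESMTP id abc123
\tfor <ed@recipient.example>; Mon, 25 Jan 2010 10:02:11 -0500
Received: from webmail.forged.example ([198.51.100.9])
\tby mail.sender.example with SMTP; Mon, 25 Jan 2010 10:05:40 -0500
Received: from [192.0.2.44] by webmail.forged.example;
\tMon, 25 Jan 2010 10:01:02 -0500
From: "Example Sender" <sender@forged.example>
To: ed@recipient.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed peer address
BY_RE = re.compile(r"\bby\s+([\w.-]+)")                # host that stamped the line

def parse_hops(raw):
    """Return Received headers top-down; assumes each ends with '; <date>'."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        hops.append({
            "by": by.group(1) if by else None,
            "peer_ip": ip.group(1) if ip else None,
            "when": parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()),
        })
    return hops

def analyze(raw, my_mx, skew_seconds=60):
    """Return (hop stamped by my_mx, indexes of hops older than the hop below)."""
    hops = parse_hops(raw)
    # Topmost line stamped by our own server: the only one we did not get from the sender.
    trusted = next((h for h in hops if h["by"] == my_mx), None)
    # Reading downward, timestamps should not increase beyond ordinary clock skew.
    out_of_order = [
        i for i in range(len(hops) - 1)
        if (hops[i + 1]["when"] - hops[i]["when"]).total_seconds() > skew_seconds
    ]
    return trusted, out_of_order
```

On the constructed sample, the hop stamped by `mx.recipient.example` yields the connecting address, and index 0 is flagged because the line beneath it claims a later time.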