One of my mailboxes, hosted on a third party server over which I have no control, is letting in scores of messages "from" LinkedIn which contain a nasty payload.
What I'm curious about is the header. Take a look:
Return-Path: <valises1682@roofsys.com>
Delivered-To: REDACTED
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
for <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: REDACTED
But there's also a third Received: line. This, at first glance, would seem to indicate that LinkedIn was involved in the mail transport somehow.
rDNS on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.
My trail goes cold there. "Experian CheetahMail" is legit, but is that the same cheetahmail? I can't tell.
What I do know is that the same 63.211.90.176 IP appears in messages posted about a slightly different spam/virus outbreak which was deliberately (fake) from LinkedIn (with a subject of "so now you'e on LinkedIn....").
So...what's REALLY going on? Has this mysterious part of the header just been totally faked, to make it look more legit?
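The question above comes down to where the trust boundary in the Received: chain sits. Each MTA prepends its own Received: line, so the lines at the top were written by the recipient's own servers and can be trusted; every line below the first one written by a foreign host was already inside the message when it arrived, and the sending host could have typed anything there. The added example below (not code from the thread) parses the header quoted in the post, marks the hops below the recipient's MTA as sender-supplied, and checks whether each hop's "by" host is the peer that the hop above actually saw connect. It assumes the redacted local MTA is named MY-REAL-ISP and treats qmail's "(qmail ... invoked from network)" line, which names no peer, as a local hop; the sample headers are constructed from the post with its redactions kept.

```python
"""Separate the Received: hops our own MTA wrote from hops the remote
sender handed us, and flag discontinuities between adjacent hops.

Added example, not from the forum thread. Assumptions: the recipient's
MTA is named MY-REAL-ISP (redacted in the post); a Received: line with
no "from ... by" (qmail's local hop) counts as ours.
"""
import email
import re

# Constructed sample: the header from the post, with continuation lines
# re-folded using leading whitespace as RFC 5322 requires.
SAMPLE_HEADERS = """\
Return-Path: <valises1682@roofsys.com>
Delivered-To: REDACTED
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
  by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
  for <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: REDACTED

"""

# "from <host> (<HELO or rDNS> [...]) ... by <host>" in either qmail or
# sendmail style; the parenthesised part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<from>[^\s()]+)"                              # host as the MTA recorded it
    r"(?:\s+\((?:HELO\s+)?(?P<helo>[^\s()\[\]]+)[^)]*\))?"    # HELO name or rDNS in parens
    r".*?\bby\s+(?P<by>[^\s()]+)",                            # MTA that wrote this line
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(raw_message):
    """Return one dict per Received: header, top (most recent) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        hop = {"raw": text, "from": None, "helo": None, "ip": None, "by": None}
        m = HOP_RE.search(text)
        if m:
            hop.update(m.groupdict())
            # the connecting IP, if the MTA logged one, sits between "from" and "by"
            ip = IPV4_RE.search(text[m.start():m.start("by")])
            hop["ip"] = ip.group(0) if ip else None
        hops.append(hop)
    return hops


def trust_boundary(hops, our_mtas):
    """Index of the last hop written by an MTA we control. Walking from
    the top, a hop is ours if its 'by' host is in our_mtas or if it is a
    local hop naming no peer at all. Everything below was supplied by
    whoever connected to us."""
    ours = {m.lower() for m in our_mtas}
    last = -1
    for i, hop in enumerate(hops):
        if hop["by"] is None or hop["by"].lower() in ours:
            last = i
        else:
            break
    return last


def chain_breaks(hops):
    """Indices of hops whose 'by' host is not the peer the hop above saw
    connect (by hostname, HELO name or IP). A break directly below the
    trust boundary means the lower lines were not written by the host
    they claim; they arrived pre-written from the real sender."""
    breaks = []
    for i in range(1, len(hops)):
        upper, lower = hops[i - 1], hops[i]
        if lower["by"] is None or upper["by"] is None:
            continue   # local or unparsed hop: nothing to compare against
        peer = {p.lower() for p in (upper["from"], upper["helo"], upper["ip"])
                if p and p.lower() != "unknown"}
        if lower["by"].lower() not in peer:
            breaks.append(i)
    return breaks


def analyze(raw_message, our_mtas):
    hops = parse_received(raw_message)
    boundary = trust_boundary(hops, our_mtas)
    return {
        "hops": hops,
        "trusted_up_to": boundary,
        "untrusted": list(range(boundary + 1, len(hops))),
        "breaks": chain_breaks(hops),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS, our_mtas={"MY-REAL-ISP"})
    for i, hop in enumerate(report["hops"]):
        status = "trusted" if i <= report["trusted_up_to"] else "UNTRUSTED (sender-supplied)"
        flag = "  <-- chain break: not the peer the hop above saw" if i in report["breaks"] else ""
        print(f"[{i}] {status}: from={hop['from']} helo={hop['helo']} "
              f"ip={hop['ip']} by={hop['by']}{flag}")
```

Run against the quoted header, the script marks hop 2 (the mta900.em.linkedin.com line) as sender-supplied and as a chain break: the recipient's MTA recorded the connecting peer as 89.69.130.109, a dynamic chello.pl address, yet the line below claims it was written by inbound.electric.net. The only hop whose claims were verified by a machine the recipient controls is the chello.pl connection; the LinkedIn-looking line and its forward-confirmed rDNS were simply part of the message body the spammer delivered, so they prove nothing about LinkedIn's or CheetahMail's involvement.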