At 08:38 PM 1/28/2005, Kelson wrote:
Here it's the third Received line, the one claiming to be "worn" in the HELO and "maxwell.fururamail.com" in the reverse DNS. Assuming the first line (from the reporter's ISP) is accurate, they picked up the message from a Roadrunner broadband account. Probably a zombie, so who knows whether lines 2 and 3 can be trusted.

None of the reports we have received have indicated that the mail came directly from "our" server. They've all been several lines in like this one.

Fair enough.. Lines 2 and 3 are almost certain to be forgeries.


IP forgery over established TCP connections is not a trivial matter if you don't control one of the boxes or a box along the route between the two (i.e. your router, or their router).

No IP forgery is needed: all this takes is making up your own Received lines and putting them in the message headers before you send it.

Agreed, I specifically meant this all in the context of something looking like a direct drop from your server, not 2-3 lines back.
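As an added example (not part of this thread, and not anyone's tool mentioned in it), a small Python check that applies the reasoning above: walk the Received lines top-down, treat a hop as verifiable only while the receiving ("by") host is one the reader controls, here the reporter's ISP MX, and mark every line below that boundary as something the sender could have typed into the headers before submitting the message. The sample header block, its host names, addresses and the trusted MX name are constructed placeholders.

```python
import re

# Constructed sample header block, topmost Received line = most recent hop.
# The HELO "worn" / reverse DNS "maxwell.fururamail.com" are the names quoted
# in the thread; every other host and address is a placeholder.
SAMPLE_HEADERS = (
    "Received: from cpe-rr-customer.example.net (cpe-rr-customer.example.net [203.0.113.7])\n"
    "\tby mx.reporter-isp.example (Postfix) with ESMTP id 4F2A1;\n"
    "\tFri, 28 Jan 2005 20:31:02 -0500\n"
    "Received: from relay.example.org (relay.example.org [198.51.100.9])\n"
    "\tby cpe-rr-customer.example.net with SMTP; Fri, 28 Jan 2005 20:29:41 -0500\n"
    "Received: from worn (maxwell.fururamail.com [192.0.2.44])\n"
    "\tby relay.example.org with ESMTP; Fri, 28 Jan 2005 20:28:15 -0500\n"
    "From: someone@example.org\n"
)

# "from <helo> (<reverse dns / ip>) by <receiving host>" as most MTAs write it
_HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^)]*)\))?\s+by\s+(?P<by>\S+)")


def received_lines(headers):
    """Return the unfolded value of every Received: header, topmost first."""
    hops, in_received = [], False
    for raw in headers.split("\n"):
        if raw[:1] in (" ", "\t"):          # folded continuation line
            if in_received:
                hops[-1] += " " + raw.strip()
            continue
        in_received = raw.lower().startswith("received:")
        if in_received:
            hops.append(raw.split(":", 1)[1].strip())
    return hops


def parse_hop(value):
    """Pull the HELO name, the receiver's reverse-DNS note and the 'by' host."""
    m = _HOP_RE.search(value)
    if not m:
        return None
    return {"helo": m["helo"], "rdns": (m["rdns"] or "").strip(), "by": m["by"]}


def classify_hops(headers, trusted_hosts):
    """Top-down: a hop is verifiable only while the 'by' host is one we trust.
    Once an untrusted receiver appears, that line and everything below it could
    have been written by the sender, so they stay unverifiable."""
    result, trusted = [], True
    for value in received_lines(headers):
        hop = parse_hop(value)
        if hop is None or hop["by"] not in trusted_hosts:
            trusted = False
        result.append((hop, "verifiable" if trusted else "unverifiable"))
    return result
```

The `from` host of the last verifiable hop is the real submission point (the broadband account in the thread); the "worn"/"maxwell" line ends up two hops below the boundary and proves nothing about the server it names.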
