On 1 Jun 2017, at 8:28, Loren Wilton wrote:

If he is intending to hide tracking info in the headers, it seems pointless unless he is also writing an MTA of some sort that will see the headers. But maybe he didn't think that far, and it was his intent to hide tracking info. Still, it seems a little unlikely.

I first noticed similar headers in a very narrowly (but irrationally) targeted subset of spam ~4 years ago. It came from snowshoe & rent-a-virtual-sewer (OVH largely, at the time) IPs, to a set of ~1% of the users on a multi-tenant SMB (outsourcing) mail system. For a while, one or more of the absurd headers would have a cryptographic hash of the target address as the value. My theory is that these were to get tracking info through spam reporting tools like SpamCop that try to sanitize reports. Obviously the tracking token doesn't need to be derived from the target address, it just needs to be mappable back to a target, so it could be that the same tool has been evolved to use less obvious tokens.
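One way a report-sanitizing tool could check for the kind of token described above, as an added example that is not part of the original message: it flags any header whose value embeds a digest of the recipient address. The digest algorithms, the address forms tried, and the sample header names are assumptions, and the sample message is constructed.

```python
import base64
import hashlib
from email import message_from_string

# Constructed sample: the address and header names are made up for illustration.
RCPT = "alice@example.com"
SAMPLE = (
    "From: sender@example.net\n"
    "To: alice@example.com\n"
    "Subject: hello\n"
    "X-Campaign-Ref: " + hashlib.md5(RCPT.encode()).hexdigest() + "\n"
    "X-Mailer-Build: 7f3a\n"
    "\n"
    "body\n"
)

def candidate_tokens(address):
    """Return (token, algorithm, is_hex) for digests of plausible address forms."""
    # Assumed forms: as given, lower-cased, upper-cased, and the local part alone.
    forms = {address, address.lower(), address.upper(), address.split("@")[0].lower()}
    tokens = []
    for form in forms:
        for algo in ("md5", "sha1", "sha256", "sha512"):
            digest = hashlib.new(algo, form.encode("utf-8")).digest()
            tokens.append((digest.hex(), algo, True))
            b64 = base64.b64encode(digest).decode().rstrip("=")
            tokens.append((b64, algo, False))
    return tokens

def find_recipient_hashes(raw_message, address):
    """Return (header name, algorithm) pairs whose value embeds a recipient digest."""
    msg = message_from_string(raw_message)
    hits = []
    for name, value in msg.items():
        compact = "".join(str(value).split())  # drop folding whitespace
        for token, algo, is_hex in candidate_tokens(address):
            # Hex is compared case-insensitively; base64 is case-sensitive.
            haystack = compact.lower() if is_hex else compact
            if token in haystack:
                hits.append((name, algo))
    return hits

if __name__ == "__main__":
    for header, algo in find_recipient_hashes(SAMPLE, RCPT):
        print(f"{header}: value contains {algo} of recipient address")
```

A match is a reason to strip that header before a report leaves the system. As the message notes, a token that is not derived from the address will not be caught by this check.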
