Tony,
TH> a legitimate message from someone I have corresponded with in the past. The
TH> only way to detect a fraud at the MUA would be to have a verifiable
TH> signature from Alain (this was trapped at my MTA due to the exe file). 
 yes, but no.
 first, there is an increasingly heated debate between folks who want to
 sign the message (TEOS, DomainKeys), versus others who want to secure the 
channel between
 sender and receiver (RMX, LMAP, SPF, etc.).
 Once that debate is resolved, there is still the matter of compromised
 system. The message might actually come from the purported author's
 system, but still not be from the author because it has been taken over
 by evil forces. So, even with perfect automated validation, the content
 still might not be valid.
d/
--
 Dave Crocker <dcrocker-at-brandenburg-dot-com>
 Brandenburg InternetWorking <www.brandenburg.com>
 Sunnyvale, CA  USA <tel:+1.408.246.8253>