In <014f01c40c49$8e996520$fbb4a741(_at_)cedata(_dot_)net> "Greg Cirino -
Cirelle Enterprises" <gcirino(_at_)cirelle(_dot_)com> writes:
When you think about it, everything in the header can be spoofed.
The Received: headers added by MTAs that you trust can not be spoofed
because they are added at the top. Other headers added above these
Received lines, such as Return-path: and Received-SPF: can also be
trusted.
Trying to determine how far down the Received: chain you can trust can
be a real challenge, but there are reasonably good techniques for
doing so.
the harder of them appears to be the IP address of the sender server
at initial negotiation, and that can be spoofed as well but from what I
understand is a lot more work, so it tends to be more valid than the rest.
Trying to spoof the IP address is *very* hard to do, if the receiving
MTA has a reasonably new OS (or a well designed older OS).
-wayne