Not actually realted to clamav/qmail-scanner etc, but I figured I'd post this here anyway, as it seem to be the best section.
One of my mailboxes, hosted on a third party server over which I have no control, is letting in scores of messages "from" LinkedIn which contain a nasty payload.
What I'm curious about is the header. Take a look:
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (188.8.131.52)
by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
[b]Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [184.108.40.206])[/b]
by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
for <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <firstname.lastname@example.org>
In the first two Received: lines, the message appears to be going from chello.pl to my real ISP.
But there's also a third Received: line. This, at first glance, would seem to indicate that LinkedIn was involved in the mail transport somehow.
rdns on 220.127.116.11 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.
My trail goes cold there. "Experian CheetahMail" is legit, but is that the same cheetahmail? I can't tell.
What I do know is that the same 18.104.22.168 IP appears in messages posted about a slightly different spam/virus outbreak which was deliberately (fake) from LinkedIn (with a subject of "so now you'e on LinkedIn....".
So...what's REALLY going on? Has this mysterious part of the header just been totally faked, to make it look more legit?