Just investigating a rash of spams apparently originating in msn/hotmail and I have come across an interesting phenomenon.
msn/hotmail adds two headers to emails it sends, for tracking purposes:
X-Originating-Email: [email address == authenticated username of account sending the mail]
X-Originating-IP: [IP of host that injected the email into hotmail via DAV or HTTP]
In some recent samples, there is a header named:
X-Originating-Ip:
Note that this is subtly different (lower case p). The value in this field is invariably completely bogus (for example, [776.567.6.87] in a spam this morning).
Now, where we have spams with the header X-Originating-Ip:, there is no X-Originating-IP: header though there must have been one during transmission.
Just to test this, I hand cranked a message through a Domino host with Telnet against port 25 and included 2 additional headers:
X-HeaderField: Yes
X-Headerfield: No
The MIME source of the resulting email, when viewed in the Notes client post-delivery, shows only the second of these (which, in the case of a real spam email being injected into hotmail via DAV, would have been the one forged by the spammer).
So it appears that Domino is dropping some MIME headers where their names differ only in upper/lower case.
Why would it do this? Should it not retain all MIME headers?
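As an added example (not part of the original post), here is a small Python check a mail admin could run over the raw message at a relay in front of Domino, before the case-variant header is lost: it flags header names that collide under RFC 5322's case-insensitive matching and validates the value of every X-Originating-IP variant. The sample message is constructed to mirror the post's description and uses placeholder addresses.

```python
import ipaddress
from collections import defaultdict
from email import message_from_string

# Constructed sample: a genuine X-Originating-IP header followed by a
# spoofed X-Originating-Ip variant whose value cannot be a real address.
SAMPLE_MESSAGE = """\
X-Originating-Email: [user@example.invalid]
X-Originating-IP: [203.0.113.7]
X-Originating-Ip: [776.567.6.87]
From: user@example.invalid
To: victim@example.invalid
Subject: test

body
"""


def find_case_variant_headers(raw):
    """Return {lower-cased name: [distinct spellings]} for every header
    field that appears under more than one capitalisation.  Header names
    are case-insensitive, so two spellings of the same field usually mean
    one copy was injected by someone other than the originating MTA."""
    spellings = defaultdict(list)
    for name, _value in message_from_string(raw).items():
        key = name.lower()
        if name not in spellings[key]:
            spellings[key].append(name)
    return {k: v for k, v in spellings.items() if len(v) > 1}


def check_originating_ip(raw):
    """Return (spelling, literal, is_valid) for each X-Originating-IP
    variant; is_valid is False for values such as 776.567.6.87 that are
    not parseable as an IPv4 or IPv6 address."""
    results = []
    for name, value in message_from_string(raw).items():
        if name.lower() != "x-originating-ip":
            continue
        literal = value.strip().strip("[]")
        try:
            ipaddress.ip_address(literal)
            results.append((name, literal, True))
        except ValueError:
            results.append((name, literal, False))
    return results


if __name__ == "__main__":
    print(find_case_variant_headers(SAMPLE_MESSAGE))
    print(check_originating_ip(SAMPLE_MESSAGE))
```

Because Domino keeps only the later of two case-variant headers, the check has to see the message as it arrived on port 25, not the stored MIME.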