Most likely an open proxy, rather than a compromised machine. Typical spammer tactic is to bounce off these to avoid being shut down. Cheers, Gordon -----Original Message----- From: Jonathan Brewer [mailto:jon.brewer(a)worldnet.att.net] Sent: Tuesday, 24 February 2004 6:14 a.m. To: 'nznog NOG' Subject: [nznog] an interesting excercise in whodoneit. Hey Folks, It's been a while since I've looked at email headers... Anyone want to tell me which of the below headers are real, and which (if any) are forged? Instinct would tell me that it's straight-forward, and someone rooted a box in the states on a cable modem, but I have no idea what to believe these days. Cheers, JB