Perhaps you missed the point where the original problem was with an email
address:
" I have this very odd email address found with one of our employees....
<hidden_user@172.17.0.1>"
Email addresses, in fact everything in rfc822 headers, are unrelated to
tcp connectivity issues. If the employee got the email I'm willing to
assume there was connectivity. If you wish, I can describe exactly how
such an address could be in the rfc822 From header of a message that could
be delivered to you - even if 172.17.0.1 is the address of the originating
device and you have no way of reaching that address.
Date: Thu, 26 Sep 2002 20:31:00 -0700
From: Tony Rall
Perhaps you missed the point where the original problem was
with an email address:
Indeed I did. Note to self: Parse properly before posting to
NANOG.
[Hopefully] on-topic response to OP after rereading: No, there
is no tracking who uses RFC1918 space. Beyond that, it gets into
SMTP header discussions, and I'll not be the one to start that
thread.
Depending on the content of the headers, this address
can be "injected" into the flow of the email. This is very
easy to do. The important thing to look at regarding the
headers from such an email are the last few transactions
I would suspect that the first few lines read IPs that are
familiar to you, that is your smtp server handling an email from
some foriegn source, than past that another foriegn source
IP. The begining IP address (this 172.17.x.x) probably starts
the whole thing out and has actually been forged or placed
there from some virtual lan that NATs out to its internet provider.
Remember that reading the headers is a bit backwards. The top is
the latest, while the headers close to the Subject or From To lines
are the origin.