JoeJobbed, I think

Here are the relevant headers as I saw them from the list:

Received: from ([])
  by localhost ( []) (amavisd-new, port 10024)
  with ESMTP id Rv7Ib4bfEtWx for <>;
  Sun, 10 Feb 2013 19:55:34 -0500 (EST)
Received: from ( [])
  by (Postfix) with ESMTPS id 280D91F0012A
  for <>; Sun, 10 Feb 2013 19:55:34 -0500 (EST)
Received: from localhost ([::1]
  by with esmtp (Exim 4.80 (FreeBSD))
  (envelope-from <>)
  id 1U4hg5-0007zX-6D; Mon, 11 Feb 2013 00:55:25 +0000
Received: from ([])
by with esmtp (Exim 4.80 (FreeBSD))
(envelope-from <>) id 1U4hfD-00074r-27
for; Mon, 11 Feb 2013 00:54:31 +0000
X-SBRS: None
X-HAT: Message received through Sender Group RELAYLIST,
Policy $RELAYED applied.
Received: from ([])
by with ESMTP; 10 Feb 2013 18:02:46 -0700
Message-ID: <>

Unless I'm very much mistaken, I believe that last Received before the date
(combined with absence of the static IP of my mailserver) is evidence of an
envelope-level forgery.

If whomever is babysitting the list this quarter pings me direct, I'll
give them that static (assuming they can't already see it themselves),
and they can double check, but it doesn't look like it came through my
server; no appearances of in my lots between 1720 and 1855EDT.

I note also that I can't see a message body either in the copies I got
from the list, or the ones I was forwarded.

-- jra

Concur -- it looks that way from here as well. What's not clear is
whether it's deliberate or an artifact resulting from breakage.


Well, FWIW, I never use anyone's on-platform forwarding service to send
article URLs to *anywhere*, much less a mailing list, though curiously
I think I *did* put a URL about a Google KC article in a posting last
week. Don't remember if it was LAT or not. Just the three postings,
right, Rich?

-- jra

Yes, just the three. Now that I'm more caffeinated, I noticed the
presence of X-SBRS: and X-HAT: headers in all three of those. I wonder
if those are there because somebody's Cisco Ironport got its hands on
those messages and did something ill-advised with them.

Perhaps if the list-owners are listening in, they could check to see if
there are any NANOG subscribers from or; that might shed some light on what's happened here.