Depending on the content of the headers, this address can be "injected" into the flow of the email. This is very easy to do. The important thing to look at regarding the headers from such an email are the last few transactions I would suspect that the first few lines read IPs that are familiar to you, that is your smtp server handling an email from some foriegn source, than past that another foriegn source IP. The begining IP address (this 172.17.x.x) probably starts the whole thing out and has actually been forged or placed there from some virtual lan that NATs out to its internet provider. Remember that reading the headers is a bit backwards. The top is the latest, while the headers close to the Subject or From To lines are the origin. Hope this offers some insite. -Joe