One of the problems we encounter as an ISP is the occasional customer account getting hijacked and used to send spam from the webmail interface.
To assist in tracking down the perpetrators, we've created a patch that inserts a Received header that records information so we can track down the compromised account. (In particular, the timestamp, source IP address and login name.)
The header is formatted like this:
Received: from [ip-address] (host.domain; login=username)
    by hostname-of-server
    with HTTP/version ;
    datestamp
You might wonder "why use the Received header"; well, the simple reason is so it can be processed the same way as any other spam report - and we get a lot of those.
Is this of interest to anyone else?
-Martin
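
An added example, not part of the post or of the patch it describes: Python code an abuse desk could use to pull the source IP, login name and timestamp out of a reported message that carries the header layout shown above. The function name, the `our_servers` parameter and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Layout of the webmail-inserted header from the post, after unfolding.
WEBMAIL_RE = re.compile(
    r"^from \[(?P<ip>[^\]]+)\] \((?P<host>[^;\s]+); login=(?P<login>[^)\s]+)\) "
    r"by (?P<server>\S+) with HTTP/(?P<version>[\d.]+)\s?;\s*(?P<date>.+)$"
)

def find_webmail_hops(raw_message, our_servers):
    """Return ip/login/time for Received headers added by our webmail hosts."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = WEBMAIL_RE.match(" ".join(value.split()))  # unfold continuation lines
        if not m or m["server"].lower() not in our_servers:
            continue  # not the webmail layout, or recorded by a host that is not ours
        try:
            ip = ipaddress.ip_address(m["ip"])
            when = parsedate_to_datetime(m["date"])
        except (ValueError, TypeError):
            continue  # malformed address or datestamp
        hops.append({"ip": str(ip), "host": m["host"], "login": m["login"],
                     "server": m["server"], "when": when})
    return hops

SAMPLE = (  # constructed message, not real traffic
    "Received: from mx.example.net ([192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Tue, 03 Feb 2004 10:15:02 +0000\n"
    "Received: from [203.0.113.45] (dsl-45.example.com; login=jdoe)\n"
    "\tby webmail.example.net\n"
    "\twith HTTP/1.1 ;\n"
    "\tTue, 03 Feb 2004 10:15:00 +0000\n"
    "Received: from [198.51.100.7] (x.example.org; login=admin)\n"
    "\tby relay.example.org with HTTP/1.1 ; Tue, 03 Feb 2004 10:14:00 +0000\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for hop in find_webmail_hops(SAMPLE, {"webmail.example.net"}):
        print(hop["when"].isoformat(), hop["ip"], hop["login"])
```

Matching the `by` host against a list of your own webmail servers keeps headers written by other hosts out of the result.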