It looks like someone at my old hosting provider (JTLnet) got themselves infected with an email worm. It’s not one I recognize, but it seems to share a particularly annoying property with many other worms – it picks one address out of the infected user’s address book, and spoofs that user as it sends itself to all the rest. In fact, it’s a double spoof; the Return-Path: header says one thing (always the same) and the From: header says another (varies). If I got just one hit, I’d delete it and move on, but it seems like I got picked as the lucky person whose address is used in the Return-Path:, so my mailbox has been filling up with bounce messages and complaints from people who received the worm from JTLnet.

One interesting aspect of this is that the SMTP servers are even accepting connections from JTLnet. I thought they did the old POP-before-SMTP trick and other checks, but apparently not.