Here's a port 25 forgery. One could probably do a better one, but this one shows you what still winds up in the headers and one can't do anything about when dealing with sendmail or an equally smart SMTP agent. Note than smail 3.1 is stupid.