Originally posted here by Maestr0
Forgive me if I haven't understood you correctly, but I don't see how that would matter since the AV software will connect to its SMTP server (which should be valid) and then send an e-mail to the forged address, which will return a 'message undeliverable (550)' from the destination SMTP server (if it even exists; otherwise the local SMTP server will be unable to establish a connection). Even if the AV has its own SMTP server and tries to identify the source IP in the mail header, it should still try to establish a valid session on port 25. An ICMP code 13 means a router refused to route the packet, not that the destination host was unavailable. Why would a router not in the packet traceroute be sending a code 13 for what was theoretically a handshake to port 25 somewhere? (These ports still don't add up.)
Maestr0, it is my understanding that an ICMP type 3, code 13 can be returned for any number of reasons. If a device is set up to not route various traffic (ICMP, SMTP, TCP, UDP) it can return a destination unreachable message (which is the default on various routers).

Now having said this, the situation with the antivirus e-mail may not be my problem as I am receiving way more ICMP messages than I am virus hits.

The investigation continues..........
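As an added illustration (not code from either poster), the snippet below parses an ICMP type 3 (Destination Unreachable) message and pulls out the quoted original IP/TCP header, which is how one checks which destination and port a code 13 actually refers to. The sample packet is constructed here with documentation addresses; checksums are left at zero.

```python
import struct

# Code names for ICMP type 3 from RFC 792 and RFC 1812
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_unreachable(icmp):
    """Decode an ICMP Destination Unreachable message (the IP payload only).

    The ICMP body quotes the original datagram's IP header plus its first
    8 bytes, so the refused destination and TCP/UDP ports can be recovered.
    """
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = icmp[8:]                      # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4           # original IP header length
    proto = inner[9]                      # 6 = TCP, 17 = UDP
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "meaning": UNREACH_CODES.get(code, "unknown"),
            "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def build_sample():
    """Constructed sample: a filtering router answers a SYN to TCP/25 with code 13."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25]))
    inner_tcp = struct.pack("!HHI", 40000, 25, 1)   # src port, dst port 25, seq
    return struct.pack("!BBHI", 3, 13, 0, 0) + inner_ip + inner_tcp


if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```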