Sounds to me like how one reconfigures a compromised server to deliver a Trojan. Unless you had actually requested a CORI, highly unlikely the actual origin is the stated return address. Not speaking for $DayJob