I think you're correct. Here's the full headers for one of the emails with some added line-breaks to make reading easier. I hope I've redacted enough (someone please tell me if there's stuff here that shoudln't be public)
Delivered-To: [me]
Received: by 10.216.15.83 with SMTP id e61csp34535wee; Sun, 4 Aug 2013 04:14:33 -0700 (PDT)
Received: from maile-fd.linkedin.com (maile-fd.linkedin.com. [199.101.162.92]) by mx.google.com with ESMTP id ck10si13864843pad.187.2013.08.04.04.14.31 for <[me]>; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
X-Received: by 10.68.135.162 with SMTP id pt2mr17184363pbb.42.1375614872583; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
Yeah, looks like that's coming from LinkedIn's network. They're probably just setting the From: header to your friend's email address -- which is what will then show up in most email clients as the sender -- and then using the Sender: header to pass SPF.
A little sneaky on their part, but nothing too surprising.
I didn't spot any personal / identifiable information in the headers, you should be OK.
> I'm confident you will find a judge out there that considers this wire fraud.
Eek, I hope not. That would make me and anyone else who's ever written a form-mailer or similar with "-faddress@net.com" or "From: address@net.com" guilty of wire fraud.
> And any email provider should obviously immediately blacklist them. Worse than spam.
I'm a mail provider. I'd like to, but the reality is that a lot of people are on LinkedIn on purpose, and it would be wrong for me to blackhole them just because I don't like them. Fortunately, anybody on my mail system that doesn't like LinkedIn can easily adjust their own SpamAssassin settings right from the webmail interface.
Worse than spam, maybe, but I hope the defense would be able to make a compelling case that using the specification as designed doesn't constitute wire fraud...
This wouldn't be terribly different from (not that I know an example) me sending a letter to friend A and putting friend B as the return address, sending a letter by proxy. Of course in that case, there isn't even a method to see who actually sent the letter, whereas the information on who sent the email is still contained in the email.
Delivered-To: [me]
Received: by 10.216.15.83 with SMTP id e61csp34535wee; Sun, 4 Aug 2013 04:14:33 -0700 (PDT)
Received: from maile-fd.linkedin.com (maile-fd.linkedin.com. [199.101.162.92]) by mx.google.com with ESMTP id ck10si13864843pad.187.2013.08.04.04.14.31 for <[me]>; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
X-Received: by 10.68.135.162 with SMTP id pt2mr17184363pbb.42.1375614872583; Sun, 04 Aug 2013 04:14:32 -0700 (PDT)
Return-Path: <s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com>
Received-Spf: pass (google.com: domain of s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com designates 199.101.162.92 as permitted sender) client-ip=199.101.162.92;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com designates 199.101.162.92 as permitted sender) smtp.mail=s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw@bounce.linkedin.com; dkim=pass header.i=@linkedin.com
Domainkey-Signature: q=dns; a=rsa-sha1; c=nofws; s=prod; d=linkedin.com; h=DKIM-Signature:Sender:Date:From:To:Message-ID:Subject:MIME-
Version:Content-Type:X-LinkedIn-Template:X-LinkedIn-Class:X-LinkedIn-fbl; b=q1KRuTf4aDEOi5VREcMRO4Doq6XyksTGxJVZMaRGMds1RAi/nevXn8l1yGjBp3ed bSZCOz8kdSYBSnp8/gVqQ0UxpsSpQsAaZFrz1yvWjphpr7/DJKaD7Ap6sSUofZ13
Dkim-Signature: v=1; a=rsa-sha1; d=linkedin.com; s=proddkim1024; c=relaxed/relaxed; q=dns/txt; i=@linkedin.com; t=1375614871; h=From:Subject:Date:To:MIME-Version:Content-Type:X-LinkedIn-Class:X-LinkedIn-fbl: X-LinkedIn-Template; bh=+IqpICLV7N0HAZ46nQfd4mjluOA=; b=dh0hTwqcAoV966RGjsPQexTPDRGSX7o0W9IXG6sWZeDO55b4Xo8Z5riP6dRkYtbu /OO5DxfX1/8F8NHDoxK+3KR+YREUY/r0soM2EySz3S8yWd0CkVWMfpxhzRJzDTap zk0xKG+Oz3Y3jNFg+IQtv/R4uPXo83Cn1OetkC6jKfo=;
Sender: messages-noreply@bounce.linkedin.com
Message-Id: <973325106.76554970.1375614871646.JavaMail.app@ela4-app0128.prod>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_76554966_2133229866.1375614871641"
X-Linkedin-Template: invite_guest_59
X-Linkedin-Class: INVITE-GUEST
X-Linkedin-Fbl: s-qOxdGdgPOAr7vHvIHn9RlC4YYGdevmogHv9xfh43oUzeCvHNq-TcFw