I recently got an email question from a reader asking about where spam is coming from, that is, who is the originator of the spam message? The reader was a little confused about the header information, so below is a quick guide to interpreting email.
Basically, the sender of the spam is the last IP address in the headers of the message. To get the headers in your email client, in Thunderbird press Ctrl + U. In Outlook, right-click on the message and select Message Options. Below is an example spam message that I recently got, but I have edited some of the important contact information.
From - Sun Jul 30 11:41:23 2006
Received: by mail68-red ([126.96.36.199])(MessageSwitch) id 1154277461979001_18661; Sun, 30 Jul 2006 16:37:41 +0000 (UCT)
Received: from S0106000b6b4c0bd1.vc.shawcable.net (S0106000b6b4c0bd1.vc.shawcable.net [188.8.131.52])
by mail68-red.bigfish.com (Postfix) with SMTP id 736345663E5
Date: Sat, 29 Jul 2006 21:38:18 -0300
From: "Dionne" <Dionne@rodrun.com>
User-Agent: Thunderbird 184.108.40.206 (Windows/20060516)
Subject: this weeks top stock is GLXI - build a strong position
X-Spam: Not detected
In the above example, the first Received: header is the mail server that received the message at the very end of the message routing process. The one in purple highlight is the original sending IP address, the one who sent the spam. You can then do a reverse IP lookup (ie, find out who the IP address belongs to) by going to any number of sites on the internet. I did a quick MSN Search and this one came up. Simply pop in the IP address and click "Look Up."
Please note that this explanation is an oversimplification of how email headers work, as they can be forged. For a better and more informative explanation, please see the below articles: