I've just received an exemplary piece of spam that we can use for exercise. Here are the header lines:
Received: from unknown (HELO 184.108.40.206) (220.127.116.11)
by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000
Received: from [18.104.22.168] by 22.214.171.124 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600
From: "Reinaldo Gilliam" <firstname.lastname@example.org>
Reply-To: "Reinaldo Gilliam" <email@example.com>
Subject: Category A Get the meds u need lgvkalfnqnh bbk
Date: Sun, 16 Nov 2003 13:38:22 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
Can you tell the IP address where the email originated?
Sender and Subject
First, take a look at the forged From: line. The spammer wants to make it look as if the message was sent from a Yahoo! Mail account. Together with the Reply-To: line, this From: address is aimed at directing all bouncing messages and angry replies to a non-existing Yahoo! Mail account.
Next, the Subject: is a curious agglomeration of random characters. It is barely legible and obviously designed to fool spam filters (every message gets a slightly different set of random characters), but it is also quite skillfully crafted to get the message across in spite of this.
The Received: Lines
Finally, the Received: lines. Let's begin with the oldest, Received: from [126.96.36.199] by 188.8.131.52 id <5416176-86323>; Sun, 16 Nov 2003 13:38:22 -0600. There are no host names in it, but two IP addresses: 184.108.40.206 claims to have received the message from 220.127.116.11. If this is correct, 18.104.22.168 is where the email originated, and we'd find out which ISP this IP address belongs to, then send an abuse report to them.
Let's see if the next (and in this case last) server in the chain confirms the first Received: line's claims: Received: from unknown (HELO 22.214.171.124) (126.96.36.199) by mail1.infinology.com with SMTP; 16 Nov 2003 19:50:37 -0000.
Since mail1.infinology.com is the last server in the chain and indeed "my" server I know that I can trust it. It has received the message from an "unknown" host that claimed to have the IP address 188.8.131.52 (using the SMTP HELO command). So far, this is in line with what the previous Received: line said.
Now let's see where my mail server did get the message from. To find out, we take a look at the IP address in brackets immediately before by mail1.infinology.com. This is the IP address the connection was established from, and it is not 184.108.40.206. No, 220.127.116.11 is where this piece of junk mail was sent from.
With this information, you can now identify the spammer's ISP and report the unsolicited email to them so they can kick the spammer off the net.