Here's how to find out "who sent me this email?". In fact it's a fairly big topic, and this is just a very brief summary; try searching Google for more.
Revealing the email headers
Firstly, you need to see the full headers of the email.
Envelopes and headers
Be aware that email has envelopes, and that the "To" and "Cc" headers have nothing to do with the delivery of email. Every aspect of email is trivial to forge, except for one: the "Received" headers added by any mail servers that you trust.
"Received" headers
As an email message passes through a chain of mail servers, each server will add (usually) one "Received" header to the top of the list. Therefore, the topmost "Received" header lists the server at the end of the chain. This is usually your company's own email server, or (if you download your mail from a POP3 mailbox), the POP3 server.
Each server will add a "Received" header to the top of the email, so the Received headers end up in reverse order.
For example, suppose the path of an email was as follows:
alice@example.com sends an email to bob@widgets.org
Alice's email program (e.g. Outlook Express) has the outgoing mail server set to mail.example.com
Therefore, the first server that the mail goes to is mail.example.com; it adds a "Received" header to the top of the message
mail.example.com then looks up which servers are listed as those for receiving mail for example.com. For example, let's say it's mail-relay.power.net.uk
mail-relay.power.net.uk accepts the message; it adds a "Received" header to the top of the message, above the one added by mail.example.com
mail-relay.power.net.uk then works out that this message should go into the mailbox of the Powernet account called widgets
mail-relay.power.net.uk then sends the message to pop3.power.net.uk
pop3.power.net.uk accepts the message; it adds a "Received" header to the top of the message, above the one added by mail-relay.power.net.uk
Therefore, the "Received" headers might look a bit like this, in this order:
Received: from [195.60.31.46] (helo=mailhub.power.net.uk)
    by pop3.powernet.co.uk with esmtp (Exim 4.44)
    id 1FKxID-09728-MI
    for widgets@powernet.com; Sun, 19 Mar 2006 12:45:57 +0000
Received: from mail.example.com ([195.60.300.599])
    by mail-relay.power.net.uk (8.12.11/8.12.8) with ESMTP id 7v0221k2JCjv41
    for <bob@widgets.org>; Sun, 19 Mar 2006 12:45:57 GMT
Received: from ALICE ([192.168.1.74])
    by mail.example.com (8.13.1/8.11.4) with ESMTP id qh0u3nyw01039
    for <bob@widgets.org>; Sun, 19 Mar 2006 12:45:57 GMT
What can be trusted?
It's trivial to fake every aspect of email apart from one: the "Received" headers added by any mail servers that you trust. Therefore, if there's any doubt about the truthfulness of an email (and you should certainly not trust anything about "spam" until you can prove otherwise), you should trust NONE of it to begin with, apart from the topmost "Received" header.
The topmost "Received" header can be trusted, because it was added by your company's own mail server (which presumably you trust). The "Received" header will usually indicate the IP address of the previous mail server in the chain, so for the topmost "Received" header it will list the IP address of the last-but-one mail server. Therefore, you can trace the path of the email back by one "step" in the chain.
If (and only if) you also trust the mail server that you've traced the message back to, then you can trace the message back one more step, and so on. However as soon as you get to a mail server that you don't trust, you should stop, because any subsequent "Received" headers may be fake. You should consider this IP address to be the source of the email.
For example:
Received: from [195.60.31.46] (helo=mailhub.power.net.uk)
    by pop3.powernet.co.uk with esmtp (Exim 4.44)
    id 1FKxID-09728-MI
    for widgets@powernet.com; Sun, 19 Mar 2006 12:45:57 +0000
Received: from mail.example.com ([195.60.300.599])
    by mail-relay.power.net.uk (8.12.11/8.12.8) with ESMTP id 7v0221k2JCjv41
    for <bob@widgets.org>; Sun, 19 Mar 2006 12:45:57 GMT
Received: from exchange.business.com ([200.12.771.44])
    by mailhop.example.com (8.13.1/8.11.4) with ESMTP id qh0u3nyw01039
    for <bob@widgets.org>; Sun, 19 Mar 2006 12:45:57 GMT
In this example, what's the source of the email? Is it mail.example.com? 195.60.300.599? exchange.business.com? 200.12.771.44? The answer depends on whether or not we trust the server at the IP address 195.60.300.599.
If we don't trust it, then we should ignore any following "Received" headers as possibly bogus; the source of the email is 195.60.300.599.
On the other hand if we do trust it, then we can trust the "Received" header which it added (i.e. the next one along); in which case, the source of the email is 200.12.771.44.
You should specifically ignore the From, To, and Cc headers (or at least be aware that they could be completely fake). In any case, they have nothing to do with the delivery of the email.
Fake "Received" Headers
A favourite spammer tactic is to send spam with fake "Received" headers. If you do your tracking properly (see above), this is not a problem, as tracking stops at the first untrusted host (and the fake header will be after that). The purpose of adding the fake headers is to try to fool people who don't track the "Received" headers properly, into accepting the fake header as real, thereby causing the spam to appear to come from somewhere other than its true source.
Lately, these fake Received headers have become moderately convincing, in that they use a real combination of IP address / HELO name. For example, here's a message which someone recently posted to our "abuse" mailbox, believing Powernet to be the source of the spam:
Return-Path: deborak@cablehouse.com
Received: from [87.91.197.201] (HELO SpeedTouch.lan)
    by k66.ru (CommuniGate Pro SMTP 4.3.12)
    with ESMTP id 26249442; Wed, 22 Nov 2006 23:01:54 +0500
Return-Path: deborak@cablehouse.com
Received: from 195.60.31.46 (HELO mail-relay.power.net.uk)
    by uralmail.com with esmtp (),<(N3P0S;5 =9X8P)
    id A,(1;+-CC5085-9W
    for victim@example.com; Wed, 22 Nov 2006 +18:01:38 -0060
From: Goldie Jamison <deborak@cablehouse.com>
To: victim@example.com
Subject: Goldie wrote:
The recipient of this spam assumed that the second "Received" line (Received: from 195.60.31.46 (HELO mail-relay.power.net.uk)) was genuine, and that it indicated the source of the spam. However, what they should have done is ask themselves whether the host indicated by the first header (Received: from [87.91.197.201] (HELO SpeedTouch.lan)) is one that they trust. If the answer is no, they should disregard all subsequent Received headers.
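The tracing rule from "What can be trusted?" and the fake-header case above, as an added Python example (not part of the original page): it walks the "Received" headers from the top and stops at the first hop that is not in a trusted set. The function names and the trusted_ips parameter are assumptions made for illustration; CHAIN and SPAM are the page's own sample headers.

```python
import email
import re

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def peer_ip(received):
    """Return the IP in the 'from' clause of one Received header (the previous hop)."""
    # Only the part before "by" describes the sending host; names there are ignored.
    from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
    match = IP_RE.search(from_clause)
    return match.group(0) if match else None

def trace_source(raw_message, trusted_ips):
    """Walk Received headers top-down and stop at the first untrusted hop."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    source = None
    for header in received:
        ip = peer_ip(header)
        if ip is None:
            break            # no usable address, so the trail ends here
        source = ip
        if ip not in trusted_ips:
            break            # every header below this one may be forged
    return source

# Sample headers copied from the page. IPs are compared as strings because the
# page's illustrative addresses (e.g. 195.60.300.599) are not valid IPv4.
CHAIN = """\
Received: from [195.60.31.46] (helo=mailhub.power.net.uk)
  by pop3.powernet.co.uk with esmtp (Exim 4.44)
  id 1FKxID-09728-MI
  for widgets@powernet.com; Sun, 19 Mar 2006 12:45:57 +0000
Received: from mail.example.com ([195.60.300.599])
  by mail-relay.power.net.uk (8.12.11/8.12.8) with ESMTP id 7v0221k2JCjv41
  for <bob@widgets.org>; Sun, 19 Mar 2006 12:45:57 GMT
Received: from exchange.business.com ([200.12.771.44])
  by mailhop.example.com (8.13.1/8.11.4) with ESMTP id qh0u3nyw01039
  for <bob@widgets.org>; Sun, 19 Mar 2006 12:45:57 GMT
"""
SPAM = """\
Received: from [87.91.197.201] (HELO SpeedTouch.lan)
  by k66.ru (CommuniGate Pro SMTP 4.3.12) with ESMTP id 26249442;
  Wed, 22 Nov 2006 23:01:54 +0500
Received: from 195.60.31.46 (HELO mail-relay.power.net.uk)
  by uralmail.com with esmtp (),<(N3P0S;5 =9X8P) id A,(1;+-CC5085-9W
  for victim@example.com; Wed, 22 Nov 2006 +18:01:38 -0060
"""
```

Even when 195.60.31.46 is in the trusted set, tracing SPAM stops at 87.91.197.201, because the header naming 195.60.31.46 sits below an untrusted hop.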
How do I report spam?
One way of reporting spam is to use SpamCop. After registering with them, you can then take the spam that you want reported and forward it to SpamCop. SpamCop then does all the hard work of working out who sent the email and who the complaints / abuse reports should be sent to.