It is easy to view the header information in Thunderbird. The header is a normally invisible portion of an e-mail message that contains all of the routing information, including the IP address of the sender, even when the sender is a spammer.
An invisible header is attached to each packet of information sent via the Internet. When your browser requests a web page, a header is attached to each packet of web page code and each object (images, videos, Flash) that is returned to your browser. The header tells the packet how to find the PC of the person requesting the information, and contains other information that is part of standard Internet communications protocols.
E-mail messages also contain a header. The header contains the IP address of the sender, as well as other information that may get attached to the header along the way, such as spam ratings that anti-spam software running on your e-mail server may apply to the message and other information added by the server. E-mail clients, such as Thunderbird, use this information to help identify spam messages.
To view the header information in a Thunderbird e-mail message, select the message, then click on the View menu and select Headers > All. The header information for the message will replace the message in the Thunderbird window.
To identify the origin of an e-mail, look for the Return-Path. That is allegedly the e-mail address of the sender, although it is not a reliable way to identify the sender, because most spammers use any return e-mail address that they can find on spammers’ lists. That is why you frequently see spam messages with your own e-mail address as the return address.
The Received line is a bit more reliable, because it contains the IP address from which the spam message was sent. That is, of course, unless the spammer hacked into an e-mail server or is using a relay server to disguise the true source of the message. Due to the nature of the Internet, there is no absolutely foolproof method for determining where a spammer is located using just the header information. However, sometimes the header information is useful.
When investigating the source of spam, we look for the Received line closest to the top of the header. Scan across that line until you see a server name and an IP address just to the right of the word “from”. That is the IP address of the server that sent the message.
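The same lookup can be scripted. The following is an added example, not part of the original article: it reads the Received lines of a saved message from the top down and pulls out the server name and IP address that follow "from". The sample headers and the function names are constructed for illustration, and the parser assumes the common "name (rdns [ip])" layout.

```python
import email
import ipaddress
import re

# Constructed sample headers; the addresses come from documentation ranges.
SAMPLE = (
    "Return-Path: <you@example.org>\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.45])\n"
    "\tby mx.example.org with ESMTP id abc123\n"
    "\tfor <you@example.org>; Tue, 02 Jan 2024 10:00:05 +0000\n"
    "Received: from [192.168.1.20] (unknown [198.51.100.7])\n"
    "\tby mail.sender.example with ESMTPA id xyz789;\n"
    "\tTue, 02 Jan 2024 10:00:01 +0000\n"
    "Received: by internal.sender.example id q1; Tue, 02 Jan 2024 10:00:00 +0000\n"
    "From: Prize Desk <you@example.org>\n"
    "To: you@example.org\n"
)

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def parse_received(value):
    """Return (server_name, ip) from the "from" clause; either may be None."""
    text = " ".join(value.split())              # unfold continuation lines
    if not text.lower().startswith("from "):
        return None, None                       # e.g. a local "by ..." hop
    clause = re.split(r"\sby\s", text, maxsplit=1)[0]
    name = clause.split()[1]                    # name the sending server gave
    ip = None
    for candidate in BRACKETED.findall(clause):
        try:
            # Keep the last valid address: in the assumed "name (rdns [ip])"
            # layout that is the peer address the receiving server recorded.
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            pass                                # bracketed text that is not an IP
    return name, ip

def received_hops(raw):
    """Parse every Received line, top of the header first."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]

def top_sender(raw):
    """Server name and IP from the Received line closest to the top."""
    hops = received_hops(raw)
    return hops[0] if hops else (None, None)

if __name__ == "__main__":
    print(top_sender(SAMPLE))
```

To run it on a real message, save the message from Thunderbird as a file and pass the file's text to `top_sender` in place of `SAMPLE`.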
You can check the location of the server using any IP geo-location web site. IP addresses are tied to specific geographic locations, so it is usually pretty easy to determine the country, city and specific server from where a message was sent. A while ago we did a study to determine which web site provided the most accurate geo-IP information. Based upon that study, we use IP2Location.com’s free GeoIP page. You can use that page to check up to 20 IP addresses per day.