07-03-10 | 05:22 PM
#8
JohnDThompson
Old fart
 
Joined: Nov 2004
Posts: 26,411
Likes: 5,350
From: Appleton WI

Bikes: Several, mostly not name brands.

If you want to trace the true origin of an email you need to look at the message headers, specifically the "Received:" lines. Although the sender's address can be trivially forged, the "Received:" header lines are added by each machine on the internet that handles that piece of mail and thus are not under the control of the sender. IOW, they are quite difficult to forge.

These header lines are normally suppressed by your mail client software, because most of the time you are more interested in the message content than in how it was delivered to you. I use Mozilla's "Thunderbird" email program; to see the message headers, use CONTROL-U or, from the main menu bar, "View...Message Source." I suspect other email software, e.g. Microsoft's Outlook or Outlook Express, has a similar method.

Once you have the message source, you look at the "Received:" lines at the top of the text. Here's one from a recent PayPal "phishing" attempt:

Return-Path: <service@paypal.com>
Received: from mailserver.eagleshoes.com.cn ([61.145.9.75])
    by atuin.os2.dhs.org (8.14.4/8.13.8) with ESMTP id o5P011HR010485
    for <john@os2.dhs.org>; Thu, 24 Jun 2010 19:01:07 -0500 (CDT)
    (envelope-from service@paypal.com)
Received: from User ([211.241.199.209] RDNS failed) by mailserver.eagleshoes.com.cn with Microsoft SMTPSVC(6.0.3790.3959);
    Fri, 25 Jun 2010 07:37:32 +0800
Reply-To: <no-reply>
From: "PayPal"<service@paypal.com>
Subject: PayPal - Please Update Your PayPal Account !
Date: Fri, 25 Jun 2010 08:27:58 +0900

The "Return-Path:" and "From:" lines are trivially forged by the sender; here they are set to imply that the message came from paypal.com. The "Received:" lines don't lie, and show the true origin. Each computer that handles the message adds its own "Received:" line above the previous one, so the last "Received:" line shows the ultimate origin of the message. Sometimes there can be quite a list of these.

In this case, the last one shows that the message was sent from someone named "User" at IP address 211.241.199.209. A whois lookup of 211.241.199.209 shows:

KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The following is organization information that is using the IPv4 address.

IPv4 Address : 211.241.199.128-211.241.199.255
Network Name : KRLINE-LLINE-IM
Connect ISP Name : HINETWORKS
Connect Date : 20030619
Registration Date : 20030709
Publishes : Y

[ Organization Information ]
Organization ID : ORG280300
Org Name : IMNETPIA
Address : Seocho4-dong, Seocho-gu, Seoul
Detail Address : 1303-16Alliancheu Gangnamsaok 8Fl.
Zip Code : 135-080

[ Technical Contact Information ]
Name : Kisun Kim
Org Name : IMNETPIA
Address : Seocho4-dong, Seocho-gu, Seoul
Detail Address : 1303-16Alliancheu Gangnamsaok 8Fl.
Zip Code : 135-080
Phone : +82-2-599-5633
E-Mail : kskim@imnetpia.com

Obviously, this is *NOT* paypal.com; the IP address in question is registered to a Korean business, quite likely a small internet service provider who resells access through the block of dynamically assigned IP addresses listed. If you feel motivated, you could contact the technical person through the email address provided. If you do complain, be sure to send the entire message, including all the header lines so the system administrator has a chance to use their system logs to track down who was responsible for the message.

The message was accepted by mailserver.eagleshoes.com.cn, which in turn relayed it to my mail server "atuin.os2.dhs.org" which tossed it to my spam filter which dumped it in my Junk folder. In any case, eagleshoes.com.cn should *NOT* be running an open email relay because spammers use them to distribute their messages freely. Running a "whois" query on mailserver.eagleshoes.com.cn's IP address (61.145.9.75) gives me (among other things) an "abuse" email address I can use to complain about their open relay and encourage them to tighten up their security to prevent this type of exploitation.

HTH...
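The header walk described in the post above, as an added example that is not part of the original post: a small Python script that pulls every "Received:" line out of a raw message, reports each hop (claimed HELO name, the IP the receiving server actually saw, whether reverse DNS matched, which server wrote the line, and when), and names the bottom-most hop as the origin. It also applies the one check a practitioner should always add: only the lines stamped by servers you operate can be verified, so `trusted_hops` walks from the top and stops at the first line whose "by" host is not yours; everything below that was written by someone else's machine (here mailserver.eagleshoes.com.cn) and could have been fabricated before the message ever reached you. The function names are our own, and the sample message is constructed from the headers quoted in the post with standard header folding restored and a placeholder body.

```python
"""Walk the Received: chain of a raw e-mail and report each relay hop.

Added example: the function names (parse_hops, origin_hop, trusted_hops,
is_public_ip) are our own, not part of any library discussed in the post.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the post, with RFC 5322 folding
# (leading whitespace on continuation lines) restored and a placeholder body.
RAW_MESSAGE = """\
Return-Path: <service@paypal.com>
Received: from mailserver.eagleshoes.com.cn ([61.145.9.75])
\tby atuin.os2.dhs.org (8.14.4/8.13.8) with ESMTP id o5P011HR010485
\tfor <john@os2.dhs.org>; Thu, 24 Jun 2010 19:01:07 -0500 (CDT)
\t(envelope-from service@paypal.com)
Received: from User ([211.241.199.209] RDNS failed) by mailserver.eagleshoes.com.cn with Microsoft SMTPSVC(6.0.3790.3959);
\tFri, 25 Jun 2010 07:37:32 +0800
Reply-To: <no-reply>
From: "PayPal"<service@paypal.com>
Subject: PayPal - Please Update Your PayPal Account !
Date: Fri, 25 Jun 2010 08:27:58 +0900

(message body omitted)
"""

HOP_RE = re.compile(
    r"^from\s+(?P<from_host>\S+)"            # name the sender claimed in HELO/EHLO
    r"(?:\s+\((?P<from_comment>[^)]*)\))?"   # receiver's own note: [ip], rDNS result
    r"(?:.*?\bby\s+(?P<by_host>\S+))?",      # the server that wrote this line
    re.DOTALL | re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received: hops in header order: index 0 is the line added
    last (by the final server), the last entry is the hop nearest the origin."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()   # unfold the header
        m = HOP_RE.match(text)
        if not m:
            continue
        comment = m.group("from_comment") or ""
        ip_m = IP_RE.search(comment)
        # The timestamp follows the last ';'; drop parenthesised comments
        # such as "(CDT)" or "(envelope-from ...)" before parsing it.
        date_text = text.rsplit(";", 1)[1] if ";" in text else ""
        date_text = re.sub(r"\([^)]*\)", "", date_text).strip()
        try:
            when = parsedate_to_datetime(date_text) if date_text else None
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from_host": m.group("from_host"),
            "from_ip": ip_m.group(1) if ip_m else None,
            # "RDNS failed" is the Microsoft SMTPSVC wording, "may be forged" sendmail's
            "rdns_failed": "RDNS failed" in comment or "may be forged" in comment,
            "by_host": m.group("by_host"),
            "date": when,
        })
    return hops


def origin_hop(hops):
    """Bottom-most hop: the first server to accept the message, and the
    IP address it recorded for the machine that handed it the message."""
    return hops[-1] if hops else None


def trusted_hops(hops, my_hosts):
    """Only lines written by servers you operate are verifiable. Walk from the
    top and stop at the first line whose 'by' host is not yours; lines below
    it were stamped by another party's machine (or the sender) and may be forged."""
    trusted = []
    for hop in hops:
        if hop["by_host"] is None or hop["by_host"].lower() not in my_hosts:
            break
        trusted.append(hop)
    return trusted


def is_public_ip(ip):
    """True for a routable address worth looking up in whois; False for
    private, loopback or malformed addresses that sometimes appear in forged lines."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    verified = len(trusted_hops(hops, {"atuin.os2.dhs.org"}))
    for i, hop in enumerate(hops):
        tag = "verified" if i < verified else "unverified"
        flag = " (rDNS mismatch)" if hop["rdns_failed"] else ""
        print(f"hop {i} [{tag}]: {hop['from_host']} [{hop['from_ip']}]{flag} "
              f"-> {hop['by_host']} at {hop['date']}")
    origin = origin_hop(hops)
    print("origin IP to whois:", origin["from_ip"], "public" if is_public_ip(origin["from_ip"]) else "NOT public")
```

Run it and the first hop (written by atuin.os2.dhs.org) comes out as verified, naming 61.145.9.75 as the machine that connected to the recipient's server; the second hop, the one naming 211.241.199.209, was written by the Chinese relay and is reported as unverified: it is consistent with the rest of the headers (its timestamp is about 24 minutes before the local delivery), but the only party that can confirm it is the operator of mailserver.eagleshoes.com.cn, which is why the post's advice to send them the complete headers matters.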