If you receive a spam message, or anti-virus software on your system reports that it detected a virus or worm in an incoming message, you can't rely on the "from" address to reveal the true origination point of the message. It is highly unlikely that such messages actually came from the user listed in the "from" address. Most spammers and mass-mailing worms use spoofed "from" addresses. These may be fictitious addresses; real addresses that a worm found by scanning an infected system for email addresses; addresses found by spam spiders, which are programs that search the web for valid email addresses posted on websites; or addresses that are likely to be valid on a domain, such as info, information, admin, administrator, root, etc.
Sending a reply to the "from" address, whether to warn the user at that address that his or her system is infected with a virus or to complain about spam, will likely be fruitless, since that user never sent you the spam or virus. So how can you determine where the message actually originated? By looking at the message headers. Most email clients commonly used on Windows systems hide the message headers from users by default, but there is usually still a way to view them.
In Outlook 2002, the procedure is as follows:
- Double-click on the message in Outlook to view it.
- Click on "View" and then "Options". A "Message Options" window appears with the Internet headers displayed at the bottom of the window.
If you want to copy those headers to an email message or file, click inside the "Internet headers" section, hit the Ctrl and A keys simultaneously to select the entire contents of that section or just click and drag with the mouse to highlight all of the information. Then hit the Ctrl and C keys simultaneously to copy the information into the Windows clipboard. Then inside an email message you are composing or a file you've opened, hit the Ctrl and V keys simultaneously to paste the information into the message or file.
Scrolling through the message headers will reveal the origination point of a message. Don't expect to find an email address associated with the true sender, but the headers will show the Internet Protocol (IP) address of the sending system and the path the message took from that system to your system.
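Once the headers are pasted into a file, the path can be read out of the "Received" lines programmatically. The following is an added example, not part of the original article: it parses a constructed set of headers (example domains and documentation IP addresses, all made up) and lists each hop from the sending system to the receiving one; the function names `relay_path` and `origin_ip` are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample headers (example domains, documentation IP ranges).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123
\tfor <user@example.org>; Mon, 05 Jan 2004 10:15:32 -0500
Received: from relay.example.com (unknown [203.0.113.45])
\tby mx.example.net with SMTP id def456;
\tMon, 05 Jan 2004 10:15:30 -0500
From: "Admin" <admin@example.org>
To: user@example.org
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IP logged by the receiving server
BY_RE = re.compile(r"\bby\s+(\S+)")                    # server that accepted the message


def relay_path(raw):
    """Return hops oldest-first as (connecting_ip, receiving_host) tuples."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        ip = IP_RE.search(text)
        by = BY_RE.search(text)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    hops.reverse()  # each relay prepends its line, so the bottom one is the earliest
    return hops


def origin_ip(raw):
    """IP address recorded by the earliest hop that logged one, or None."""
    # Caveat: only lines added by servers you trust are reliable; a sender
    # can insert forged "Received" lines below the first genuine one.
    for ip, _ in relay_path(raw):
        if ip:
            return ip
    return None


if __name__ == "__main__":
    for n, (ip, host) in enumerate(relay_path(SAMPLE), 1):
        print(f"hop {n}: {ip} -> {host}")
    print("origin:", origin_ip(SAMPLE))
```

Note that the "From" line in the sample plays no part in the result, which is the point made above: the path comes from what each receiving server recorded, not from what the sender claimed.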