The Received lines are a chain.  You start at the top, which is the most *RECENT* place the e-mail came from.  The *BOTTOM* is where the e-mail started from, with one caveat: the spammer can add Received: lines onto the bottom, making it look like it really originated from somewhere else.  As you get experience you will figure out what "looks wrong" and ignore those lines.

> Received: from smtp.your.isp ([]) by smtp.your.isp with

> Microsoft SMTPSVC(5.0.2195.5329);

> Wed, 6 Aug 2003 22:25:06 +0100

Received by your ISP (Internet Service Provider).

> Received: from ([]) by

> smtp.your.isp with Microsoft SMTPSVC(5.0.2195.5329);

> Wed, 6 Aug 2003 22:25:00 +0100

Received from by your ISP.  Double check that actually is at Sam Spade:

SamSpade says: has valid reverse DNS of

So that is correct.  Please note that is a DSL connection.  I would almost bet that the e-mail originated from and that the next line was put into the e-mail to confuse the issue.

> Received: from ([])

> by with ESMTP id 31E493C63CF

> for <>; Wed, 06 Aug 2003 18:17:34 -0400

Again we check that is

Sam Spade says: has valid reverse DNS of

Something is not right here.

We look up in Sam Spade:

Nothing is found.

We look up in Google:

Google hasn't heard of it.  Also note that the time on the Received line above is:

Wed, 06 Aug 2003 18:17:34 -0400

The Received line above it is:

Wed, 6 Aug 2003 22:25:00 +0100

So when we correct them all to the same time zone we get:

Received #1: Wed, 6 Aug 2003 21:25:06 +0000

Received #2: Wed, 6 Aug 2003 21:25:00 +0000

Received #3: Wed, 06 Aug 2003 22:17:34 -0000

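So either the third Received line was faked (a very good possibility) or the machines' clocks were all screwed up (much less of a possibility).  The third line is supposed to be the earliest hop, yet its time is later than the two hops above it.  I would discard the last line as faked.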
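The same time comparison can be done mechanically. The Python below is an added example, not part of the original write-up: it converts every Received timestamp to UTC and flags any hop that claims a later time than the hop above it. The timestamps are the ones shown on this page; the host names and addresses are constructed placeholders (the originals are elided), and the five-minute clock-skew tolerance is an assumption.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: timestamps are the ones on this page; host names and
# IPs are placeholders because the page's originals are elided.
SAMPLE = """\
Received: from smtp.your.isp ([192.0.2.1]) by smtp.your.isp with
\tMicrosoft SMTPSVC(5.0.2195.5329);
\tWed, 6 Aug 2003 22:25:06 +0100
Received: from dsl-host.example ([192.0.2.2]) by
\tsmtp.your.isp with Microsoft SMTPSVC(5.0.2195.5329);
\tWed, 6 Aug 2003 22:25:00 +0100
Received: from claimed-origin.example ([192.0.2.3])
\tby relay.example with ESMTP id 31E493C63CF
\tfor <user@your.isp>; Wed, 06 Aug 2003 18:17:34 -0400
Subject: constructed sample

body
"""

def received_times_utc(raw_message):
    """Return the UTC timestamp of each Received header, top (newest) first."""
    msg = message_from_string(raw_message)
    times = []
    for value in msg.get_all("Received", []):
        # The date-time is whatever follows the last ';' in a Received field.
        stamp = value.rsplit(";", 1)[-1].strip()
        dt = parsedate_to_datetime(stamp)
        if dt.tzinfo is None:          # "-0000" parses as naive; treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        times.append(dt.astimezone(timezone.utc))
    return times

def suspicious_hops(raw_message, skew=timedelta(minutes=5)):
    """Return (hop_number, seconds_ahead) for hops later than the hop above."""
    # Hop 1 is the top line. `skew` is an assumed allowance for clock drift.
    times = received_times_utc(raw_message)
    flagged = []
    for i in range(1, len(times)):
        ahead = times[i] - times[i - 1]   # a lower line should be older
        if ahead > skew:
            flagged.append((i + 1, int(ahead.total_seconds())))
    return flagged

if __name__ == "__main__":
    for hop, secs in suspicious_hops(SAMPLE):
        print(f"Received #{hop} is {secs}s later than the hop above it")
```

A flagged hop is only a hint that the line may be forged; a badly set server clock produces the same result, so confirm with the reverse DNS checks described here.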

Therefore we would send a complaint to whoever owns:

We go to Google and search for abuse and

Don't find much so we go to Sam Spade or Abuse Net and take a look for

Tells us:

Sam Spade tells us:

It traces through Verizon so I would send the complaint to  If it tells me that the person to complain to is not a "major" Internet Provider I take a look at their web page.  If it looks like they address spam issues then I send them the complaint otherwise I let the major Internet Provider handle it.

Everything below this line is easily faked, so for the most part you can ignore it.

> Message-ID: <u-64i-8se8$q476-5b49-7y@tjb1voib2>

> From: "Molly Baxter" <>

> To:

> Subject: Jenni Lopez exposed nipple pics

> Date: Wed, 06 Aug 03 18:17:34 GMT

> X-Mailer: Microsoft Outlook Express 5.50.4522.1200

> MIME-Version: 1.0

> Content-Type: multipart/alternative;

> boundary="A45.B_.CD.5.EC46"

> X-Priority: 3

> X-MSMail-Priority: Normal

> Return-Path:

> X-OriginalArrivalTime: 06 Aug 2003 21:25:04.0639 (UTC)

> FILETIME=[33C138F0:01C35C61]

One more note: some spammers "name" their computer something that looks real, like "" or "".

> Received: from ([]) by with

> Microsoft SMTPSVC(5.0.2195.5600);

What is fake is the portion "".  That is what the spammer "named" their computer. Complain to gives us has valid reverse DNS of

Next we reverse check with Sam Spade:

The DNS search shows nothing, and traceroute said it doesn't exist.  So the initial Sam Spade lookup is correct.