Long and dull, but useful information:..
By now many folks know that emails claiming to be from Fed Ex, or UPS, or the postal service about deliveries are often scams. But people often ask how do you tell for sure instead of just guessing?
The way to tell is to look at the email’s “Full Headers.” While such a display looks daunting there are particular details you are looking for and you can ignore a lot of the other detail.
What you are looking for is the often strangely formatted Received lines. What you are interested in is what system sent me the email? Did it really come from UPS or did it come from Moon-buk-tu?
Here is an example. It claims to be from UPS about a delivery confirmation contained in an attachment. First of all UPS doesn’t do that, so you know it’s not right from the start, but let’s continue.
Email gets handed off pony express style from one computer to another and there will be a Received line in the email for every “hop.”
Received: from mail.ups.com (mail.dawee.co.id [184.108.40.206])
by mymailsystem.blahblah.com (8.13.8/8.13.4) with ESMTP id q8A9vW9W028734
by mail.dawee.co.id with esmtpa (Exim 4.69)
for firstname.lastname@example.org; Mon, 10 Sep 2012 16:54:50 +0700
From: "UPS Quantum View"
Return-Path - this can be faked so ignore it.
Received lines go in reverse order so the last one to touch it is the one at the top and usually the one you want to look at. You want to look for the name of your system that receives email for you. In this case, I’m calling it mymailsystem.blahblah.com. The top Received line is what sent it to mymailsystem. That system claims to be mail.ups.com, but look inside the parenthesis. In an ESMTP Received line what is inside the parens is placed there by the email software and rarely is forged. What is inside the parens is who really sent the message: dawee.co.id which is a system in Indonesia. UPS may be an international company, but I can assure you that a system of theirs whose job it is to send email is never going to look like this. So we can safely conclude that it is a forgery.
The second received line is who sent it to indonesia which implies the Indonesian system may have been hacked/hijacked by a virus intended to send spams and scams. This line is generated by Exim and I’m not as familiar with how those lines are formatted though I do know they are easiliy configurable and so I don’t trust them as much. It is interesting that the parens only contain a “helo” which is what the system claims its name is to the mailer (listed as from Russia but very easily faked) and the ip address in the  doesn’t match it. The IP address is from Japan. (I checked with http://whatismyipaddress.com/ip/)
The implication is that the system is lying to the Indonesian system about where it is from.
Here is another example.
This claims to be from the ADP payroll system company.
That first glance a big clue: X-Mailer The Bat!
The Bat! is a mailer that is heavily used by spammers.
Return-Path is just whatever the spammer claimed to be
Received: from adpmailer.adp.com ([220.127.116.11])
by mymailsystem.blahblah.com (envelope-sender )
with ESMTP id q8ADQiYc012151; Mon, 10 Sep 2012 06:26:45 -0700
Received: from [18.104.22.168] (helo=eqlcqhhswioo.nxqyhrp.ru)
by with esmtpa (Exim 4.69) (envelope-from ) id 1MMCKK-1644oq-DH
for email@example.com; Mon, 10 Sep 2012 14:26:43 +0100
Date: Mon, 10 Sep 2012 14:26:43 +0100
X-Mailer: The Bat! (v2.04.7) Business
Looking at the first Received line, i find firstname.lastname@example.org which is my example email system. The system that sent it claims to be adpmailer.adp.com but, again, look inside the parens. there is no name inside the parens so we have to do a little more work by using http://whatismyipaddress.com/ip/. and it tells us this system is from Denmark which again is not an ADP system.
The system that sent it to the Denmark system is 22.214.171.124 which is a system in New Jersey and again not from Russia as it claimed to be.
This example is basic forged spam. It claims to be a stock tip from Italy but is really from a system in Russia (.ru inside the parens) that has likely been broken into:
Received: from ppp91-79-82-35.pppoe.mtu-net.ru (ppp91-79-82-35.pppoe.mtu-net.ru [126.96.36.199])
by mysystem.blahblah.com (8.13.8/8.13.4) with SMTP id q88GA0nQ027380
Received: from unknown (HELO ebd) ([188.8.131.52])
by ppp91-79-82-35.pppoe.mtu-net.ru with ESMTP; Sat, 8 Sep 2012 20:10:48 +0300
Message-ID: <001b01cd8ddc ab270="ab270" comp1ebd="comp1ebd" d1d0="d1d0">
001b01cd8ddc>From: "Keith Greer"
While the email address (email@example.com) is a forgery, the name of the Russian system (ppp91-79-82-35.pppoe.mtu-net.ru) has not been - it appears the same both inside and outside of the parens in the Received line. On the second Received line you can see the system that sent the spam through the Russian one. Its identity is more protected, but it is likely 184.108.40.206 which is a system in Ann Arbor Michigan owned by Merit Network (who is a college), and I will send the full headers to the Merit Network abuse address which I’m hoping is firstname.lastname@example.org. It's likely the Merit system has been broken into as well.