Often, you can isolate it to a single machine by analyzing the one portion of the header your own e-mail server provides. Figure 1 shows a real-life example (all real names have been changed).
Figure 1 Example e-mail header (fragment; real names changed)
  by lodestone.techtreaser.net with ESMTP
  2005 04:40:22 -0500
Subject: Re: Your Applicatiom
Date: Fri, 4 April 2005 09:36:35 -0600
The important data is in the Received: line. Each time a server receives an SMTP message, it is supposed to add a new Received: line at the beginning of the header block. The topmost line will have been added by your server.
My e-mail server added the topmost line in this example; since there are no other Received: lines further below it, it is probably safe to assume that it was delivered directly to my system by an embedded mini-SMTP engine running on an infected machine. Had there been more than one Received: line, the first one might have been a relaying mail server. As servers are not as likely to be infected as clients, you may want to skip down to the second entry.
Your concern should lie with the information provided by your server: the data in parentheses that follows the "from" information supplied by the sender. The sender-provided information will almost always be invalid in virus and spam mail, so you can just ignore it.
In this example, the information added by my server consisted only of the IP address of the machine handing me the message—10.10.8.112. That's the least amount of information you'll get. There may also be a machine name before the IP address, but still within the parentheses. If present, it is also trustworthy information and saves you the next step.
Two tools are needed to discover and verify the name of this machine and the owner of its domain: nslookup (host, on some operating systems) and whois. Both nslookup and host provide DNS lookups against hostnames or IP addresses. Figure 2 shows an example of nslookup:
Figure 2 Use of nslookup
Server:  Name of your mail server
Address: IP Address

Name:    Name of sender's mail server
Address: IP Address
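The two steps above, reading the trustworthy part of the topmost Received: line and then doing the reverse lookup that nslookup or host performs, can be scripted. The following Python is an added example written for this article, not code from the article itself. The message header it parses is constructed for the example (names and addresses are made up, using reserved documentation ranges), and the lookup helper simply wraps the operating system's resolver, so it needs network access and returns None without it.

```python
import re
import socket
from email import message_from_string

# Constructed sample message; names and addresses are made up, laid out like
# the article's Figure 1. The topmost Received: line is the one "our" server
# (lodestone.techtreaser.net) wrote; the second line arrived with the message
# and is therefore only as trustworthy as the machine that sent it.
SAMPLE_MESSAGE = """\
Received: from mail.friendly-isp.invalid (pc-112.home-dsl.invalid [10.10.8.112])
\tby lodestone.techtreaser.net with ESMTP id k34HgQ1x
\tfor <user@techtreaser.net>; Mon, 4 Apr 2005 04:40:22 -0500
Received: from desktop.forged.invalid (unknown [192.0.2.77])
\tby mail.friendly-isp.invalid with SMTP; Mon, 4 Apr 2005 09:36:35 -0600
From: someone@forged.invalid
Subject: Re: Your Application

(body omitted)
"""

# "from <claimed-name> (<verified-name> [<ip>])" as most MTAs write it; the
# verified-name part is optional ("[ip]" alone, or "unknown [ip]").
_FROM_RE = re.compile(
    r"^from\s+(?P<claimed>\S+)\s+\((?:(?P<verified>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]",
    re.IGNORECASE,
)
_BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;()]+)", re.IGNORECASE)


def parse_received(value):
    """Split one Received: value into the parts that matter for tracing.

    Returns a dict with the name the sender claimed (untrusted), the name and
    IP the receiving server observed on the TCP connection (trusted as far as
    that server is), and the receiving server's own name. Returns None when
    the line carries no parenthesised connection information.
    """
    flat = " ".join(value.split())  # unfold continuation lines
    m = _FROM_RE.search(flat)
    if not m:
        return None
    verified = m.group("verified")
    if verified and verified.lower() == "unknown":
        verified = None  # written by the MTA when reverse DNS failed
    ip = m.group("ip")
    if ip.upper().startswith("IPV6:"):
        ip = ip[5:]
    by = _BY_RE.search(flat)
    return {
        "claimed": m.group("claimed"),
        "verified_name": verified,
        "ip": ip,
        "by": by.group("by") if by else None,
    }


def received_chain(raw_message):
    """Parsed Received: lines, topmost (most recent hop) first."""
    msg = message_from_string(raw_message)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h is not None]


def suspect_hop(chain, relays_to_skip=0):
    """The hop to investigate.

    The topmost line was written by your own server, so its observed address
    is the machine that actually connected to you. If that machine is a relay
    rather than the infected client, pass relays_to_skip=1 to move one entry
    down; each step down relies on one more server having written the truth.
    """
    if not chain:
        return None
    return chain[min(relays_to_skip, len(chain) - 1)]


def claim_matches_observation(hop):
    """True when the name the sender claimed agrees with the name the
    receiving server observed. A mismatch is the norm for spam and malware."""
    verified = hop["verified_name"]
    return bool(verified) and hop["claimed"].lower() == verified.lower()


def reverse_lookup(ip):
    """PTR lookup, the equivalent of `nslookup <ip>` or `host <ip>`.

    Returns the hostname, or None when the address has no PTR record or the
    resolver is unreachable (requires network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(chain):
        print(f"hop {i}: observed {hop['ip']} ({hop['verified_name'] or 'no rDNS'}), "
              f"claimed {hop['claimed']}, received by {hop['by']}")
    hop = suspect_hop(chain)
    name = hop["verified_name"] or reverse_lookup(hop["ip"]) or "unknown"
    print("machine to investigate:", hop["ip"], "name:", name)
```

Run stand-alone, the script reports 10.10.8.112 as the machine to investigate: that address was observed by lodestone.techtreaser.net itself, whereas the 192.0.2.77 line below it was supplied by the sender and could have been written by the malware to make the message look relayed. When the observing server already recorded a reverse-DNS name in the parentheses, the lookup step is skipped, exactly as the article notes.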