Spammers know that they can be tracked through the â€œReceived:â€ lines in the headers. Therefore, they often attempt to obfuscate the headers to confuse matters. Although â€œReceived:â€ headers can also be forged, it is somewhat more difficult than simply forging the return address.
Most of your incoming email (including junk email) will have a total of only two â€œReceived:â€ lines in the headers: One generated by your ISPâ€™s incoming mail machine (indicating the address of the spammerâ€™s outgoing SMTP server), and one generated by the outgoing SMTP server indicating the originating IP. Although not unheard of, you should be suspicious of any additional â€œReceived:â€ headers below the second one. Sometimes, you will only find one â€œReceived:â€ line in the headers. This is because some spam software runs the outgoing mail server right on the spammerâ€™s PC (so they can avoid anti-bulk-email measures in place on their ISPâ€™s outgoing mail server).