SPAM how to determine the originator? Exchange 2003

This assumes that somebody has not forged any of the SMTP header information.

this is for the hops, not the from

view > options > header info.
Copy paste the entire contents into notepad

check the message-id: field
Message-ID: <76131413fe3ae29312fea96dd9fbf5@tifa-5fa7cbaf0b>

If its a exchange server - the part after the @ sign is the mailbox servername.
If its java etc - it is probably scripted through some Java/PHP mailer

now look for this field
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)
        by smtp109.mail.tp2.yahoo.com with SMTP; 03 Sep 2010 22:32:18 -0700 PDT

--
what I do is
a) Find the originating server - TIFA in this case.
b) Search for TIFA in the header field.
The IP address next to that = source of spam

--
But these things can be spoofed too.

I can insert fake from's to make it look like my SMTP server was the middle of the stream instead of the originator of the stream.

True @ giltjr

Here is the header.
 
spam.txt

Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
spam

most likely someone using hotmail for their relay

all of these headers can be spoofed.

They even have a x- header with spam assassin signature as clean.

------------------
Microsoft Mail Internet Headers Version 2.0

Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);

Resent-To: info@exchange.myserver.com
Resent-From: info@myserver.com
Resent-Message-Id: <B0534444566@mail.spamserver.net>
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400

X-Modus-Audit: FALSE;0;0;0

Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0)
with ESMTP id <B0534444564@mail.spamserver.net> for <info@myserver.com>;

X-Modus-BlackList: x.x.x.x=OK;=OK
X-Modus-Trusted: x.x.x.x=NO
X-Modus-Audit: FALSE;0;0;0
Received: from snt0-omc4-s43.snt0.hotmail.com (snt0-omc4-s43.snt0.hotmail.com [65.54.51.94])
            by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356
            for <info@myserver.com>; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)
Received: from SNT0-MC3-F14.Snt0.hotmail.com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
             Fri, 10 Sep 2010 02:00:36 -0700
Message-ID: <LbIUndNXh0000e41f@SNT0-MC3-F14.Snt0.hotmail.com>
Subject: Delivery Status Notification (Failure)

X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,
            required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)

Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
             Fri, 10 Sep 2010 02:00:36 -0700
Received: from me-wanadoo.net (localhost [127.0.0.1])
            by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;
            Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from me-wanadoo.net (localhost [127.0.0.1])
            by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;
            Fri, 10 Sep 2010 11:00:35 +0200 (CEST)
Received: from FILESERVER (LRouen-152-83-1-113.w80-13.abo.wanadoo.fr [80.13.64.113])
            by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;
            Fri, 10 Sep 2010 11:00:34 +0200 (CEST)

This is the header from the e-mail telling you it was rejected.

I have not record of sending the email.