By revealing all the headers you can see each hop the e-mail message made to get to from the originator to you.
Each time an e-mail makes a hop, from the sender to the recipient, it is stamped with the information of the relaying server. A typical e-mail will have two to five hops and each hop will be stamped Received: showing where the relaying mail server received the e-mail. The first Received hop, at the bottom of the list, is usually where the e-mail originated and each successive hop is added above the previous hop. Of course these hops can be spoofed, but that's usually not necessary for a spammer since they highjack people computers (details below).
Most ISPs (except for Google and a few others) will stamp the sender's original IP address on the first hop - even if the e-mail was sent using Web mail.
Here's a perfect example of a phising spammer's e-mail claiming to be sent from PayPal.
(click on image to enlarge - blue highlighted area shows the IP address of the highjacked computer - actual recipient's e-mail address redacted for privacy)
The e-mail should have originated on PayPal's network but, instead, it originated somewhere in Brazil (com.br). Here's the text from its first received header, where the message orginated:
Received: from 18912151104.user.veloxzone.com.br (18912151104.userveloxzone.com.br [184.108.40.206] (may be forged)) by mac.com (Xserve/smtpin36/MantshX 4.0) with SMTP id l5ND6ElW020957 for < @mac.com>; Sat, 23 Jun 2007 06:06:16 -0700 (PDT)
18912151104.user.veloxzone.com.br is clearly not PayPal.com.
Hard To Catch
It's hard to catch spammers because they highjack unsuspecting personal computers throughout the world. In virtually all cases, these are Windows computers which have been infected with viruses, worms, and spyware. Each highjacked computer is used to send out fake e-mails (spam) to thousands of people without their knowledge before or after the fact. Some of these fraudulent e-mails claim to be from legitimate companies - especially financial institutions such as PayPal and banks.
The purpose of most of these phishing e-mails is get the recipient to click on a link in the e-mail which looks like it'll take the user to their financial institution but, instead, it redirects the user to a Web site which looks exactly like the real thing. From there, a user will enter their account login and password and then click submit, which submits the user's login and password to the spammer's server. Once the spammer has a user's login and password, they can log into that user's real account and do what they please.