and I'll illustrate with one of many "phish" spams I get.
First, find the originating ISP. You do that by doing whatever you have to do in your email program to see ALL the headers you got, like this:
Status: U
Return-Path: <[email protected]>
Received: from Sender (<193.108.234.170>)
    by aaron.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1cDGtD4Nf3Nl3qa0
    Sun, 12 Dec 2004 22:02:21 -0500 (EST)
Reply-To: <[email protected]>
From: "Washington Mutual" <[email protected]>
Subject: Important customer notification regarding Online Banking account
Date: Mon, 13 Dec 2004 05:02:23 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-ELNK-AV: 0
Dear Washington Mutual customer,
We recently reviewed your account, and suspect that your Internet Banking account may have been accessed by an unauthorized third party.
Protecting the security of your account and of the Washington Mutual network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.
<...>
Then, see that line: "Received: from Sender (<193.108.234.170>)"
That's where the thing really came from, and I betcha it's not Washington Mutual Bank.
So, you go to http://www.iks-jena.de/cgi-bin/whois and don't worry about it being all in German-- it's one of the best lookup sites I've found.
Put the sender's number in the search box and the search will come up with the originator of the spam, and it will be in English. It will also usually show an "abuse" email. Forward the entire email to the "abuse" address and be SURE to include ALL headers.
In my case, the originator is Romanian, so they might not care all that much, but many of them originate from here and western Europe. I have had good responses from many ISPs that don't want their clients doing this sort of thing. Most investigate, although they won't tell me what ultimately happened.
It's possible that a good hacker can even spoof that address, or just use them as a relay, but it's only the individual ISPs that have the means to track this stuff down. And, most of them hate it as much as we do, so they are motivated.
On edit-- there are Federal spooks who are looking into "phishing" but I haven't bothered with them so far. I've been leaving it up to the ISPs to notify the Feds. I'm not sure they have, but I have only so much time to deal with this.
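The header-reading step above, as an added example (not part of the original post): it unfolds the headers, walks the Received: chain from the hop nearest the origin, pulls out the first public IP to feed into a whois lookup, and compares the sender-supplied Date: with the receiving server's own timestamp. The sample headers are constructed from the ones quoted in the post; the mailbox addresses are placeholders because the post's copy has them redacted.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample based on the headers quoted above; mailbox addresses are
# placeholders (the post's copy has them redacted).
RAW = (
    "Return-Path: <sender@example.invalid>\n"
    "Received: from Sender (<193.108.234.170>)\n"
    "\tby aaron.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1cDGtD4Nf3Nl3qa0;\n"
    "\tSun, 12 Dec 2004 22:02:21 -0500 (EST)\n"
    'From: "Washington Mutual" <noreply@example.invalid>\n'
    "Subject: Important customer notification regarding Online Banking account\n"
    "Date: Mon, 13 Dec 2004 05:02:23 +0200\n"
    "\n"
    "Dear Washington Mutual customer,\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_chain(raw):
    """Received: headers oldest-first. Each relay prepends its own line, so
    the bottom-most header in the message is the hop closest to the origin."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))

def originating_ip(raw):
    """Public IP the earliest hop says it received the message from.
    Private/loopback addresses (internal relays) are skipped; None if no
    public address is found. Only the line added by your own server is
    trustworthy: anything below it can be forged by the sender."""
    for hop in received_chain(raw):
        for cand in IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue
            if ip.is_global:
                return str(ip)
    return None

def sender_clock_skew_seconds(raw):
    """Seconds between the sender-supplied Date: and the timestamp our own
    relay stamped in its Received: line, both compared in UTC. A large gap
    suggests a forged Date:; here the clocks agree to within seconds, and
    only the +0200 offset hints at where the mail was composed."""
    msg = message_from_string(raw)
    first_hop = msg.get_all("Received")[0]          # our server's own stamp
    stamped = parsedate_to_datetime(first_hop.rsplit(";", 1)[1].strip())
    claimed = parsedate_to_datetime(msg["Date"])
    return int((claimed - stamped).total_seconds())

if __name__ == "__main__":
    print("origin:", originating_ip(RAW), "skew(s):", sender_clock_skew_seconds(RAW))
```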