I decided to chatter about something specific about email headers...
How to find the sender's IP and a unique way to spoof your own:
1) First, you need to know how an email gets from your Yahoo account to your friend's Hotmail account (as an example).
You open your Yahoo account and start typing your email. When you press "Submit", Yahoo takes your email and slaps a "Received: " entry on it. It says when the email was received by Yahoo, from what IP it originated, and so on. So that Received entry is the first one, stuck onto the top of your email, headers and all.
Then Yahoo resolves hotmail.com and says "alrighty, I need to send this to mx01.hotmail.com". Then it connects to that server and passes the email on.
Now mx01.hotmail.com receives the email and slaps another Received: entry onto the TOP of the email. Again, it includes the IP address of Yahoo's mail server and the time it received it. It will also include what Yahoo's server announced itself to be via the HELO or EHLO command.
And that's the gist of it. There may be many Received entries because the mail servers may bounce it around a few times before it actually gets to you. But there is ALWAYS at LEAST one Received entry in the headers, and the original is the last Received entry (since all following Received entries are prepended to the top).
The way you can find out where an email comes from is via the "Received: " header entries.
2) Now you know how email is sent and how it is received. More importantly, you know where the original IP address can be found. Now it is time to consider this unique spoofing technique that I've figured out.
Spoof Received entries! As the receiver, you look at the last Received entry for the origin IP, right? Well, when composing the RAW email, add a few convincing-looking Received entries as if the email has bounced around a few times. Then send it directly (or not - it doesn't matter) to the receiver's mail server. Make sure that you use the HELO (or EHLO) command with a satisfactorily spoofed hostname.
Now unless the receiver attempts to resolve every IP in the headers and look for incorrect IP/host matches, they'll never know which Received entry is the REAL original IP. And typically, they'll think it's the last (spoofed) entry.
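The receiver-side check hinted at above, as an added example that is not part of the original post: the only Received line you can trust is the one your own MX wrote (the topmost), and forged lines below it usually fail to link up, because each older hop's "by" host should be the next newer hop's "from" host. The sample message, hostnames and IPs are constructed for the example; DNS lookups are deliberately left out so it runs offline.

```python
import re
from email import message_from_string

# Constructed sample message. The TOP Received line is the one the recipient's
# own MX added; the two below it were typed into the raw message by the sender
# to look like earlier hops. Note that the real hop's "from" host does not
# match the forged chain's "by" host.
RAW_EMAIL = """\
Received: from mail.sender.invalid (unknown [203.0.113.7])
    by mx01.recipient.invalid with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay2.sender.invalid (relay2.sender.invalid [198.51.100.20])
    by relay1.sender.invalid with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
Received: from webmail.sender.invalid ([192.0.2.44])
    by relay2.sender.invalid with HTTP; Mon, 1 Jan 2024 09:59:50 +0000
From: someone@sender.invalid
To: you@recipient.invalid
Subject: test

body
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(raw_message):
    """Return Received hops in header order (newest hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(value))  # unfold the header
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")  # IP sits in the parenthesised part
        hops.append({"from": m.group(1).lower(),
                     "by": m.group(3).rstrip(";").lower(),
                     "ip": ip.group(0) if ip else None})
    return hops

def analyze_chain(raw_message):
    """Trust only the hop our own MX wrote (index 0) and flag every place
    where an older hop's 'by' host is not the next newer hop's 'from' host."""
    hops = parse_received(raw_message)
    breaks = [i for i in range(len(hops) - 1) if hops[i]["from"] != hops[i + 1]["by"]]
    return {"hops": hops, "breaks": breaks,
            "trusted_origin_ip": hops[0]["ip"] if hops else None}

if __name__ == "__main__":
    r = analyze_chain(RAW_EMAIL)
    print("trusted origin IP:", r["trusted_origin_ip"])
    for i in r["breaks"]:
        print(f"chain break between hop {i} and hop {i + 1}: "
              f"{r['hops'][i]['from']} != {r['hops'][i + 1]['by']}")
```

Resolving each host and comparing it with the bracketed IP is the extra step the post mentions; it belongs in the same loop once you are online.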