Sometimes you need to check to see where a message really came from. The 'From:' email address is easily forged, so that cannot be relied upon.

The first thing you have to do is to get the full message headers. These may look daunting, but are very useful for problem diagnosis.

The most important headers are those beginning with Received. Each mail server which handles the message will add its own Received trace header to the start of the message. So, to see the passage of the message through time you have to find the lowest Received line in the headers, and work upwards.

If the message came from your local VPOP3 and you use SMTP authentication, you can also check the X-Authenticated-Sender header line, which shows which user logged in to send the message. (Note that if the passwords are weak, someone may have guessed their password and be using their account without their knowledge)