Tracking Down Spammers

IP Addresses are the key to tracking down spammers. I receive thousands of spam emails a day, and while I certainly don't have the time to track the sender of every spam email, I do spend some time targeting the really bad ones. Here's a primer on how you can do that yourself.

Every computer on the internet is represented by a numerical address called an "IP address". An IP address (of the IPv4 kind, which is what you will see in mail headers from this era) consists of four numbers separated by dots, for example "201.10.5.101"; that example happens to belong to a company in Brazil. Each of the four numbers can range from 0 to 255, giving 256 possibilities per position and almost 4.3 billion (256 to the fourth power) combinations in all. A number of ranges are reserved and never appear on the public internet: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255 are for private networks such as a home or office LAN, and 127.0.0.0 - 127.255.255.255 always means your own computer. If an address you dig out of a header falls in one of these ranges, it is a hop inside someone's private network (or a forgery), not an address anyone can look up.

When you receive an email, the IP address of the originating computer is recorded inside the email, in a section called the "headers". Most email applications hide most of the headers; normally you only see the sender's name and email address, the date and time sent, and the subject. Most applications can show you the complete headers, though. Check your email application's help documentation to find out how to do it in your case.

More than likely you will see several lines in the headers that begin with the word "Received" followed by a colon (":"). These are what we are interested in. As an email moves from the sender to you it passes through several servers, and each server adds its own "Received:" line to the top of the headers. The newest line is therefore at the top and the oldest at the bottom, so if nothing has been tampered with, the bottom "Received:" line describes the original sender. Nothing stops a spammer from writing fake "Received:" lines into the message before sending it, however, and those fakes will sit at the bottom looking genuine. The reliable way to read the chain is from the top down: the lines added by your own provider's servers can be trusted, and the first "from" address they recorded that is not one of their own machines is the real origin. Everything below that line is the sender's word and may be forged.

You'll see something like this:

Received: from forged.example.com (slime.spammer.com [10.71.84.44]) by relay.yoyolink.net (8.8.3/8.8.3) with SMTP id GAA02044 for ; Fri, 22 Nov 1996 01:23:46 -0500

What you should be interested in is the "10.71.84.44" part. The receiving server (relay.yoyolink.net) recorded, in square brackets, the address the connection actually came from, along with the name that address resolved to (slime.spammer.com). The name right after "from" (forged.example.com) is only what the sending machine announced about itself, and it can be anything at all. (The bracketed address in this particular example falls in a range reserved for private networks, so treat it as a placeholder; a real spammer's address will be a public one.)

You can find an excellent tutorial for determining if Received headers are forged here.
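The top-down reading of the "Received:" chain described above, and the way a fake bottom line fools the "last line is the sender" rule, as an added example (this is not code from the article). The message, hostnames, addresses and the list of "our" servers are all constructed for the example; the addresses come from documentation ranges, which is why the last function also treats them as not worth looking up.

```python
"""Walk the Received: chain from the newest hop downward, trusting only the
hops stamped by servers we operate.  Added example, not code from the
article; the message, hostnames, addresses and trusted-server list are
assumptions made up for the demonstration."""
import email
import ipaddress
import re
from email import policy

# Constructed sample.  Hops 1 and 2 were stamped by our own servers; hop 3
# was written by the spammer to make an innocent host look like the origin.
RAW_MESSAGE = b"""\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mailbox.example.net with ESMTP id A1B2C3; Fri, 22 Nov 1996 01:23:50 -0500
Received: from forged.example.com (slime.spammer.example [198.51.100.44])
\tby mx1.example.net (8.8.3/8.8.3) with SMTP id GAA02044; Fri, 22 Nov 1996 01:23:46 -0500
Received: from innocent.example.org (innocent.example.org [192.0.2.7])
\tby forged.example.com with SMTP id 99999; Fri, 22 Nov 1996 01:20:00 -0500
From: nobody@forged.example.com
To: you@example.net
Subject: constructed sample

body
"""

# Servers we run (the "by" side of a hop) and the addresses they connect
# from (the "from" side of an internal hop).  Assumed for the example.
TRUSTED_BY_HOSTS = {"mailbox.example.net", "mx1.example.net"}
OUR_IPS = {"203.0.113.10"}

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def received_lines(raw):
    """Received: header values, newest first, folded whitespace collapsed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def naive_last_hop_ip(raw):
    """The rule of thumb 'bottom Received line = original sender'.
    It believes a line the spammer may have written themselves."""
    lines = received_lines(raw)
    m = BRACKET_IP.search(lines[-1])
    return m.group(1) if m else None


def origin_ip(raw, trusted_by=TRUSTED_BY_HOSTS, our_ips=OUR_IPS):
    """Walk top-down.  The first hop stamped by a trusted server whose
    connecting address is not one of ours is the real origin.  Anything
    below a hop we did not stamp is untrusted, so we stop there."""
    for line in received_lines(raw):
        by = BY_HOST.search(line)
        ip = BRACKET_IP.search(line)
        if not by or by.group(1).lower() not in trusted_by:
            return None  # chain is no longer under our control
        if not ip:
            return None  # our server did not record a connecting address
        if ip.group(1) in our_ips:
            continue  # internal relay between our own machines; keep walking
        return ip.group(1)
    return None


def worth_looking_up(ip_text):
    """Private, loopback, link-local and documentation ranges never appear
    in a registry's allocation records, so a whois query would be pointless."""
    return ipaddress.ip_address(ip_text).is_global


if __name__ == "__main__":
    print("naive bottom-line answer:", naive_last_hop_ip(RAW_MESSAGE))
    print("trusted top-down answer:", origin_ip(RAW_MESSAGE))
    print("10.71.84.44 worth a whois query?", worth_looking_up("10.71.84.44"))
```

Run against the constructed message, the naive rule blames innocent.example.org while the top-down walk stops at the connection mx1.example.net actually accepted. Substitute your own provider's server names in TRUSTED_BY_HOSTS and OUR_IPS before using this on real mail.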

IP Address Ownership Lookup Information

It is possible to find out contact information for the company to which an IP address is assigned. You do this by querying a "Regional Internet Registry whois database". There are five such databases, all free to query, and each covers a part of the world:

  ARIN (whois.arin.net): North America
  RIPE NCC (whois.ripe.net): Europe, the Middle East and parts of Central Asia
  APNIC (whois.apnic.net): Asia and the Pacific
  LACNIC (whois.lacnic.net): Latin America and the Caribbean
  AFRINIC (whois.afrinic.net): Africa

One question you might have is "how do I know which whois database to query?" That's a good question: if you don't know where an IP address is located in the first place, you don't know which region's registry it will be listed under. The good news is that if you query the wrong database, its reply will tell you which registry actually holds the address, and you can repeat the query there.

How to Find IP Address Contact Info Easily

A good way to have the correct database queried automatically is the DNSStuff.com lookup service. The DNSStuff.com website offers a number of different types of queries; the one you want is called "IPWHOIS Lookup" (at the time of writing, in the middle column, third from the top). Enter the IP address you are interested in and the correct registry is queried for you. If you are comfortable at a command line, the whois program found on Linux, macOS and most Unix systems does the same job: "whois 201.10.5.101" picks the right registry for you, or you can name one explicitly with "whois -h whois.lacnic.net 201.10.5.101".

How much contact information is displayed depends on the type of registration for the IP address. Quite often all you will see is a company name followed by a range of numbers. The range is a "block" of IP addresses assigned to that company; the address you searched for lies within that block, so it is assigned to that company. You can click on the linked block to get more detailed contact information.
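The two things a registry reply can tell you, a referral to the registry that really holds the address (the "wrong database" case two paragraphs up) or the block and contact details themselves, as an added example rather than anything from the article or DNSStuff.com. Both replies below are constructed, in the "Key: value" layout ARIN's whois server uses (the field names ResourceLink, NetRange, OrgName and OrgAbuseEmail are taken from that layout and are an assumption here); the company and addresses are example values.

```python
"""Interpret a registry whois reply: either a referral to the registry that
administers the block, or the block and its abuse contact.  Added example,
not code from the article; replies are constructed and the 'Key: value'
field names follow ARIN's layout (an assumption)."""
import ipaddress

# Constructed: what asking the wrong registry (ARIN) returns for an address
# that LACNIC administers.  The referral is carried in ResourceLink.
REFERRAL_REPLY = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       200.0.0.0 - 201.255.255.255
CIDR:           200.0.0.0/7
NetName:        LACNIC-200-201
NetType:        Allocated to LACNIC
ResourceLink:   http://lacnic.net/cgi-bin/lacnic/whois
ResourceLink:   whois.lacnic.net
"""

# Constructed: a direct answer, with the block and the abuse mailbox.
DIRECT_REPLY = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
NetType:        Direct Allocation
OrgName:        Example Hosting, Inc.
OrgId:          EXHO
City:           Anytown
Country:        US
OrgAbuseEmail:  abuse@example-hosting.example
"""


def parse_whois(text):
    """'Key: value' lines into a dict of lists; comments and blanks dropped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "%")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def referral_server(fields):
    """Hostname of the registry to ask next, or None if this reply is final."""
    for link in fields.get("ResourceLink", []):
        if link.startswith("whois."):
            return link
    return None


def net_block(fields):
    """The allocated range as networks.  A NetRange need not be one CIDR
    prefix, so let ipaddress summarize it."""
    lo, _, hi = fields["NetRange"][0].partition("-")
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))


def lookup(ip_text, reply):
    """Summarize one registry reply for the address we asked about."""
    fields = parse_whois(reply)
    ip = ipaddress.ip_address(ip_text)
    if not any(ip in net for net in net_block(fields)):
        return {"status": "not-in-range"}  # reply is about some other block
    nxt = referral_server(fields)
    if nxt:
        return {"status": "referral", "ask": nxt}
    return {
        "status": "answer",
        "block": fields["NetRange"][0],
        "org": fields.get("OrgName", [None])[0],
        "abuse": fields.get("OrgAbuseEmail", [None])[0],
    }


if __name__ == "__main__":
    print(lookup("201.10.5.101", REFERRAL_REPLY))
    print(lookup("203.0.113.77", DIRECT_REPLY))
```

The containment check matters: a registry answers with the smallest block it knows about that covers the address, so if the address you asked about is not inside the NetRange that came back, you are reading the wrong record. With a real client you would feed the "ask" hostname back into "whois -h <host> <address>" and parse that reply the same way.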

You Have the Contact Info -- Now What?

You've made it to the detailed contact information page and now have a name, postal address and possibly a telephone number and email address. Occasionally the whois contact is the end user, but usually it is not: chances are the company is an Internet Service Provider (ISP). You could try contacting the ISP for further information about the user of the IP address, but you are unlikely to be successful.

Stopping Spam

Usually the listing will include an email address like "abuse@whatever.com" to which you can send spam complaints; include the complete headers so the ISP can identify which of its customers sent the message. Unfortunately, that is really the only direct way to handle such things. If an email notice gets no response, you could also try having an attorney send a letter to the address in the contact information.

If you find the spam particularly egregious, you could try contacting your local police and making a complaint with them. Make sure to give them copies of the spam emails you received, with the headers intact. The headers are what pin the email down to a particular user on the internet; they are the only way to link an email with a particular sender. Although ISPs are usually reluctant to give a user's contact details to a private individual, they are much more likely to respond to a district attorney's subpoena.

If you are a United States resident, you could report the spam to the Federal Trade Commission (FTC) Bureau of Consumer Protection via their Consumer Complaint Form.
