Re: spam

At 09:44 29/05/03 -0600, Vernon Schryver wrote:
> It is an article of faith for many people that most spam involves
> header forgery, but no one seems to have better support than intuition
> for that faith.

This comment prompted me to do a little experimentation. I keep all my spam (except the large ones that I don't bother to download), mostly unread.

It's not scientific, or very statistically significant, but I examined the last 20 spam mails I received, and noted that:

(a) 3 appear to have been received at my ISP with forged or inconsistent SMTP envelope information.

(b) 7 have significant inconsistencies between the email headers and the received-from trace, enough to make me believe that they are probably forged headers.

(c) 5 have email header information that may or may not be forged -- I couldn't see enough evidence to make an assessment either way.

(d) 5 have email headers that I believe to be genuine. Of these, 3 come from what I presume to be throw-away accounts at AOL or hotmail.

My assessments were made initially by comparing the from address with the received trace, and making a judgement (not always scientifically) about the relationship between the addresses offered. In some cases, I also looked at the message content and checked to see if the source address is DNS-resolvable and/or reachable. Of the "definitely-forged" headers, three used domain names that are operated by my own ISP, and which I'm pretty sure are not customers of same.

The 20 messages I examined appeared to be broadly typical of the style of spam I generally receive.

This little experiment suggests to me that header forgery is a significant factor in spam -- I estimate about 50% of the sample I examined.

And one other data point: in looking at my spam, I discovered two messages that were not strictly spam, because I had signed up for communications in the past, but which had been swept into my spam-box in the general clear-out. I don't currently use automatic filtering, but simply move unrecognized messages unopened into the spam box. The point of this is that legitimate email marketing is suffering by failing to be sufficiently distinct from the unsolicited spam.

I don't claim all this proves anything, but I think I have cause to believe forgery of email headers is involved in a significant portion of the spam I receive.

#g


------------------- Graham Klyne <GK@NineByNine.org> PGP: 0FAA 69FF C083 000B A2E9 A131 01B9 1C7A DBCA CB5E
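The comparison Graham describes (From: domain against the received-from trace) can be mechanised for the common "from <helo> (<rdns> [<ip>])" Received: syntax. The script below is an added example, not code from the post or the list; it assumes sendmail/Postfix-style Received: lines, and the hostnames and messages are constructed samples in documentation address ranges.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches "from <helo> (<rdns> [<ip>])" as written by sendmail/Postfix-style MTAs.
RECEIVED_FROM = re.compile(r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?", re.I)

def base_domain(name):
    """Crude registered-domain guess: the last two labels of a hostname."""
    return ".".join(name.lower().strip(".").split(".")[-2:])

def originating_rdns(msg):
    """Reverse-DNS name the MTA recorded for the earliest hop (the *last*
    Received:, since MTAs prepend); None if it logged only "[ip]" or "unknown"."""
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.search(" ".join(received[-1].split())) if received else None
    info = (m.group("info") or "") if m else ""
    if not info or info.startswith("["):
        return None
    rdns = info.split()[0]
    return None if rdns.lower() == "unknown" else rdns

def assess(raw):
    """Classify one message as the post does: consistent / inconsistent / indeterminate."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    rdns = originating_rdns(msg)
    if "@" not in addr or rdns is None:
        return "indeterminate"   # nothing verified to compare the From: domain with
    if base_domain(addr.split("@", 1)[1]) == base_domain(rdns):
        return "consistent"
    return "inconsistent"        # the relay's reverse DNS contradicts the From: domain

# Constructed samples (documentation IP ranges, invented hostnames).
FORGED = """\
Received: from relay.example-isp.net (relay.example-isp.net [192.0.2.10])
\tby mx.example.org with ESMTP; Thu, 29 May 2003 10:12:00 +0100
Received: from mail.bigbank.example (dsl-77.example-cable.net [198.51.100.77])
\tby relay.example-isp.net with ESMTP; Thu, 29 May 2003 10:11:55 +0100
From: "Account Services" <alerts@bigbank.example>
"""
GENUINE = """\
Received: from mail.example-news.com (mail.example-news.com [203.0.113.5]) by mx.example.org with ESMTP
From: newsletter@example-news.com
"""
UNVERIFIED = """\
Received: from host.example ([203.0.113.9]) by mx.example.org with SMTP
From: promo@example-news.com
"""
```

The HELO name is deliberately ignored in the verdict because the sender supplies it; only the reverse-DNS name the receiving MTA looked up itself is treated as evidence, which is why a bare "[ip]" hop lands in the indeterminate bucket rather than either of the others.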


