If you look at the detail of headers there are various 'IDs' such as
---------------------------------------
[tt]
Return-Path: <notifyme@tecumsehgroup.com>
Received: from mailgate2.sover.net (mailgate2.sover.net [209.198.87.64])
by mailhub1.sover.net (8.11.6/8.11.6) with ESMTP id g8ICtOh27256
. . .
18 Sep 2002 08:55:25 -0400 (EDT)
Received: from mail.tecumsehgroup.com (mail.tecumsehgroup.com [216.45.19.20])
by mailgate2.sover.net (8.11.6/8.11.6) with ESMTP id g8ICtNV24624
. . .
Message-Id: <200209181255.g8ICtNV24624
[/tt]
-----------------------------------------
These can be used to trace the casual 'spoofer'.
How easy is it to do? Very easy.
E.g. Eudora "automation": If I made a file, spoof.msg
--------------------------------------------
[tt]
To: someone@somwhere.net
From: aUmana@Tek_Tips.com
Subject: Spoof Sample
How are you doing today? Attached is your Klez.
[/tt]
--------------------------------------------
And then ran Eudora with spoof.msg as a parameter, it would be placed in the Eudora outbox, not with my name as 'From', but yours, or anyone else I wished to assign it to.
"From: Santa@NorthPole.Com" is good for kids at certain times of the year.
Spoofing is very simple to do but it is not untraceable, to the best of my knowledge, as with the IDs and enough prowling through logs one can find out the actual originating dial-in or workstation/user.
-------------------------------------------
Finally, regarding e.conversations, copies of Emails are not 'generally' stored at ISPs; that would be a privacy violation.
In that case there is no way that I know of to prove content of a message from copies.
Messages generally are stored in corporate environments as they belong to the company, in the US at least.
9/11 may have changed that considerably; many more are likely being stored in various places, but that probably will not help someone who claims they never sent a message.
"Hello, NSA? Would you please send me a copy of that message I sent to Mary Lambkins at 3:00 this afternoon to prove it was not harassing?"
I don't think so.
Many environments do not have the time, inclination or sometimes knowledge and skill to trace an Email source, so your claim of "I never sent that." is likely to fall on deaf ears.
If you suspect a person is stealing your email identity it would be a very good idea to start using digital signatures, at least.
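
The header trace described in the post above, as an added example that is not part of the original post: it walks the `Received:` chain origin-first, pulls each relay's queue ID, and checks whether the `Message-Id` carries one of those IDs, as it does in the quoted headers. The domains, IP addresses, queue IDs and the function names `trace` and `domain` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: example domains, documentation IPs and made-up queue IDs,
# shaped like the sendmail 8.11 headers quoted in the post.
SAMPLE = """\
Return-Path: <notify@sender.example>
Received: from mailgate.isp.example (mailgate.isp.example [192.0.2.64])
\tby mailhub.isp.example (8.11.6/8.11.6) with ESMTP id g8IHUB00002
\tfor <someone@isp.example>; Wed, 18 Sep 2002 08:55:25 -0400 (EDT)
Received: from mail.sender.example (mail.sender.example [198.51.100.20])
\tby mailgate.isp.example (8.11.6/8.11.6) with ESMTP id g8IGATE0001
\tfor <someone@isp.example>; Wed, 18 Sep 2002 08:55:23 -0400 (EDT)
Message-Id: <200209181255.g8IGATE0001@mailgate.isp.example>
From: santa@northpole.example
To: someone@isp.example
Subject: Spoof Sample

How are you doing today?
"""

# "from HELO (rdns [ip]) by RELAY ... id QUEUEID"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)?\s*\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+).*?\bid\s+(?P<qid>[\w.-]+)", re.S)

def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def trace(raw):  # hypothetical helper name
    msg = message_from_string(raw)
    # Every relay prepends its own Received line, so reverse for origin-first order.
    hops = [m.groupdict() for v in reversed(msg.get_all("Received", []))
            if (m := HOP.search(v))]
    msgid = msg.get("Message-Id", "")
    return {
        "hops": hops,
        # Address the first relay saw the connection come from.
        "origin_ip": hops[0]["ip"] if hops else None,
        # The From: line is free text; the envelope sender is a separate value.
        "from_matches_envelope": domain(msg["From"]) == domain(msg["Return-Path"]),
        # A queue ID inside the Message-Id names the relay that stamped it,
        # i.e. whose logs hold the matching entry.
        "msgid_stamped_by": next((h["by"] for h in hops if h["qid"] in msgid), None),
    }

if __name__ == "__main__":
    for key, value in trace(SAMPLE).items():
        print(key, "=", value)
```

Only `Received:` lines stamped by relays you control or trust count as evidence; anything below the first such line was supplied by the sending side and can be made up like the `From:` line.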