December 3rd, 2003, 03:44 PM
#1
AOL EMail Headers.... Need Help Please.
Ok.... The situation:
I am helping a friend try to determine the perpetrator of some fairly heavy duty harassment of her family's company. The harassment goes as far as emailing the payroll files of the company to every employee - that's why I call it "heavy duty".
The suspicion was that it was a terminated employee but I am beginning to have second thoughts about that. The perpetrator has used different "free" email addresses from Yahoo, Hotmail and Netscape so the impression I had was that they weren't entirely stupid.
I got my hands on a couple of email headers sent from the Netscape address which indicate that the AOL system was used, (Netscape = AOL). There is a header line that reads:-
X-AOL-IP: XXX.XXX.XXX.XXX
I have searched around and can find no definitive answer as to what this is. My guess is that it is the IP address that sent the mail originally but the questions I have are:-
1. Does this mean that the original account is an AOL account, (Dial in to AOL - go to Netscape and send the message), or is this just any address on the net that the email was received from regardless of who the ISP is?
2. Can this be forged easily or even with difficulty, (I don't mean use a proxy, I mean forged)?
The reason I need to know this is because one of the two addresses is in California and the other is in Jordan..... Yet the suspicion is that the perpetrator _has_ to be in Pennsylvania since some of the files being emailed are unavailable online and a scan of the website indicates a fairly well protected server.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides