You need to enable headers in whatever email software you're using (or in whichever web based service you're using). The headers will look something like this :
Received: from [188.8.131.52] (helo=kygeek.org)
by neptune.dnsprotect.com with smtp (Exim 4.24)
Received: (qmail 26108 invoked from network); 13 Dec 2003 21:52:17 -0000
Received: from localhost (HELO mail.thelocust.org) (127.0.0.1)
by localhost with SMTP; 13 Dec 2003 21:52:17 -0000
Received: from 184.108.40.206
(SquirrelMail authenticated user email@example.com)
by xxxl.xxxlocust.org with HTTP;
Sat, 13 Dec 2003 16:52:17 -0500 (EST)
Look at the last "Recieved" header, (last as in the bottom most one), that will tell you the IP address of the person who sent it. In this case, it is from 220.127.116.11. Now that you have this IP, you can do a whois lookup to see who owns this IP. If it is an ISP, you email them and tell them the IP as well as the time noted above (the time is shown with offset from GMT). Then they can tell you which user had that IP address at that particular time. They don't necessarily have to cooperate with you though.
If the emails are threatening, you could consider getting the police involved, they will make sure the ISP's hand over the logs. In some countries, not keeping logs can be considered a crime.
If you post the headers to this forum, I'll help you read them.
Hey inde, i'm fine, been a bit busy,
Where you find the email headers depends on what email client you're using.. if you use Outlook Express you right click on the message, then click properties, then 'details'..
If you use webmail such as yahoo or hotmail, then go to your preferences and one of the options is to view the full headers, I usually just leave it on as it can be quite informative.. for example a cousin of mine was mailing me from his university computer lab, and when i looked at the headers I saw the lab server name so I visited it and saw the homepage of their batch with the projects they were working on. He hadn't shown me the website yet and was surprised that I'd found it.
Yep, it is usually fairly simple.. just read the last 'Recieved from:' line.. however if the person used a proxy or something similar then it may be a little bit more involved, but once you get the hang of it its really simple.