An e-mail header is more than "From:" , "To:", "Date:" and "Subject".
A complete e-mail header may indicate where a message comes from physically (though this can be faked or "spoofed").
This is not the same thing as the name of the e-mail provider.
You can sign up for a webmail account with Yahoo Canada, or Rediffmail (an Indian mail provider) or any mail provider in the world, no matter where you are physically. Yahoo or Rediffmail will handle the mail; but they are not where the message starts out. Someone has to provide the actual connection to the internet before the scammer can even see the Yahoo or Rediffmail web page. This connection to the internet could be a cybercafe in Lagos, or Amsterdam, or anywhere.
Normally your e-mail reader (which may be a included in a web browser, or may be a stand-alone specialized program such as Eudora, Entourage or Apple Mail) will not show you the headers. It's messy stuff (see below).
You can make them show up more or less easily, depending on the program. It could be a matter of toggling an icon, or clicking a preference, or setting a (perhaps deeply nested) menu option. Investigate your settings, or consult your ISP.
>Received: from web21309.mail.yahoo.com ([188.8.131.52]) by >arts3.arts.state.tx.us with SMTP (Microsoft Exchange Internet Mail Service >Version 5.5.2650.21) > id CRR9DYQV; Wed, 6 Feb 2002 05:43:03 -0600 >Received: from [184.108.40.206] by web21309.mail.yahoo.com via HTTP; Wed, 06 >Feb 2002 03:43:03 PST >Message-ID: <email@example.com> >Date: Wed, 6 Feb 2002 03:43:03 -0800 (PST) >From: ibunor onanefe
220.127.116.11 (the number in [brackets] is possibly the originating ip address. You can then query ARIN ( www.arin.net ) or, more likely, RIPE ( www.ripe.net ) or AFRINIC ( www.afrinic.net ) directories for North American and European-African addresses, respectively. (South African IP addresses are often found in ARIN, though.)
The result in this case:
inetnum: 18.104.22.168 - 22.214.171.124 netname: PRODIGY-01 descr: Prodigy International descr: Nigeria country: NG admin-c: LCM2-RIPE tech-c: TO32-RIPE status: ASSIGNED PI mnt-by: RIPE-NCC-HM-PI-MNT mnt-by: AS12491-MNT mnt-lower: RIPE-NCC-HM-PI-MNT mnt-routes: AS12491-MNT notify: firstname.lastname@example.org changed: email@example.com 20011106 source: RIPE person: Larry Chidi-Maha address: Prodigy International address: 8 Oduduwa Way address: Gra, Ikeja address: Lagos, Nigeria phone: +234 4939653 fax-no: +234 4939654 e-mail: firstname.lastname@example.org nic-hdl: LCM2-RIPE notify: email@example.com changed: firstname.lastname@example.org 20011024 source: RIPE person: Tony Olisamah address: Prodigy International address: 8 Oduduwa Way address: Gra, Ikeja address: Lagos, Nigeria phone: +234 4939653 fax-no: +234 4939654 e-mail: email@example.com nic-hdl: TO32-RIPE notify: firstname.lastname@example.org changed: email@example.com 20011127 source: RIPE
The ISP is not necessarily promoting a scam. ISPs are exploited all the time. Someone can walk into a cybercafe, send off a barrage of spam, and walk out. In some parts of the world, cybercafes are inundated with scammers. This may or may not be the fault of the cybercafe operator.
Scams and spams eat up their time and presumably profits.