Remember that the first headers are created by the SENDING computer. Email clients and spammers have absolute control over the headers they place in them.

Most mailservers will append additional headers when they forward the message. Some will add a SpamAssassin score or an identifier, for example, and most add information about the client that delivered the message to them.

Since most normal email passes through several mail gateways and servers en route to you, you can usually look at the full headers to follow its path to you. But I've seen at least a few cases where the spammer tried to make that difficult by adding path-like headers to the message before sending it into the system. Since it can be difficult to determine where the actual mailserver-provided headers start, you have to read them very carefully and determine at what point up the chain to stop trusting them. Client-provided headers that are attempting to look like mailserver routing headers are usually referred to as "forged headers".

It's becoming common for spammers and virus writers to add forged SpamAssassin/AVG scanned/passed headers in an attempt to fool downstream mailservers and recipients. (Mailservers will often skip rescanning a message if it claims to have already been scanned.)


I work for the Department of Redundancy Department
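An added example of the header-walking the post describes, not code from the poster or any mail product: it parses the Received chain of a constructed message from the top (the line written by your own server, which is the one header you can trust outright) downward, stops trusting at the first hop whose "by" host does not match the "from" host of the hop above it, and then flags any SpamAssassin/antivirus-style headers that sit below that point, because those were already in the message when the first trusted server received it. The sample messages, hostnames and IDs are made up, the assumption is that you are reading headers at the final recipient, and the from/by comparison is deliberately simple (HELO name versus local hostname), so a break in the chain is a prompt to read that region by hand rather than proof of forgery.

```python
import email
import re

# Header names that a receiving server adds to say "already scanned" and
# that a sender can forge just as easily. Lower-cased for matching.
SCAN_HEADERS = {"x-spam-status", "x-spam-flag", "x-spam-level",
                "x-spam-checker-version", "x-virus-scanned"}

# Constructed sample (not a real capture). The bottom Received line and
# the scan headers under it were written by the sender before it handed
# the message to relay.isp.example; the three hops above are genuine.
RAW_FORGED = b"""Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id ABC123
\tfor <victim@example.org>; Mon, 01 Jan 2024 10:00:03 +0000
X-Spam-Status: No, score=0.1
Received: from relay.isp.example (relay.isp.example [198.51.100.5])
\tby mx1.example.net (Postfix) with ESMTP id DEF456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.isp.example (Postfix) with SMTP id GHI789;
\tMon, 01 Jan 2024 10:00:01 +0000
Received: from mail.trusted-bank.example (mail.trusted-bank.example [203.0.113.200])
\tby smtp.bigcorp.example (Postfix) with ESMTP id JKL000;
\tMon, 01 Jan 2024 09:59:00 +0000
X-Spam-Status: No, score=-5.0 tests=NONE
X-Virus-Scanned: clamav-milter 0.103 at smtp.bigcorp.example
From: "Accounts" <accounts@trusted-bank.example>
To: victim@example.org
Subject: Invoice

body
"""

# Constructed clean message: every hop links to the one above it.
RAW_CLEAN = b"""Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id AAA111;
\tMon, 01 Jan 2024 10:00:03 +0000
X-Spam-Status: No, score=0.3
Received: from smtp.bigcorp.example (smtp.bigcorp.example [203.0.113.200])
\tby mx1.example.net (Postfix) with ESMTP id BBB222;
\tMon, 01 Jan 2024 10:00:02 +0000
From: someone@bigcorp.example
To: victim@example.org
Subject: Hello

body
"""


def parse_received(value):
    """Pull the 'from' and 'by' host tokens out of one Received header.

    Folded continuation lines are collapsed first. Either token may be
    missing (e.g. a locally submitted message has no 'from' clause).
    """
    flat = re.sub(r"\s+", " ", value)
    from_m = re.search(r"\bfrom (\S+)", flat)
    by_m = re.search(r"\bby (\S+)", flat)
    return (from_m.group(1) if from_m else None,
            by_m.group(1) if by_m else None)


def walk_chain(raw):
    """Return (hops, first_untrusted, suspect_scan_headers).

    hops is a list of (header_position, from_host, by_host), newest
    first. Trust starts at hop 0 (written by our own server) and stops at
    the first hop whose 'by' host is not the 'from' host of the hop above
    it; first_untrusted is that hop's index (len(hops) if no break).
    Scan headers positioned below the last trusted Received line were
    present before a trusted server saw the message, so they are suspect.
    """
    msg = email.message_from_bytes(raw)
    headers = list(msg.items())  # (name, value) in on-the-wire order
    hops = [(pos, *parse_received(val))
            for pos, (name, val) in enumerate(headers)
            if name.lower() == "received"]
    first_untrusted = len(hops)
    for i in range(1, len(hops)):
        prev_from, this_by = hops[i - 1][1], hops[i][2]
        if prev_from is None or this_by is None \
                or prev_from.lower() != this_by.lower():
            first_untrusted = i
            break
    last_trusted_pos = hops[first_untrusted - 1][0] if first_untrusted else -1
    suspect = [(name, re.sub(r"\s+", " ", val))
               for pos, (name, val) in enumerate(headers)
               if pos > last_trusted_pos and name.lower() in SCAN_HEADERS]
    return hops, first_untrusted, suspect


if __name__ == "__main__":
    for label, raw in (("forged", RAW_FORGED), ("clean", RAW_CLEAN)):
        hops, cut, suspect = walk_chain(raw)
        print(f"== {label}: {len(hops)} hops, trust stops at hop {cut}")
        for i, (_, frm, by) in enumerate(hops):
            print(f"  hop {i}: from {frm} by {by}", "" if i < cut else "<- untrusted")
        for name, val in suspect:
            print(f"  suspect scan header below trusted chain: {name}: {val}")
```

Run it and the forged sample stops trusting at hop 3 (the "trusted-bank" line claims to have been received by smtp.bigcorp.example, but the hop above was actually received from a bare IP literal by relay.isp.example), and the two scan headers sitting under that line are reported; the clean sample walks to the end with nothing flagged. Anything below the cut, including the bottom Received line itself, is the sender's own text and should be read as such.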