The dotted address in square brackets toward the right of each Received line is the numeric Internet (IP) address of the machine that actually connected to hand off the message, as recorded by the server that accepted it. Only the Received lines written by servers you trust (your own, or your provider's) are reliable; a spammer can forge any Received lines that sit below them in the header.
The text to the left of the open parenthesis is the “HELO/EHLO string,” the hostname the sending machine announces about itself at the start of the SMTP session. Nobody verifies it: an email server administrator (or a bot) can set it to display whatever he wants, including bush[dot]whitehouse[dot]gov.
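As an added illustration (this is not code from the original post), here is a small Python parser for the common Postfix/Sendmail-style Received clause, “from HELO (rdns [ip]) by host”. It pulls out the self-asserted HELO/EHLO string and the bracketed peer IP, flags when the receiving server's own reverse lookup disagrees with the HELO claim, and walks a header stack from the top to find the last hop written by servers you control. The Received lines, hostnames and addresses below are constructed examples using documentation ranges, not data from the botnet discussed here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Container, Iterable, Optional

# Constructed sample header stack (not from the original post), newest hop
# first, exactly as they appear in a delivered message. The addresses are
# from RFC 5737 documentation ranges. The third line is the kind of hop a
# spammer can prepend himself; nothing in it can be trusted.
MESSAGE_RECEIVED = [
    "from mx.example.net (mx.example.net [198.51.100.7]) by imap.example.net "
    "with ESMTP id 9Cd4y5; Mon, 3 Oct 2016 09:12:03 -0400",
    "from bush.whitehouse.gov (unknown [192.0.2.45]) by mx.example.net "
    "with ESMTP id 7Zk2q1; Mon, 3 Oct 2016 09:12:01 -0400",
    "from mail.bigbank.example (mail.bigbank.example [203.0.113.9]) "
    "by bush.whitehouse.gov with ESMTP id 1Ab2c3; Mon, 3 Oct 2016 09:11:58 -0400",
]

# "from <helo> (<rdns> [<ip>]) by <host>". <rdns> is the receiving server's
# reverse lookup of the connecting peer, or the literal "unknown".
RECEIVED_RE = re.compile(
    r"^\s*from\s+(?P<helo>\S+)\s*"
    r"\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class ReceivedHop:
    helo: str   # announced by the sending client; unauthenticated
    rdns: str   # reverse DNS of the peer, as recorded by the receiver
    ip: str     # the address that actually connected
    by: str     # the server that wrote this Received line


def parse_received(line: str) -> Optional[ReceivedHop]:
    """Extract HELO string, reverse-DNS name, peer IP and receiving host from
    one Received header. Returns None for shapes this parser does not handle
    or when the bracketed value is not a valid IP address."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    ip = m.group("ip").strip()
    if ip.lower().startswith("ipv6:"):   # some servers write "[IPv6:2001:db8::1]"
        ip = ip[5:]
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ReceivedHop(
        helo=m.group("helo").rstrip(".").lower(),
        rdns=m.group("rdns").rstrip(".").lower(),
        ip=ip,
        by=m.group("by").rstrip(".").lower(),
    )


def helo_is_consistent(hop: ReceivedHop) -> bool:
    """True only when the receiver's own reverse lookup of the peer agrees with
    the name the client announced. A mismatch or "unknown" does not prove
    forgery, but it means the HELO string is unverified and must not be used
    to attribute the message."""
    return hop.rdns not in ("", "unknown") and hop.rdns == hop.helo


def trusted_peer_ip(received_lines: Iterable[str], my_servers: Container[str]) -> Optional[str]:
    """Walk the header stack top-down (newest first) through the contiguous run
    of hops written by our own servers and return the peer IP of the last one:
    the address that actually connected to our perimeter. Hops below that run
    were written by the sender's side and may be fabricated. Stops early if a
    hop cannot be parsed, so an internal hop in an unhandled format yields the
    previous (internal) peer rather than a guess."""
    peer = None
    for line in received_lines:
        hop = parse_received(line)
        if hop is None or hop.by not in my_servers:
            break
        peer = hop.ip
    return peer


if __name__ == "__main__":
    for line in MESSAGE_RECEIVED:
        hop = parse_received(line)
        print(hop, "consistent" if hop and helo_is_consistent(hop) else "unverified")
    print("external peer:", trusted_peer_ip(MESSAGE_RECEIVED, {"imap.example.net", "mx.example.net"}))
```

In the sample stack the external peer is 192.0.2.45, whatever the HELO string claims; the bottom line, which names a bank's mail server, was written by the spammer's machine and carries no weight.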
For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites.
Having hit a wall in my research, I decided it might be good to publish what I’ve unearthed so far to see if this dovetails with any other research out there.
After that, each address happily loaded a Web page displaying the number of bots connecting to each IP address at any given time.
Here's the output from one controller that is currently being checked in with by more than 12,000 systems configured to relay porn spam (the relevant part is the “current activebots=” value at the start of the second line below).
Back in October 2016 (when these spam messages were sent) the FQDN “minitanth.info-88[dot]top” resolved to a specific IP address: 184.108.40.206.
Once one has all of the name server names (the domain's NS records), one simply does yet more DNS lookups, one A (and AAAA) query per name server hostname, to get the corresponding IP address for each one.