Re: Am i being thick...
Perhaps the IP used for the email (and visible in the headers) was traceable (via the ISP) to a router/hub/access point that kept a record of sessions - e.g. commercial Cisco wifi APs will keep records for each device containing MAC address, authentication method, #packets/bytes shipped in each direction, start time and duration (pinch of salt on that one as there's no explicit disconnect in wifi), so all they need to do is get a judge to sign off on a legal "search" of the router to get the logs from it, which are available through a standard API with the appropriate credentials (which no doubt the operator holds).
