Annoying you in the process.
by Leo A. Notenboom
"From" spoofing is how spammers send email that looks like it comes from you that you had nothing at all to do with. I'll look at how it's done.
OK, I know that spammers can send email spoofing the “From:” address to make it look like it came from me. But how? How do they gain access to my account to do that? Have I been hacked?
No. You have not been hacked.
“From” spoofing means faking the “From:” address on an email to make it look like it came from you. To do it, spammers don’t need access to your account at all. I’d say that 99.99% of the time it has nothing at all to do with your account, which is quite safe.
They only need your email address.
While your email account and your email address are related, they are not the same thing.
There are several ways a spammer can impersonate your email address and use it in the “From:” line of the email they send. All they need to do is craft an email with your email address listed as the sender and send it. It really is that simple. Your account need not be involved in any way.
Accounts versus addresses
Let me say that again: your email address is one thing, and your email account is another.
- Your email account is what you use to log in and gain access to the email you’ve received. In most cases, it’s also what you use to log in in order to be able to send email.
- Your email address is the information that allows the email system to route messages to your inbox. It’s what you give other people, like I might give you firstname.lastname@example.org.
The two are related only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.
I have a more detailed article discussing the relationship here: What’s the Difference Between an Email Domain, an Email Account, and an Email Address?
To see how spammers get away with “From” spoofing, let’s look at sending email.
Addresses, accounts, and sending email
Let’s take a quick look at how you create an account in an email program, like the email program that comes with Windows 10. Using “Advanced Setup” for “Internet email”1, we get a dialog asking for a variety of information.
I’ll focus on three key pieces of information you provide.
- Email address — This is the email address that will be displayed on the “From:” line in emails you send. Normally, you would want this to be your email address, but in reality, you can type in whatever you like.
- User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email.2
- Send your messages using this name — Called the “display name”, this is the name that will be displayed on the “From:” line in emails you send. Normally you would want this to be your own name, but in reality, you can type in whatever you like.
Very often, email programs display email addresses using both the display name and email address, with the email address in angle brackets:
From: Display name <email address>
This is used when most email programs create your email, and that’s what you’ll then see in the “From:” line.
To send email appearing to be from someone else, all you need to do is create an email account in your favorite email program, and use your own email account information while specifying someone else’s email address and name.
Looking at those same three bits of information:
- Email address — As we said above, it can be whatever you like. In this case, email sent from this account will look like it’s “From:” email@example.com.
- User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email. This hasn’t changed.
- Send your messages using this name — Again, this can be whatever you like. In this case, email from this account will appear to come “From:” Santa Claus.
Email sent using this configuration would have a spoofed “From:” address:
From: Santa Claus <firstname.lastname@example.org>
And that — or its equivalent — is exactly what spammers do.
Before you try spoofing email from Santa Claus yourself, there are a few catches:
- Your email program might not support it. For example, most web-based email services don’t have a way to specify a different email address to send from, or if they do, they require you to confirm you can access email sent to that address first. However, sometimes you can connect to those same services using a desktop email program, like Microsoft Office Outlook, as I’ve shown above, and configure it to do so.
- Your email service might not support it. Some ISPs check the “From:” address on outgoing email to make sure it hasn’t been spoofed. Unfortunately, with the proliferation of custom domains, this approach is falling out of favor. For example, I might want to use the email account I have with my ISP to send email “From:” my askleo.com email address. The ISP has no way to know whether that’s a legitimate thing, or whether I’m a spammer spoofing that “From:” line.
- It’s probably not anonymous. Yes, you can set the “From:” field to whatever you like, but you should be aware that other email headers (which you don’t normally see) may still identify the account you used to log in when you sent the email. Even if it’s not in the actual email headers, your ISP may well have logs that indicate which account sent the email.
- It might be illegal. Depending on who you try to impersonate, your intent, and the laws in your jurisdiction, it’s possible that misrepresenting yourself in email could run afoul of the law.
Spammers don’t care. They use so-called “botnets” or “zombies” that act more like full-fledged mail servers than mail clients (Microsoft Office Outlook, Thunderbird, and so on). They completely bypass the need to log in by attempting to deliver email directly to the recipient’s email server. It’s pretty close to anonymous, as spam is exceedingly difficult to trace back to its origin.
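As an added example (not code from the article), here is a short Python check a recipient or mail administrator can run over a raw message to see that the “From:” line is just a header, and to compare it with the headers the receiving server records. The message, host names and addresses are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (hypothetical hosts and addresses): the "From:" line
# names Santa Claus, but the envelope sender in Return-Path and the hop the
# receiving server recorded in Received point at a different domain.
RAW_MESSAGE = """\
Return-Path: <bulk-sender@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
    by mx.example.org with ESMTP id abc123
    for <you@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
From: Santa Claus <firstname.lastname@example.org>
To: you@example.org
Subject: Ho ho ho

Have you been good this year?
"""


def split_from(header_value):
    """Split a 'Display name <address>' header into (name, address)."""
    return parseaddr(str(header_value))


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_from_alignment(raw):
    """Compare the From: header with the envelope sender and first hop.

    A domain mismatch does not by itself prove spoofing (mailing lists and
    forwarders legitimately differ), but it is the first thing to look at
    when a message "from you" arrives that you never sent.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = split_from(msg.get("From", ""))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    received = msg.get_all("Received") or [""]
    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "return_path": return_path,
        "aligned": domain_of(from_addr) == domain_of(return_path),
        # Folded continuation lines were joined on parse; collapse whitespace.
        "first_hop": " ".join(str(received[0]).split()),
    }
```

On a real message, the same check is what you would apply before concluding anything from the “From:” line alone; the Received chain and Return-Path are added by servers along the way, not typed into account settings.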
Where’d they get my email address?
So you might be asking yourself: if they didn’t compromise your account, where did they get your email address?
Spammers get email addresses everywhere. Data breaches, public postings, emails forwarded by friends without removing your email address, less-than-reputable companies, some kinds of bulletin board postings, and more.
Basically, spammers get your email address from wherever they can but they don’t need access to your account to do it.
Spam might seem overwhelming at times. Here’s how to deal with it: How Do I Get Rid of All this Spam?!?!?
The “From:” spoofing takeaway
There’s nothing special about the “From:” address. It’s just another field which, like the “To:” field, can be set to any value you like. By convention — and sometimes automatically — we set it to our own email address when we send mail, so we get any replies. But there’s nothing that says it has to be that way.
And there’s nothing that forces it to be that way.
Similarly, since it’s just a setting on outgoing email, seeing a particular “From:” address doesn’t imply any relationship to the actual account that would receive email sent to that address. Spammers don’t need access to the account to make it appear in a “From:” line; all they need to do is type it in the account settings. Nothing more.
That spam didn’t really come from that address at all.
How do spammers get my email contacts?
Most commonly, spammers don’t get your email contacts at all. They simply send enough spam that at some point one or more of your contacts may get spam that is forged to look like it came from you. Occasionally spammers do hack email accounts and collect the contact list, but that’s not as common these days. More common are email addresses and relationships exposed publicly on social media sites and other services, where it’s easy to see who your contacts might be by who it is you interact with the most.
How did my email get spoofed?
As a general rule, your email might be spoofed for no reason other than the spammer having a database containing both your email address and name. That’s all they need to make an email look like it came from you.
Can spammers tell if you open an email?
Spammers can tell if you open an email only if you allow images to be viewed in the email, download an attachment included with the email, click a link within the email, or reply to the email. Best practice for spam prevention and personal security is, of course, to do none of those things unless you know the email is legitimate.
Will spam emails eventually stop?
Spam emails will likely never stop. All proposed solutions have issues, the largest being that all email providers need to agree on which solution to adopt. Rather than getting upset about the existence of spam, you’re generally better served by using a good spam filter, and training it to recognize spam arriving in your account. That way spam will continue to arrive, but will be diverted into your spam folder rather than your inbox.
Can someone use my email address without me knowing it?
Anyone can use your email address without you knowing about it. Spammers do it all the time when they forge the “From:” addresses in email. In reality, you might eventually hear about it because of a reply to that forged email, or some other action taken by the recipient, but there’s no requirement and no guarantee. Your email address is probably being used right now in some faked spam message.
Is just opening a spam email dangerous?
In general, as long as your email program is configured properly, opening a spam message is not dangerous. A proper configuration means that images are not displayed by default, that “return receipt” requests are ignored, and that executable programs included in the body of the message are ignored. It’s also important that you not click on any of the links contained in spam, and do not open any attachment included with spam.
Footnotes & References
1: As opposed to specifying a specific provider — like Outlook.com, Gmail or others — from the start. When you specify one of those pre-defined providers, the Mail program already knows most of the settings it needs and doesn’t ask you for them. By configuring a generic “Internet email” account, the Mail program makes no assumptions and asks for all the information it needs.