Annoying you in the process.
by Leo A. Notenboom
"From" spoofing is how spammers send email that looks like it comes from you that you had nothing at all to do with. I'll look at how it's done.
OK, I know that spammers can send email spoofing the “From:” address to make it look like it came from me. But how? How do they gain access to my account to do that? Have I been hacked?
No. You have not been hacked.
“From” spoofing means faking the “From:” address on an email to make it look like it came from you. To do it, spammers don’t need access to your account at all. I’d say that 99.99% of the time it has nothing at all to do with your account, which is quite safe.
They only need your email address.
While your email account and your emailaddress are related, they are not the same thing.
There are several ways a spammer can impersonate your email address and use it in the “From:” line of the email they send. All they need to do is craft an email with your email address listed as the sender and send it. It really is that simple. Your account need not be involved in any way.
Accounts versus addresses
Let me say that again: your email address is one thing, andyour email account is another.
- Your email account is what you use to log in andgain access to the email you’ve received. In most cases, it’s also what youuse to log in in order to be able to send email.
- Your email address is the information that allows the email system to route messages to your inbox. It’s what you give other people, like I might give you leo@askleo.com.
The two are related only to the extent that email routed to youusing your email address is placed into the inbox accessed by youremail account.
I have a more detailedarticle discussing the relationship here:What’s the Difference Between an Email Domain, an Email Account, and an Email Address?
To see how spammers get away with “From” spoofing, let’s look at sending email.
Addresses, accounts, and sending email
Let’s take a quick look at how you create an account in an email program, like the email program that comes with Windows 10. Using “Advanced Setup” for “Internet email”1, we get a dialog asking for a variety of information.
I’ll focus on three key pieces of information you provide.
- Email address — This is the email address that will be displayed on the “From:” line in emails you send. Normally, you would want this to be your email address, but in reality, you can type in whatever you like.
- User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email.2
- Send your messages using this name — Called the “display name”, this is the name that will be displayed on the “From:” line in emails you send. Normally you would want this to be your own name, but in reality, you can type in whatever you like.
Very often, email programs display email addresses using both the display name and email address, with the email address in angle brackets:
From: Display name <email address>
This is used when most email programs create your email, and that’s what you’ll then see in the “From:” line.
“From” Spoofing
To send email appearing to be from someone else,all you need to do is create an email account in your favorite emailprogram, and use your own email account information whilespecifying someone else’s email address and name.
Looking at those same three bits of information:
- Email address — As we said above, it can be whatever you like. In this case, email sent from this account will look like it’s “From:” santaclaus@northpole.com.
- User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email. This hasn’t changed.
- Send your messages using this name — Again, this can be whatever you like. In this case, email from this account will appear to come “From:” Santa Claus.
Email sent using this configuration would have a spoofed “From:” address:
From: Santa Claus <santaclaus@northpole.com>
And that — or its equivalent — is exactly what spammers do.
Caveats
Before you try spoofing email from Santa Claus yourself, there are a fewcatches:
- Your email program might not support it. For example, most web-based email services don’t have a way to specify a different email address to send from, or if they do, they require you to confirm you can access email sent to that address first. However, sometimes you can connect to those same services using a desktop email program, like Microsoft Office Outlook, as I’ve shown above, and configure it to do so.
- Your email service might not support it. Some ISPs check the “From:”address on outgoing email to make sure it hasn’t been spoofed.Unfortunately, with the proliferation of custom domains, this approach isfalling out of favor. For example, I might want to use the emailaccount I have with my ISP to send email “From:” myaskleo.com email address. The ISP has no way toknow whether that’s a legitimate thing, or whether I’m a spammerspoofing that “From:” line.
- It’s probably not anonymous. Yes, you can set the “From:”field to whatever you like, but you should be aware that other emailheaders (whichyou don’t normally see) may still identify theaccount you used to log in when you sent the email.Even if it’s not in the actual email headers, your ISP may well have logs that indicate which account sent the email.
- It might be illegal. Depending on who you try to impersonate, your intent, and the laws in your jurisdiction, it’s possible that misrepresenting yourself in email could run afoul of the law.
Spammers don’t care. They use so-called “botnets” or “zombies” that act more like full-fledged mail serversthanmail clients (Microsoft Office Outlook, Thunderbird, and so on). They completely bypass the need to log in by attempting to deliver email directly to the recipient’s email server. It’s pretty close to anonymous as spam is exceedingly difficult to trace back to its origin.
Where’d they get my email address?
So you might be asking yourself: if they didn’t compromise your account, where did they get your email address?
Spammers get email addresses everywhere. Data breaches, public postings, emails forwarded by friends without removing your email address, less-than-reputable companies, some kinds of bulletin board postings, and more.
Basically, spammers get your email address from wherever they can but they don’t need access to your account to do it.
Related
Spam might seem overwhelming at times. Here’s how to deal with it: How Do I Get Rid of All this Spam?!?!?
The “From:” spoofing takeaway
There’s nothing special about the “From:” address. It’s just another field which, like the “To:” field, can be set to any value you like. By convention — and sometimes automatically — we set it to our own email address when we send mail, so we get any replies. But there’s nothing that says it has to be that way.
And there’s nothing that forces it to be that way.
Similarly, since it’s just a setting on outgoing email, seeing a particular “From:” address doesn’t imply any relationship to the actual account that would receive email sent to that address. Spammers don’t need access to the account to make it appear in a “From:” line; all they need to do is type it in the account settings. Nothing more.
That spam didn’t really come from that address at all.
Related questions
How do spammers get my email contacts?
Most commonly spammers don’t get your email contacts at all. They simply send enough spam that at some point one or more of your contacts may get spam that is forged to look like it came from you. Occasionally spammers do hack email accounts and collect the contact list, but that’s not as common these days. More common are email addresses and relationships exposed publicly on social media sites and other services where it’s easy to see who your contacts might be by who it is you interact with the most.
How did my email get spoofed?
As a general rule, your email might be spoofed for no reason other than the spammer having a database containing both your email address and name. That’s all they need to make an email look like it came from you.
Can spammers tell if you open an email?
Spammers can tell if you open an email only if you allow images to be viewed in the email, download an attachment included with the email, click a link within the email, or reply to the email. Best practice for spam prevention and personal security is, of course, to do none of those things unless you know the email is legitimate.
Will spam emails eventually stop?
Spam emails will likely never stop. All proposed solutions have issues, the largest being that all email providers need to agree on which solution to adopt. Rather than getting upset about the existence of spam, you’re generally better served by using a good spam filter, and training it to recognize spam arriving in your account. That way spam will continue to arrive, but will be diverted into your spam folder rather than your inbox.
Can someone use my email address without me knowing it?
Anyone can use your email address without you knowing about it. Spammers do it all the time when they forge the “From:” addresses in email. In reality, you might eventually hear about it because of a reply to that forged email, or some other action taken by the recipient, but there’s no requirement and no guarantee. Your email address is probably being used right now in some faked spam message.
Is just opening a spam email dangerous?
In general as long as your email program is configured properly opening a spam message is not dangerous. A proper configuration means that images are not displayed by default, that “return receipt” requests are ignored, and that executable programs included in the body of the message are ignored. It’s also important that you not click on any of the links contained in spam, and do not open any attachment included with spam.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Footnotes & References
1: As opposed to specifying a specific provider — like Outlook.com, Gmail or others — from the start. When you specify one of those pre-defined providers, the Mail program already knows most of the settings it needs and doesn’t ask you for them. By configuring a generic “Internet email” account, the Mail program makes no assumptions and asks for all the information it needs.
2: One point of confusion I’m side-stepping is that email addresses are often used as usernames. They are still two distinct things.