“From” Spoofing: How Spammers Send Email that Looks Like it Came from You

"From" spoofing is how spammers send email that looks like it comes from you, even though you had nothing at all to do with it. I'll look at how it's done.

OK, I know that spammers can send email spoofing the “From:” address to make it look like it came from me. But how? How do they gain access to my account to do that?

They don’t.

“From” spoofing means faking the “From:” address on an email to make it look like it came from you, and to do it, spammers don’t need access to your account at all.

In fact, I’d say that 99.99% of the time it has nothing at all to do with your account, and your account is quite safe.

They only need your email address.

While your email account and your email address are related, they are not necessarily the same thing.

Accounts versus Addresses

Let me say that again: your email address is one thing, and your email account is another.

  • Your email account is what you use to log in and gain access to the email you’ve received. In most cases, it’s also what you use to log in in order to be able to send email.
  • Your email address is the information that allows the email system to route messages to your inbox.

The two are related only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.

I have a more detailed article discussing the relationship here: What’s the Difference Between an Email Domain, an Email Account, and an Email Address?

To see how spammers get away with what they do, we start with a look at sending email.

Addresses, accounts and sending email

Let’s take a quick look at how you create an account in an email program like Microsoft Office’s Outlook.

[Image: Outlook Display Name, Email Address and Account Information]

When you add a new mail account, you provide three key pieces of information.

  • “Your Name:” Called the “display name”, this is used as the name that will be displayed on the “From:” line in emails you send. Normally you would want this to be your own name, but in reality, it can be whatever you like.
  • “Email address:” This is used as the email address that will be displayed on the “From:” line in emails you send. Normally, you would want this to be your email address, but in reality, it can be whatever you like.
  • “User Name:” Along with the password, this identifies you to the mail service, grants you access to your mail box for incoming mail, and authorizes you to send email.

“From” Spoofing

To send email appearing to be from someone else, all you need to do is create an email account in your favorite email program, and use your own email account information while specifying someone else’s email address.

[Image: Outlook and Santa Claus]

And that – or its equivalent – is exactly what spammers do.

Where’d they get my email address?

So you might be asking yourself: if they didn’t compromise your account, where did they get your email address?

Everywhere spammers get email addresses. Public postings, emails forwarded by friends without removing your email address, less-than-reputable companies, some kinds of bulletin board postings and more.

Basically spammers get your email address from wherever they can. They just don’t need your account to do it.

Caveats

Before you try spoofing email from Santa Claus yourself, there are a few catches:

  • Your email program might not support it. For example, most web email services don’t have a way to specify a different email address to send from, or if they do, they first require you to confirm you can access email sent to that address. However, sometimes you can connect to those same services using a desktop email program, like Microsoft Office Outlook as I’ve shown above, and configure it to do so.
  • Your email service might not support it. Some ISPs check the “From:” address on outgoing email to make sure it hasn’t been spoofed. Unfortunately, with the proliferation of custom domains, this approach is falling out of favor. For example, I might want to use the email account I have with my ISP to send email “From:” my askleo.com email address. The ISP has no way to know whether that’s a legitimate thing, or whether I’m a spammer spoofing that “From:” line.
  • It’s probably not anonymous. Yes, you can set the “From:” field to whatever you like, but you should be aware that other email headers (which you don’t normally see) may still identify the account you used to log in when you sent the email. Even if it’s not in the actual email headers, your ISP may well have logs that indicate which account sent the email.
  • It might be illegal. Depending on who you try to impersonate, your intent and the laws in your jurisdiction, it’s very possible that misrepresenting yourself in email could run afoul of the law.

Spammers don’t care, and bypass all that. They use so-called “botnets” or “zombies”, which act more like full-fledged mail servers than mail clients (Microsoft Office Outlook, Thunderbird, and so on). They completely bypass the need to log in by attempting to deliver email directly to the recipient’s email server. It’s pretty close to being anonymous, as the spam is exceedingly difficult to trace back to its origin.


The “From” spoofing take-away

There’s nothing special about the “From:” address. It’s just another field which, like the “To:” field, can be set to any value you like. By convention – and sometimes automatically – we set it to our own email address when we send mail, so that we get any responses. But there’s nothing that says it has to be that way.

And often there’s nothing that forces it to be that way.

Similarly, since it’s just a setting on outgoing email, seeing a particular “From:” address doesn’t imply any relationship to the actual account that would receive email sent to that address. Spammers don’t need access to the account to make it appear in a “From:” line – all they need to do is, effectively, type it into the “From:” line. Nothing more.

That spam didn’t really come “From:” that address at all.
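The same point seen from the receiving side, as an added example that is not part of the original article: the visible “From:” is only header text, while the headers your own mail server stamps on delivery (Return-Path, the topmost Received, and Authentication-Results where the server performs SPF/DKIM/DMARC checks, which the article does not cover) record where the message actually came from. The sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail). The visible From: names one domain;
# the headers stamped by the receiving server name another.
RAW = """\
Return-Path: <bounce@bulk-sender.example>
Received: from unknown (HELO mail.bulk-sender.example) (203.0.113.45)
    by mx.recipient.example with SMTP; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example;
    spf=pass smtp.mailfrom=bulk-sender.example;
    dmarc=fail header.from=victim.example
From: "You" <you@victim.example>
To: someone@recipient.example
Subject: Hello

Body text.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """True if the domains match or one is a subdomain of the other (simplified)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def inspect_message(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])   # envelope sender, recorded at delivery
    auth = {k.lower(): v.lower() for k, v in re.findall(
        r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)}
    hops = msg.get_all("Received") or []       # topmost hop is added by your own server
    ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", hops[0]) if hops else None
    findings = []
    if not related(from_dom, env_dom):
        findings.append(f"From: domain {from_dom!r} differs from envelope sender {env_dom!r}")
    if auth.get("dmarc", "pass") != "pass":
        findings.append(f"receiving server recorded dmarc={auth['dmarc']}")
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "aligned": related(from_dom, env_dom), "auth": auth,
            "connecting_ip": ip.group(0) if ip else None, "findings": findings}

if __name__ == "__main__":
    for key, value in inspect_message(RAW).items():
        print(f"{key}: {value}")
```

Only the headers written by your own receiving server can be relied on; anything below the topmost Received line is supplied by the sender and can be as made-up as the “From:” line itself.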

This is an update to an article originally posted: May 4, 2008

Comments

  1. Ken B

    Think of the “from” line of an e-mail as nothing more than the return address on a snail-mail envelope. Nothing stops me from writing someone else’s name and address, and the mail will still go through.

  2. John Sinclair

    Presumably this means I should be careful about adding such spam emails to my spam filter’s list of spam addresses. I do occasionally send emails to myself, and I don’t want to block these.

  3. Alma van der Poel

    I get high importance mail from myself, stating “Delivery Status Notification (Failure)”; the picture then advertises medicine and the link takes me to Canadian Pharmacy. How do I prevent the spammers from doing it to me and how do I stop it?

  4. Michiibelle

    OK, so I completely understand that anyone can write anything in the “from” line, what I need to know is HOW do I block them when the from is my own address that they put in, and not theirs? I send myself emails all the time so I can print on another level of my home (to another imac) so I don’t want to block myself, What I’d like to know is HOW do I find their email? who it REALLY came from and block them and or track them down? I sooo wish I had a program to automatically extract the person’s address and spam them 1000 times over. Anyone write this yet?

    You can’t. That’s the whole point.

    Leo
    28-Sep-2009

  5. Kathleen

    Thank You, Leo! Your explanation was clear.
    People that are in MY address book are being sent these emails in batch mode/CC.

    Question:
    1. Without my password to my account, how do they get access to MY email address list? Some of these addresses are ancient, yet still good.
    It is especially annoying to find that these ‘addresses’ and the tag I gave them are being sent to multiple people. I always use BCC to avoid ‘giving out’ addresses, which I consider common courtesy, and hopefully avoids the violation of identity of sorts. I feel like a leper now!
    2. When can I hope for this to end? I’m deleting 70 or so notifications daily – in addition to knowing it’s still happening – someone is monitoring this for me.
    3. What Email software would you recommend? Or simply avoid HotMail?

    Please shorten as necessary.
    Thank you

    1) They can’t. It’s more likely that your account has been hacked and they have your password. Check this article: Someone’s sending email that looks like it’s from me to my contacts, what can I do? (Remember that you need to change much more than your password to regain/retain control.)

    2) You need to regain control of your account first. Change your password and everything else.

    3) Email software is different from an email service. Email software: I like Thunderbird. As for email services I avoid free, recommend those with customer service, but if you must go free: Gmail.

    Leo
    04-Sep-2010

  6. Giorgio

    In order to completely prevent spammers from sending email that looks like it is from you, a big improvement over the actual mail protocol is required.
    In Italy (the land of the spoofers) they came out with a new mail protocol called certified mail; you can read more about it here:

    http://www.openpec.org/eng/index.shtml

    This new protocol does not allow spoofing anymore. Unfortunately it’s something that has been adopted only in Italy so far, and I wonder if anyone else in the world will ever feel the need for this. The protocol must be adopted on both sides to work.

    I’m actually working for a company that sells this so-called certified mail: Poste-Certificate.it – PEC aziende. It’s interesting, but very bureaucratic, as everything here.

  7. Mike Castro

    Hi Leo, what you say is dead on. I get emails to my Spamfighter box all the time which are so called “returns” to me i.e. bounce backs, however I did not send them. As an experiment I set up a “spoof” account on my Thunderbird programme. I used a legit AOL account belonging to me and used a totally false name. I then sent myself an email and sure enough, I got the false name and my AOL email account. The only problem is the ones I get on my Thunderbird programme often end up in the Spamfighter box. Does this mean that my address is being blocked by Spamfighter ?

  8. Carlos R Coquet

    While on the subject of spammers, be very wary of sites offering to eMail something to some third party. You have no idea of what they are going to do with that eMail address. Even if the site does not sell these addresses to spammers, they may save the addresses and a spammer hacking into their site may get them. Another category of possible spammer farms is that of sending greeting cards. You are virtually giving them your address book. What will they do with it?? THINK BEFORE YOU DO IT!!!

  9. prabhakar hamigi

    I went through the article as I am one of the victims of this. I am really worried now as to how to stop this. One thing I noticed is that it sends mail only when I log on using my home Wi-Fi. However (as I gather from the answers) I try changing all the details in my account.

  10. Dave Hickman

    Hi,
    there is currently no way to stop “spoofing”. I have a custom domain name and the spoofer just prefixes my domain name with a random alpha-numeric string and churns out email. No check is ever made to see if this “spoof” address is valid, by that I mean is it a real account that I personally have created for my own use. Whilst this continues to be the case then we are all just victims. In this day and age the corrective measures are not technically challenging to implement but it seems that the technical will to do so isn’t there.

  11. David

    Leo, I recently had a fake email go to my banker in NY asking for a wire transfer. It had my Outlook signature at the bottom just like a real email from me and it also fake copied my director of finance. It went on to say my director would send wiring instructions. I am taking precautions up to and including reinstalling the operating system on all computers to ensure any malware or key stroke program is gone but wondering if the hacker actually gained access to my emails in Outlook or even worse, to my Outlook contact list?

    Any thoughts?

    • It could be as simple as having forged an email from some other computer with no access to your computer or account at all. But I’d certainly secure my account regardless.

  12. Alan M

    Nice article.
    Another thing they use is “me” in the sender’s address. Yahoo filters my e-mail and blocks them for me with the exception of PC Pitstop and Dave’s Computer tips. They were blocked as well till I allowed them through the first time.

    Thanks for caring……….Alan
