“From” spoofing means faking the “From:” address on an email to make it look like it came from you, and to do it, spammers don’t need access to your account at all.
In fact, I’d say that 99.99% of the time it has nothing at all to do with your account, and your account is quite safe.
They only need your email address.
While your email account and your email address are related, they are not necessarily the same thing.
Accounts versus Addresses
Let me say that again: your email address is one thing, and your email account is another.
The two are related only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.
I have a more detailed article discussing the relationship here: What’s the Difference Between an Email Domain, an Email Account, and an Email Address?
To see how spammers get away with what they do, we start with a look at sending email.
Addresses, accounts and sending email
Let’s take a quick look at how you create an account in an email program like Microsoft Office’s Outlook.
When you add a new mail account, you provide three key pieces of information.
- “Your Name:” Called the “display name”, this is used as the name that will be displayed on the “From:” line in emails you send. Normally you would want this to be your own name, but in reality, it can be whatever you like.
- “Email address:” This is used as the email address that will be displayed on the “From:” line in emails you send. Normally, you would want this to be your email address, but in reality, it can be whatever you like.
- “User Name:” Along with the password, this identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email.
To send email appearing to be from someone else, all you need to do is create an email account in your favorite email program, and use your own email account information while specifying someone else’s email address.
And that – or its equivalent – is exactly what spammers do.
Before you try spoofing email from Santa Claus yourself, there are a few catches:
- Your email program might not support it. For example, most web email services don’t have a way to specify a different email address to send from, or if they do, they first require you to confirm you can access email sent to that address. However, sometimes you can connect to those same services using a desktop email program, like Microsoft Office Outlook as I’ve shown above, and configure it to do so.
- Your email service might not support it. Some ISPs check the “From:” address on outgoing email to make sure it hasn’t been spoofed. Unfortunately, with the proliferation of custom domains, this approach is falling out of favor. For example, I might want to use the email account I have with my ISP to send email “From:” my askleo.com email address. The ISP has no way to know whether that’s a legitimate thing, or whether I’m a spammer spoofing that “From:” line.
- It’s probably not anonymous. Yes, you can set the “From:” field to whatever you like, but you should be aware that other email headers (which you don’t normally see) may still identify the account you used to log in when you sent the email. Even if it’s not in the actual email headers, your ISP may well have logs that indicate which account sent the email.
- It might be illegal. Depending on who you try to impersonate, your intent and the laws in your jurisdiction, it’s very possible that misrepresenting yourself in email could run afoul of the law.
Spammers don’t care, and bypass all that. They use so-called “botnets” or “zombies”, which act more like full-fledged mail servers than mail clients (Microsoft Office Outlook, Thunderbird, and so on). They completely bypass the need to log in by attempting to deliver email directly to the recipient’s email server. It’s pretty close to being anonymous, as the spam is exceedingly difficult to trace back to its origin.
The “From” spoofing take-away
There’s nothing special about the “From:” address. It’s just another field which, like the “To:” field, can be set to any value you like. By convention – and sometimes automatically – we set it to our own email address when we send mail, so that we get any responses. But there’s nothing that says it has to be that way.
And often there’s nothing that forces it to be that way.
Similarly, since it’s just a setting on outgoing email, seeing a particular “From:” address doesn’t imply any relationship to the actual account that would receive email sent to that address. Spammers don’t need access to the account to make it appear in a “From:” line; all they effectively need to do is type it into the “From:” line. Nothing more.
That spam didn’t really come “From:” that address at all.
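To check this on a message you have received, the added example below (not part of the original article) parses a raw message and sets the “From:” line, which the sender chose, beside the headers the mail servers recorded during delivery. The sample message is constructed, the function names are hypothetical, and it assumes the receiving server stamped the standard Return-Path and Received headers.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; domains and the IP are reserved documentation values.
RAW = """\
Return-Path: <bounce-7731@mailer.example.net>
Received: from unknown-host.example.net (unknown-host.example.net [203.0.113.45])
\tby mx.example.org with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
From: "Alice Example" <alice@example.com>
To: bob@example.org
Subject: Hello

Body text.
"""

def domain_of(addr):
    """Return the lowercased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def from_report(raw):
    """Compare what the message claims (From:) with what the servers recorded."""
    msg = message_from_string(raw)
    # Display name and address are both sender-supplied and unverified.
    display, from_addr = parseaddr(msg.get("From", ""))
    # Return-Path holds the envelope sender, written by the receiving server.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    # The top-most Received header is the one added by the recipient's own server.
    received = msg.get_all("Received") or []
    first_hop = " ".join(received[0].split()) if received else ""
    return {
        "display_name": display,
        "from_addr": from_addr,
        "envelope_sender": envelope,
        "receiving_hop": first_hop,
        "from_matches_envelope": bool(envelope)
        and domain_of(from_addr) == domain_of(envelope),
    }

if __name__ == "__main__":
    for key, value in from_report(RAW).items():
        print(f"{key:22} {value}")
```

A mismatch is a reason to look closer, not proof of spoofing: sending mail through an ISP account with a custom-domain “From:” address, as described above, produces the same difference.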