Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

81 comments on ““From” Spoofing: How Spammers Send Email that Looks Like It Came from You”

  1. Think of the “from” line of an e-mail as nothing more than the return address on a snail-mail envelope. Nothing stops me from writing someone else’s name and address, and the mail will still go through.

    Reply
    • I am hoping this little bit of advice will end up on top, to help others with “technologically primitive” friends and relatives.

      Often, when “newbies”, (no matter how old they are or how long they’ve had a computer or smartphone) get a cute/funny email, they want to share it. So, what do they do? They SHARE it. With EVERYONE! In doing so, they have unwittingly just sent YOUR email to EVERYONE and the pattern continues…their “Tech-Newb” friend(s) repeat(s) the “friendly offense” and, before you know it, hundreds or even thousands of folks (maybe some not-so-nice ones) have YOUR email and everyone else’s that was “lucky” enough to be part of all this fabulous love of sharing.

      My tip is, TELL them…TELL the “Tech-Newb” in your life that, while you “appreciate the sentiment, please, please, PLEASE, do not “share” these things with me”…and if you think they’ll “get” it, by All means, explain why!

      Reply
  2. Presumably this means I should be careful about adding such spam emails to my spam filter’s list of spam addresses. I do occasionally send emails to myself, and I don’t want to block these.

    Reply
  3. I get high importance mail from my self, stating “Delivery Status Notification (Failure)” the picture then advertise medicene and link takes me to Canadian Pharmacy. How do I prevent the spamers from doing it to me and how do I stop it?

    Reply
  4. OK, so I completely understand that anyone can write anything in the “from” line, what I need to know is HOW do I block them when the from is my own address that they put in, and not theirs? I send myself emails all the time so I can print on another level of my home (to another imac) so I don’t want to block myself, What I’d like to know is HOW do I find their email? who it REALLY came from and block them and or track them down? I sooo wish I had a program to automatically extract the person’s address and spam them 1000 times over. Anyone write this yet?

    You can’t. That’s the whole point.

    Leo
    28-Sep-2009

    Reply
    • Leo
      You are wrong the senders email address along with a Domains Abuse email can be seen easily when one looks at the headers of the email.
      To do this in Outlook client open the email in full screen mode, then on the file menu area select Properties.
      A small box appears which shows the Header information.
      In here along with a lot of other information one will find the senders email address. Once found add this to your blocked email spam filter.

      Reply
  5. Thank You, Leo! Your explanation was clear.
    People that are in MY address book are being sent these emails in batch mode/CC.

    Question:
    1. Without my password to my account, how do they get access to MY email address list? Some of these addresses are ancient, yet still good.
    It is especially annoying to find that these ‘addresses’ and the tag I gave them are being sent to multiple people. I always use BCC to avoid ‘giving out’ addresses, which I consider common courtesy, and hopefully avoids the violation of identity of sorts. I feel like a leper now!
    2. When can I hope for this to end? I’m deleting 70 or so notifications daily – in addition to knowing it’s still happening – someone is monitoring this for me.
    3. What Email software would you recommend? Or simply avoid HotMail?

    Please shorten as necessary.
    Thank you

    1) They can’t. It’s more likely that your account has been hacked and they have your password. Check this article: Someone’s sending email that looks like it’s from me to my contacts, what can I do? (Remember that you need to change much more than your password to regain/retain control.)

    2) You need to regain control of your account first. change your password and everything else.

    3) Email software is different from am email service. EMail software: I like Thunderbird. As for email services I avoid free, recommend those with customer service, but if you must go free: Gmail.

    Leo
    04-Sep-2010

    Reply
  6. In order to completely avoid spammers to send email that looks like you it requires a big improvement over the actual mail protocol.
    In Italy (the land of the spoofers) they came out with a new mail protocol called certified mail you can read more about it here:

    http://www.openpec.org/eng/index.shtml

    This new protocol does not allow spoofing anymore. Unfortunately it’s something that has been adopted only in Italy so far, and I wonder if anyone else in the world will ever feel the need for this. The protocol must be adopted on both sides to work.

    I’m actually working for a company that sells this so called certified mail: Poste-Certificate.it – PEC aziende It’s interesting, but very burocratic as everything here.

    Reply
  7. Hi Leo, what you say is dead on. I get emails to my Spamfighter box all the time which are so called “returns” to me i.e. bounce backs, however I did not send them. As an experiment I set up a “spoof” account on my Thunderbird programme. I used a legit AOL account belonging to me and used a totally false name. I then sent myself an email and sure enough, I got the false name and my AOL email account. The only problem is the ones I get on my Thunderbird programme often end up in the Spamfighter box. Does this mean that my address is being blocked by Spamfighter ?

    Reply
  8. While on the subject of spammers, be very wary of sites offering to eMail something to some third party. You have no idea of what they are going to do with that eMail address. Even if the site does not sell these addresses to spammers, they may save the addresses and a spammer hacking into their site may get them. Another category of possible spammer farms is that of sending greeting cards. Your are virtually giving them your address book. What will they do with it?? THINK BEFORE YOU DO IT!!!

    Reply
  9. I went thr’ the article as i am one of the victims of this.I am really worried now as to how to stop this.One thing i noticed is that it sends mail only when i log on using my home wi fi.However ( as i gather from the answers) i try changing all the details in my account.

    Reply
  10. Hi,
    there is currently no way to stop “spoofing”. I have a custom domain name and the spoofer just prefixes my domain name with a random alpha-numeric string and churns out email. No check is ever made to see if this “spoof” address is valid, by that I mean is it a real account that I personally have created for my own use. Whilst this continues to be the case then we are all just victims. In this day and age the corrective measures are not technically challenging to implement but it seems that the technical will to do so isn’t there.

    Reply
  11. Leo, I recently had a fake email go to my banker in NY asking for a wire transfer. It had my Outlook signature at the bottom just like a real email from me and it also fake copied my director of finance. It went on to say my director would send wiring instructions. I am taking precautions up to and including reinstalling the operating system on all computers to insure any malware or key stroke program is gone but wondering if the hacker actually gained access to my emails in outlook or even worse, to my outlook contact list?

    any thoughts?

    Reply
    • It could be as simple as having forged an email from some other computer with no access to your computer or account at all. But I’d certainly secure my account regardless.

      Reply
  12. Nice article.
    Another thing they use is “me” in the sender’s address. Yahoo filters my e-mail and blocks them for me with the exception of PC Pitstop and Dave’s Computer tips. They were blocked as well till I allowed them through the first time.

    Thanks for caring……….Alan

    Reply
  13. {website removed}.com keeps spamming me, almost daily, using this header and random user names. I have never ever even been to that site, WHY?!? WHY ME?!?? don’t these jacka$$e$ get that I will NEVER buy whatever from any random email suggestions?? This is why I gave email up for awhile, but then I got a smart phone and it came with email..
    sure I can delete everything without opening it, but the sh!t just keeps coming!!

    Reply
    • Spam is spam, and once they have your email address, they’ll continue to send spam regardless of what you do or don’t do. Just make sure the adaptive spam filter in your email program or web mail is enabled and mark those mails as spam. Eventually it should learn to identify that kind of email as spam.

      Reply
    • Just mark spam as spam and move on with your life. It’s a fact of email life and not really worth getting seriously worked up over.

      Reply
  14. Okay…so here’s what is confounding me:
    Someone has accessed all my email contacts and is sending out spam emails to them, but they aren’t using my actual email address moniker as the “from”. They are using my name as it appears on my Pinterest account, which is completely different than what’s on my email address.
    So how is that happening?

    Reply
    • They made a copy of your contacts. They are now using their own email server and email account with the “From:” information set to your Pinterest name with your email address.

      Reply
  15. Hi

    So there must be a way to stop this! You wrote to another person “Just move on with their life”

    Yes easier said that done. The last couple of days I got thousands and I mean THOUSANDS of emails saying “Delivery Subsystem – Message delivery failure”
    And i get the because they looks like the are from me, so when they can’t be delivered they are bouncing back to me! Im getting crazy here. Just while I was writing this I got 223 emails!
    Easy to say, “just delete them” yes but I have to go through them all because there could be important emails between them, so please help me here!

    Thanks
    Klaus

    Reply
    • Mark them as spam. That’s the only solution that I’m aware of. Eventually your spam filter should filter them automatically if it’s any good.

      Reply
  16. I got an email recently that had a different email address as the “From” with my full name – but within the body of message my full name and correct yahoo email address were listed in the signature portion along with “sent from my iPhone.” This is a bit strange since it clearly comes from another email address. The weird thing is that the email was delivered to my work address with my yahoo address within the body. So there is a strange connection. Is this something I should be worried about? Thanks!

    Reply
  17. Hi,
    I am curious about how my contacts are receiving these spoof emails? If only the email address is comprised but not my email account, how are my contacts being affected?

    Thanks!

    Reply
  18. I understand how the spoofers created an address that is very similar to mine. However, they are sending email to people I corresponded with 3 years ago, most of which are not in my list of contacts. It seems to be a mix of soccer parents and people I worked with at that time. Is it likely they hacked my email account? I appreciate any info you can offer.

    Reply
  19. Hi and thanks for the great article. Just to clarify, if I receive a fake email and I respond will the response go to the
    server which sent the fake email or to the actual email address which was faked? Thanks again.

    Reply
    • The reply would go to the address which appears in the from field. You’d be able to see where it is sending to when you click reply before you click send to send the message. My question is why would you even want to try?

      Reply
  20. I’ve hit a road block at understanding the server information. In your example, you write “3popsomerandomservice.com”, but what should I write if I’m trying to set this up? (pranking a good friend)

    Thanks

    Reply
    • You would need to get that from your email provider. For instance to find it for Gmail you Click on the > Gear > Settings > Fowarding and POP/IMAP, and down at the bottom click on “configuration instructions”. Follow the instructions on that page for Gmail instructions. If you have email from a different service you will need to find their instructions.

      Reply
  21. I use a service called junkemailfilter.com and use it on my different domain names and email services. It is very adaptive, has good customer service also. It cut our spam that my employees as a whole from close to 1000 total a day down to only 30 to 35 company wide or an average of only 5 a week per person. It might be over kill for a single person but a small business of 20 or so employees the $9.99 a month they charge is well worth it. I liked it so much that I now use it on my personal email as well. Every now and then, I have to look in the spam folder for a legit email, but I only have to mark it legit once. It also can send out an email back to the person who sends it to verify that they are a real person (as opposed to an auto program). I now pay for much less email storage space as a result. Thanks for all the good tips leo, I pass along many of your tips to my family, friends, and employees, you explain this all better than I do.

    Reply
  22. I have for years been getting Mail System Error – Returned Mail from Mail Administrator, doing my own investigating I found it was being sent from Germany. (I’m in Arizona) Using my translator I found out it was just plain ole spam, of course the first thing I did was change all my passwords, which had no effect because as you said they are just using my email addy to “spoof” a valid address. My ISP was no help and never even offered any suggestions on what to do ,lucky for me I’m a bit of a computer nerd and was able to discover its not a big deal just annoying. I don’t even see anymore cuz I filter these emails to my spam folder. What has been really helpful after so many years of this happening is reading Ask Leo, so thansk for all your help for so many years.
    Michael

    Reply
  23. Hi,
    My friend told me only i have been sent spam of his contact list. And he said only he has been in contact with me ” exchanging” messages which is true he does not use it on regular basis. Why only me?
    I got spam 5 times or so and then it stoped and havnt happend in 5 years. He’ s facebook was never hacked even if he has the same password because he downloaded the full ip adresses and didnt find anything. Nothing weird with his hotmail back then until now and strange activity or in the send box. I think this most have been a spoof as you talk about. But HOW did they?!
    Is it the man in the middle attack? I am confused.

    Reply
  24. Dear Leo,

    Someone created an outlook email account with my name and company name (my signature block on another email- not associated with Microsoft) but they show different phone and email. They have been emailing lots of agents in the US offering them referrals via a link. These people, google, after they are not able to reach me via the number provided, obtain my real phone number and email and ask about the referral. Its driving me crazy. What can I do? Since I did not create the account, I can’t delete it. Microsoft is asking for information I’m not able to provide. Reported to the Federal Trade Commission. I tracked the town where the number seems to be from and contacted the local FBI office for help, but nothing so far. Help!

    Reply
    • Unfortunately, short of law enforcement intervention, there’s probably nothing which can be done as free email services like outlook.com offer little or no customer support. From the technical point of view, this is simply their account which happens to use your information. From the legal side, it sounds like identity fraud.

      Reply
  25. I am not understandig how they spoof friends that actually know each other and changed e mails with each other. We looked at the return path and it was fake. But how?!!!! No others contacts have gotten spam except me :(.

    Reply
  26. Someone is sending emails from my .com.au account, I changed the password few times and they do it nearly immediately, something else, the emails are coming straight as spam. I have couple of questions.
    1. Are this emails reaching my contacts?
    2. How can I stop these people?
    Thanks

    Reply
    • Once a spammer has your email address, there’s nothing you can do to stop them from using it to send spam in your name. It’s so easy for a spammer that they don’t even have to hack into your email account to use your address to do it. It’s as simple for a spammer to spoof your email address as it is for someone to write your home address on an envelope and just as hard to prevent or stop.

      Reply
  27. I have been having issues with one of the workers I supervise. He thinks I don’t like him. Recently he received a not so nice email with my name as the sender. He was very upset at me. i am getting concerned for my safety at this point. What should I do. My HR manager told me to just let it be, but this is clearly affecting my work environment.

    Reply
  28. Subject line problem- – I have hundreds of emails arriving with the Subject, not the from, that display my partial email address. The Subject line shows all characters to the left of the @ symbol. For example: (abcdef@xxxx.xxx). I right click on each email received to find the Source. I have been copying the From address of each email I receive and pasting them into a Word document for future reference. The problem: I have been unable to block these emails by creating a rule in my Hotmail account to have Hotmail block all emails received that have ‘abcdef’ in the subject. I create the rule but emails continue to get through. My question: Are the characters that ‘appear’ in the subject the ‘actual’ characters? In other words, is what we see in the subject line always what is actually in the subject line?

    Reply
  29. Great article, but I still don’t understand one thing. In my case, I am getting emails from someone that looks like coming from a friend. However, the email address is not my friend’s. How does the spammer know what name (my friend’s name) to display when targeting me? Did they hack my email account, so they know who my friends are?

    Reply
    • No, it’s unlikely that your account has been hacked. There are many ways that spammers use to determine who’s likely to know who. It’s generally nothing of great concern.

      Reply
  30. We have somebody who has received porn spam that contains information personal to her environment. They know she has brown hair, a desk, a family picture on the desk, and a blue coat. Have you ever heard of that before?

    Reply
  31. I saw that you had comments to some of my concerns. I’m receiving emails from a person in my contacts list (business email) and when I click on the address is shows up as my contact. Because I didn’t know any better at the time, I responded. These were requests for money transfers and wires.
    I, of course, followed up with a phone call and found this was not the person I know. I have the two AOL accounts and the bank, account and routing information they sent can this person be prosecuted?

    Reply
    • More than likely they cannot be prosecuted if they are from another country. Sometimes scam rings are local, however, and if that is the case they can be prosecuted if they get caught.

      Reply
    • That certainly sounds like a prosecutable crime. It certainly doesn’t hurt to report it to the police. The problem is that the perpetrator would have to be caught, and often these scammers operate in countries with lax law enforcement for cybercrimes.

      Reply
  32. Leo
    My email has been spoofed exactly as you have described it: someone sending emails in my name, from an email address that is not mine. There is one catch however, it is clear that the scammer has gotten my contacts list. Although they are using a different address, they are sending emails in my name to my contacts, in addition to people I don’t know. How does this happen, and what can I do?

    Reply
  33. I received an e-mail which looks like this : Bill Gates “” Bill Gates [mailto:{removed}

    I’m really sorry for the spam. I added quotation marks around the angle brackets, I hope it will display the field :(

    Reply
  34. I found an email in my husbands spam where he and a woman were emailing each other.he denied ever doing it .is it possible hes telling the truth?

    Reply
    • There’s really no way of knowing. If the message was in his spam folder, most likely it was just random spam.In fact, porn spam often makes it look like they are answering an email you sent to get your attention.

      Reply
  35. Thank you so much for helping me sort out my problem after receiving some vile and demanding money emails, it really was very upsetting, but being made to understand the workings of it all has truly helped and was appreciated.
    I do run a computer club, as a club benefit, for the older folk at my retirement village and will find this info important to share with them.
    Many thanks again
    Kindness
    Venitia

    Reply
  36. Wonder if you could settle a disagreement I have with my boss re: “From” spoofed email…

    Consider a business with a hosted enterprise email solution like Office 365 or even an on-premises Exchange server. With that, the business uses a 3rd party solution for signatures such as Exclaimer! A uniform signature is applied to any email that the business sends after it leaves O365 or Exchange in this scenario. Btw, Exclaimer! offers a ‘cloud service’ version and an ‘application’ version which can be installed on the Exchange server… I am not sure whether the final answer differs whether the signature comes from the cloud or from the Exchange server but am mentioning it for completeness.

    Question: Can a “From” spoofed email get the signature applied to itself in order to make it appear more legitimate? Again, does it matter if the signature solution is cloud-based or on premises?

    My feeling is that the more savvy spoofers have gotten hold of a legitimate email that has the signature on it and they have made a copy of the signature and are including it in the base “From” spoofed email they are sending. My boss insists that “From” spoofed email CAN / WILL get a 3rd party signature applied to it IF the email is destined TO a recipient in the business’ email domain… that is, to the recipient, it appears a co-worker emailed them but in reality it was “From” spoofed. (Again, and does it matter if the signature is in the cloud or on the on-premises Exchange server receiving said spoofed email.)

    Reply
    • It depends on the specifics of the signature, but if it’s the industry standard DKIM, then the whole point is that spammers are not able to correctly sign a spoofed message. The only way to get a correct DKIM is to send the email through the infrastructure associated with the domain.

      The recipient is immaterial. Signatures are all about confirming the From/sender.

      Reply
  37. Nicely explained and great details! Sadly, after more than 10 years, this information is still relevant and is still a problem. I’m all to familiar with email spoofing as I’ve had my own email address receive spoofed emails for years claiming to be from me.

    Here’s my question. If I’m getting bounced emails with my business email address in the email address field (the angled brackets when looking at the header) does this hurt my quality score? Will I have a better chance at ending up on blacklists because some scammer/spammer is using my email address? Just today we got a bounce-back from some spammer that used his email address in the User field but our Admin address in the Email Address field.

    Recently we’ve been trying to rebuilt our email reputation because of spammers breaking into our email server and using it for nefarious reasons. (As if they’d use it for good?) Many of our marketing emails were going directly into spam folders.

    Reply
    • Because spoofing is so rampant I have to believe that the impact on your email address’s reputation is small, if there’s any at all. A compromised server, on the otherhand, will quickly end up on blacklists. But that’s the server (by IP address or name) not the email addresses.

      Reply
  38. Hallo
    I sent an email to my client and a few minutes later i received a spam message with the same subject i had sent the client. does that mean am hacked?

    Reply
  39. If someone sends SPAM with my company name in the “From” address, can this affect the deliverability of my own company emails to ISPs (specifically GMail), even though they are sending from a different domain and IP address?

    SPAM:
    From: John’s Apple Cart <evalxkh@zpfghtam.us

    Actual Email I am trying to get delivered:
    From: John's Apple Cart

    I have a high “Sender Score” authenticated domain, and am adhering to best sender practices, list hygiene, etc. but my open rates with gmail addresses have been steadily declining all year. Someone recently shared that they have been receiving SPAM from my From address and I’m wondering if it could be contributing to GMail relegating my traffic to the SPAM folder by default.

    Reply
      • Anyway – the actual email address is being blocked after my “Actual example” but assume the “Actual” version has my correct domain after the Friendly From – My main question is if someone is using my company name in their “Friendly From” – can it affect my reputation and deliverabilty of my actual emails? Thanks!

        Reply
    • In general I believe — and certainly hope — that the answer is no. Someone else’s “From:” address shouldn’t have a negative impact on your reputation, just because email security providers know just how simple that is to do.

      Reply
  40. My email address was used to sent a message to my husbands email address, containing confidential accounts info.
    So, I’ve been spoofed but how did they get hold of confidential accounts info

    Reply
  41. Hi, Leo. My husband just received an email with my maiden name in the “from” field. The address it is from is not mine at all. But I have not used my maiden name in over 13 yrs. should I be worried my identity has been hacked?

    Reply
  42. I’m getting scam, not spam emails from someone and it says it’s to a different email address then mine. The email address it’s to always has a _mod after the .com. How can I prevent this from happening. I’ve never heard of getting a email from anyone that has, _mod after the .com.
    Example, My email address is, youwhere@hotmail.com. These scam, not spam emails are going to, youwhere@hotmail.com_mod.

    Thanks

    Reply
  43. On my Unix shell account, the headers in the Alpine (successor to Pine) E-Mail program are almost fully configurable.

    I’ve gone so far as adding two “Nonsense” headers for the entertainment of “Header Delvers”:

    X-Gibberish: The Elephant says, “Tusk, tusk!”.
    X-Computer: “Commodore 64 BASIC v2 : 64K RAM System : 38911 BASIC Bytes Free”

    …Just for the heck. :)

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.