Spoof Email

If it appears that someone has been sending emails from your email account, but there is nothing in your 'sent items' and no record of the emails being sent from the server, then there is a good chance your email address has been spoofed... It is widespread, and there are plenty of tools on the internet to allow anyone to send an email pretending to be somebody else...

You will usually see the legitimate sender's email address when you receive an email. But did you know that email can be sent from a website script, or simply from a different email address than the one displayed in the "From" field?

Below is an example of one such online PHP script which allows you to send an email pretending to be someone else. The "From E-mail" can be set to an email address... If you change the "Reply-To" address, then when someone hits 'reply', this is where the reply will be sent. Spoofing an email and pretending you are someone else is as simple as that.

So, we learn that sending an email is similar to sending a letter in the post...

... anyone can post a letter to you from any postbox worldwide... And unless the sender includes some information about where the letter came from, you would never know who sent it... There would be some information about roughly where the letter came from - i.e. a stamp from a local sorting office etc., but you can't 100% trace it back to the individual who sent the letter.

Email is very similar. You can look at the 'message headers' to work out where the email was sent from... i.e. the server used to send the email, but the person's name or 'from email' may not be correct. Or it may have been sent from a website that a hacker controls.

The first thing you need to establish is...

Am I being spoofed, or has my email been compromised?

You may have found yourself in this situation:

You log into your email account one day and find a lot of undeliverable bounce-back emails sitting in your Inbox. You didn't send the emails that generated them, and people are complaining about the spam you are sending from your account.

Why is this happening? Has someone hacked into your account? Are you being spoofed?

So what do you do?

First, you want to determine whether your account has been compromised by a virus, malware, or spammer or if you are just being spoofed.

How do I know if my email account has been compromised?

This can be determined by taking a look at the email headers. If you're not comfortable with this, please get in touch with our support team, and we can take a look for you. If you are familiar with headers, the information here will show you where the email originated or the server it was sent from.

If your email account has been compromised, you should run a complete system virus scan on your computer and reset your email password. Changing your email password will cut off any connection a third party may have to your email account.

If your account has not been compromised, then you are being spoofed.

What does it mean, "My email is being spoofed"?

Email spoofing is when the sender of an email, typically spam, forges (spoofs) the email header "From" address so the email appears to have been sent from a legitimate email address that is not the spammer's.

They do this for a couple of reasons:

To trick spam filters into allowing the email through by using a reputable email address. This would be one way your friends and family would see your spam emails in their Inboxes rather than their spam folders.
To prevent the bounce-back emails from being received in the spammer's Inbox. Spammers may send their spam out to thousands of email addresses, and inevitably, many of those emails will bounce. Since spammers don't want to receive hundreds of bounce-back messages, this prevents that from happening.

Email spoofing is more common with email accounts that are not actively used. If the account is used daily, there's a higher chance that your account might have been compromised by malware or a virus.

While there is no fool-proof way to prevent either type of abuse to your email address, you could adopt some "best practices" when it comes to your email security:

Change your password frequently.
Always run full virus scans on your computer.
Avoid including your email address in online blogs and posts. Try using (at) and (dot)com instead of @ and .com to prevent malicious automation from harvesting your address.
Avoid using your primary email account for everything online. If you are signing up for a mailing list, contest, application form, or something similar, use a free throwaway email account like Gmail or Hotmail, something you don't mind deleting if it gets abused.
Only use your primary email to communicate with people you know or trust.

So what can you do about email spoofing?

The short answer is not much. There are no definitive ways to prevent someone from harvesting your email address from the internet somewhere and using it for spam.

Here are a few places spammers may acquire your email address. There are programs and software designed to do nothing else but scavenge the internet for email addresses:

On a website contact page
Domain WHOIS records (Hover offers free WHOIS privacy on all domains that support this feature. We recommend using it whenever possible)
Mailing lists. Some of them are legitimate, but others may sell your information.
Anything you post online with your email address in it.
One of your contact's computers may become compromised, and your information is taken from their contact list.

If the spoofing is recurring and causing a lot of inconvenience, the best thing to do would be to delete the account and start over with a new email account. Since this isn't always possible, you could create a temporary filter in webmail to keep the bounce-back emails out of your Inbox until the spammer moves on. They usually only last for a week or two, sometimes less.

Here is some more technical information about headers and spoofing:

What to look for in Email Headers to determine if your account has been compromised

In the headers, you should be looking for something like this:

Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])
    (Authenticated sender: sender@senderdomain.com)
    by something.servername.com (Postfix) with ESMTPA;
    Fri, 14 Jul 2019 11:44:16 +0000 (GMT)

This is just an example using fake information, but the key to note here is "Authenticated sender". This means the email was sent after authenticating the sender using a username and password. Therefore, it was sent through the outgoing mail servers using the email account login credentials. This is when you should run a complete system virus scan and change your password, as mentioned above.
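The header check described above can be automated. The following is an added example, not part of the original article: it recognises only the "Authenticated sender" annotation format shown above, and the function name check_headers, its provider_domain parameter and both sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed samples with fake data, modelled on the header shown above.
COMPROMISED = (
    "Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])\n"
    "\t(Authenticated sender: sender@senderdomain.com)\n"
    "\tby something.servername.com (Postfix) with ESMTPA;\n"
    "\tFri, 14 Jul 2019 11:44:16 +0000 (GMT)\n"
    "From: sender@senderdomain.com\n\nbody\n"
)
SPOOFED = (
    "Received: from mail.example.net (unknown [203.0.113.7])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP;\n"
    "\tFri, 14 Jul 2019 11:44:16 +0000 (GMT)\n"
    "From: sender@senderdomain.com\n\nbody\n"
)

AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _first(pattern, text):
    """Return the first capture group of pattern in text, lower-cased, or None."""
    match = pattern.search(text)
    return match.group(1).lower() if match else None


def check_headers(raw, my_address, provider_domain):
    """Classify a message as 'compromised' or 'spoofed' and list its Received hops."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())  # unfold the continuation lines
        hops.append({"by": _first(BY_RE, line),
                     "auth": _first(AUTH_RE, line),
                     "ip": _first(IP_RE, line)})
    domain = provider_domain.lower()
    # Only believe an "Authenticated sender" stamp written by your own provider's
    # server: Received lines added before the message reached it can be forged.
    hit = any(h["auth"] == my_address.lower() and h["by"] is not None
              and (h["by"] == domain or h["by"].endswith("." + domain))
              for h in hops)
    return {"verdict": "compromised" if hit else "spoofed", "hops": hops}
```

The "hops" list in the result also carries the bracketed IP address from each Received line, which is the value to look up if you want to identify the ISP a message came through.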

If you're being spoofed, here are some things you can do to stop the spoofing activity. Remember, you can do nothing to stop it once it's started. The bounced emails you receive may contain some information that could be used to track down the email's source. They often come from infected computers, so the chances of finding the exact location of the spammer are pretty slim. You may be able to find the IP address of where the message originated, find out which ISP it belongs to, and see if they would be willing to place that IP address on a block list. However, they may not be willing to do that, and if they do, the spammer could move to another computer with a different IP address.