DigitalFlare

Spoof Email

If it appears that someone has been sending emails from your email account, but there is nothing in your 'sent items' and no record of the emails being sent from the server, then there is a good chance your email address has been spoofed. It is very common, and there are plenty of tools on the internet that allow anyone to send an email pretending to be somebody else.

Most of the time when you receive an email you will see the legitimate sender's email address. But did you know that email can be sent from a website script, or simply from a totally different email address than the one displayed in the "From" field?

Below is an example of one such online PHP script, which allows you to send an email pretending to be someone else. The "From E-mail" can be set to any email address. If you change the "Reply-To" address, that is where the reply will be sent when someone hits 'reply'. It is as simple as that to spoof an email and pretend you are someone else.

So... what we learn is that sending email is very similar to sending a letter in the post...

...Anyone can post a letter to you from any postbox around the world... And unless the sender includes some information about where the letter came from you would never really know who sent it... There would be some information about roughly where the letter came from - i.e. a stamp from a local sorting office etc, but you can't 100% trace it back to an individual who sent the letter.

Email is very similar. You can look at the 'message headers' to work out where the email was sent from, i.e. the server that was used to send the email, but the person's name or 'from email' may not be correct. Or it may have been sent from a website that a hacker already controls.

The first thing you need to establish is:

Am I being spoofed or has my email been compromised?

You may have found yourself in this situation:

You log into your email account one day and find a lot of undeliverable bounce back emails sitting in your inbox. You didn't send the emails that generated them, and people are complaining about the spam you are sending from your account.

Why is this happening? Has someone hacked into your account? Are you being spoofed?

So what do you do?

The first thing you want to do is determine whether your account has been compromised by a virus, malware, or a spammer, or if you are just being spoofed.

How do I know if my email account has been compromised?

This can be determined by taking a look at the email headers. If you're not comfortable with this, please contact our support team and we can take a look for you. If you are familiar with headers, the information here will show you where the email originated from, or at least the server it was sent from.

If your email account has been compromised, you should run a full system virus scan on your computer and then reset your email password. Changing your email password will cut off any connection a third party may have to your email account.

If your account has not been compromised, then you are being spoofed.

What does it mean, "my email is being spoofed"?

Email spoofing is when the sender of an email, typically spam, forges (spoofs) the email header "From" address so the email being sent appears to have been sent from a legitimate email address that is not the spammer's own address.

They do this for a couple of reasons:

To trick spam filters into allowing the email through by using a reputable email address. This would be one way your friends and family would see spam emails from you in their Inbox, rather than their spam folder.
To prevent the bounce back emails from being received in the spammer's own inbox. Spammers may send their spam out to thousands of email addresses, and inevitably a lot of those emails are going to bounce. Since spammers don't want to receive hundreds of bounce back messages, this prevents that from happening.

Email spoofing is more common with email accounts that are not actively used. If the account is used on a daily basis, there's a higher chance that your account might have been compromised by malware or a virus.

While there is no fool-proof way to prevent either type of abuse to your email address, you could adopt some "best practices" when it comes to your email security:

Change your password frequently.
Always run full virus scans on your computer.
Avoid including your email address in online blogs and posts. Try using (at) and (dot)com instead of @ and .com to prevent malicious automations from harvesting your address.
Avoid using your primary email account for everything online. If you are signing up for something like a mailing list, contest, application form, or something similar, use a free throwaway email account like Gmail or Hotmail, something you don't mind deleting if it gets abused.
Only use your primary email to communicate with people you know or trust.

So what can you do about email spoofing?

The short answer is, not much. There are no definitive ways to prevent someone from harvesting your email address from the internet somewhere and using it for spam.

Here are a few places spammers may acquire your email address. There are programs and software designed to do nothing else but scavenge the internet for email addresses:

On a website contact page
Domain WHOIS records (Hover offers free WHOIS privacy on all domains that support this feature. We recommend using it whenever possible)
Mailing lists. Some of them are legitimate, but others may sell your information
Anything you post online with your email address in it.
One of your contacts' computers may become compromised and your information taken from their contact list

If the spoofing is recurring and causing a lot of inconvenience, the best thing to do would be to delete the account and start over with a new email account. Since this isn't always possible, you could create a temporary filter in webmail to keep the bounce back emails out of your inbox until the spammer moves on. They usually only last for a week or two, sometimes less.

Here is some more technical information about headers and spoofing:

What to look for in Email Headers to determine if your account has been compromised. In the headers, you should be looking for something like this:

Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])
    (Authenticated sender: sender@senderdomain.com)
    by something.servername.com (Postfix) with ESMTPA;
    Fri, 14 Jul 2019 11:44:16 +0000 (GMT)

This is just an example using fake information, but the key thing to note here is "Authenticated sender". This means the email was sent after authenticating the sender by means of username and password; therefore, it was actually sent through the outgoing mail servers using the email account login credentials. This is when you should run a full system virus scan and change your password as mentioned above.
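The header check described above, as an added example (not DigitalFlare's own code): it looks for an "Authenticated sender" entry in the Received headers and counts it only when it was written by your own outgoing mail server, because a sender can insert extra Received lines of their own. The mailbox address, the server list passed to `classify` and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# The "(Authenticated sender: ...)" comment the article says to look for.
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)
BY_RE = re.compile(r"\sby\s+([^\s;]+)")

def authenticated_hops(raw):
    """Return [(account, receiving_host)] for Received hops that record a login."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        auth, by = AUTH_RE.search(value), BY_RE.search(value)
        if auth:
            hops.append((auth.group(1).lower(), by.group(1).lower() if by else None))
    return hops

def classify(raw, my_address, my_servers):
    """Return 'compromised' only if one of my servers logged my account."""
    trusted = {s.lower() for s in my_servers}
    for account, host in authenticated_hops(raw):
        # Received lines are free text and can be inserted by the sender,
        # so only trust hops written by the outgoing server you really use.
        if account == my_address.lower() and host in trusted:
            return "compromised"
    return "spoofed"

# Constructed samples (fake data, modelled on the header in the article).
SENT_WITH_LOGIN = (
    "Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])\n"
    "\t(Authenticated sender: sender@senderdomain.com)\n"
    "\tby something.servername.com (Postfix) with ESMTPA;\n"
    "\tFri, 14 Jul 2019 11:44:16 +0000 (GMT)\n"
    "From: sender@senderdomain.com\n\nbody\n")
NO_LOGIN = (
    "Received: from pc.example (unknown [203.0.113.9])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP; Fri, 14 Jul 2019 11:50:02 +0000\n"
    "From: sender@senderdomain.com\n\nbody\n")
UNTRUSTED_LOGIN_LINE = (
    "Received: from x (Authenticated sender: sender@senderdomain.com)\n"
    "\tby relay.other.example with ESMTPA;\n" + NO_LOGIN)

if __name__ == "__main__":
    me, mine = "sender@senderdomain.com", ["something.servername.com"]
    for name in ("SENT_WITH_LOGIN", "NO_LOGIN", "UNTRUSTED_LOGIN_LINE"):
        print(name, "->", classify(globals()[name], me, mine))
```

When working from a bounce message, run the check on the headers of the original email quoted inside the bounce, not on the headers of the bounce itself.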

If you're being spoofed, here are a couple of things you can do to stop the spoofing activity. Keep in mind, there is nothing you can really do to stop it once it's started. The bounced emails you receive may contain some information that could be used to try to track down the original source of the email. They often come from infected computers, so the chances of finding the exact location of the spammer are pretty slim. You may be able to find the IP address of where the message originated, find out which ISP it belongs to, and see if they would be willing to place that IP address on a blocklist. However, they may not be willing to do that, and if they do, the spammer could simply move to another computer with a different IP address.