Shields Up!: Email spoofing
Have you ever checked your email and found a flood of “delivery failed” messages (also known as bounce-backs) for messages you never sent? Congratulations, you’ve been spoofed - or rather, your email address has. Email spoofing is one of the oldest tools in a spammer’s book. Let’s take a look at what it is and what you can do about it.
In its simplest terms, email spoofing is the faking of certain parts of an email message to make it look like it came from someone other than the actual sender. The parts commonly faked are the From, Reply-To and Return-Path fields. Spammers use this technique to mask where their messages are actually coming from, and worms like Klez and Sober also use spoofing to propagate themselves. They take random email addresses from the infected person’s address book and plug them into the fields mentioned above.
In phishing attacks, where the spammer actually wants a reply, the Reply-To field will usually contain the spammer’s actual email address, but obviously you don’t want to use it - all you’ll do is tell the spammer your email address is “live” and that you read and respond to spam! In the case of spam and malware, don’t try to reply either. I know it’s tempting to respond angrily and tell the spammer off, but the message will most likely either bounce or end up in the inbox of a completely innocent person.
If you’ve had your email address spoofed there is really not a lot you can do except delete the bounce messages and wait for the spammer to move on and pick another address to spoof, and that usually doesn’t take long. Don’t take it personally either; the addresses that get spoofed are chosen randomly. Spammers have special software that does it for them, often using dictionary attacks. A dictionary attack is a rather primitive way of spamming and email harvesting: the spammer uses a program that spams a domain using different variations of common usernames, for example jdoe@example.domain, johnd@example.domain, or johndoe@example.domain.
The CAN-SPAM Act makes email spoofing in commercial messages a crime, and several states have also outlawed the practice. Unfortunately, since many spammers and scammers operate from countries that don’t have such laws in place, the practice continues largely unabated. To fight email spoofing, sender authentication systems such as the Sender Policy Framework (SPF) or Microsoft’s Sender ID have been developed. Shutting down open relays also helps. More and more ISPs are cracking down on open relays, which are almost always used by spammers, and those who insist on offering them more often than not find themselves blacklisted.
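As an added example (not part of the original post), here is a small Python check that does what a receiving mail server does with SPF: it evaluates the envelope sender’s domain against its SPF record for the connecting IP, and separately flags when the visible From domain differs from the Return-Path domain, the mismatch typical of the spoofed messages described above. The message, domains, SPF records and IP addresses are all constructed stand-ins, and only the ip4 and all mechanisms are handled.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the From header claims example.com
# while the bounce address (Return-Path) and Reply-To point somewhere else.
SPOOFED_MSG = """Return-Path: <bulk@mailer.example.net>
From: Jane Doe <jdoe@example.com>
Reply-To: replies@mailer.example.net
Subject: Hello

spoofed body
"""

# Constructed SPF records standing in for DNS TXT lookups (hypothetical domains).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def header_domains(raw):
    """Domain named in each of the three fields that spoofers commonly fake."""
    msg = message_from_string(raw)
    domains = {}
    for field in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(field, ""))[1]
        domains[field] = addr.rpartition("@")[2].lower() if "@" in addr else None
    return domains

def check_spf(domain, client_ip):
    """Minimal SPF evaluation handling only ip4 mechanisms and 'all'.
    Real SPF also has a/mx/include/redirect; those are omitted here."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term

def assess(raw, client_ip):
    """SPF verdict for the envelope sender (Return-Path), which is what SPF checks,
    plus a flag when the visible From domain differs from it."""
    domains = header_domains(raw)
    return {
        "spf": check_spf(domains["Return-Path"], client_ip),
        "from_mismatch": domains["From"] != domains["Return-Path"],
    }
```

A real deployment resolves the TXT record of the Return-Path domain instead of the SPF_RECORDS table, and a softfail or none verdict on its own is a weak signal that is usually combined with other filtering.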
Have you had your email address spoofed? Please leave a comment and share your experience with us!
I’ve been spoofed!!! ...and it’s really annoying!
on July 29, 2009 at 08:10 AM
I wonder if there is anything that can be done about it?
I get hundreds a day
on November 4, 2009 at 10:41 AM