Dealing with Email Spoofing
Email Spoofing is when a spammer forges your email address and uses it to send out emails FROM YOU that you didn’t send.
How do they do that?
Simple. They put YOUR email address down as the From: address instead of their own! It works exactly the same way for traditional mail - see Diag 1.
Why do they do that?
By using your respectable email address, they know that recipients are more likely to open the email. And, since it's from YOU and not them, they're less likely to be caught.
How do I know if my email address has been spoofed/forged?
You probably won't unless some of these emails bounce back to you.
Have a look at Diag 1 again - if Simon Someone was unknown at that address, the letter would be returned to the Post Office who would send it back to Miranda Me - but did Miranda Me actually send the letter?
With email, the same thing happens when someone on the spammer's address list has closed down their email address. Since the email can't be delivered, it's bounced back to the Sender as a "mail delivery failure". And that's YOU - because the forger used a small piece of code to insert your email address into the hidden From: record which identifies the Sender in every email.
Another way you might find out that your email address has been forged is when someone you know is on the spammer’s address list and they ring you asking why you are sending them junk.
Has my email account been hacked?
Forgery doesn’t require access to your email account.
It’s just a simple piece of code that puts a From: email address into any email sent by anyone from anywhere. (With a physical letter, you could spoof the From: address by just writing it out on the back of the envelope - like in Diag 1.)
A spoofed account is not (usually) a hacked account.
If your email has been hacked - well, that's a different thing altogether. It means someone or something (a person, virus, trojan or other malware) has gained access to your email account. You'll know because you'll either be locked out of your own account and/or EVERYONE in your address book will get in touch about the lousy emails you're sending them these days.
Is Spoofing a common problem?
Yes, especially if you have a domain email address – meaning your email and webhosting correspond to a domain hosted by a webhost. In plain English - you have a domain like example.com, and your email addresses end with @example.com. In general -
- Spoofed accounts are more common with domain email addresses and
- Hacked accounts are more common with hosted mail providers like gmail, yahoo and hotmail.
What can I do if my email address has been forged by a spammer?
If you have a domain email address(es), the first thing to do is have your webhost set up an SPF (Sender Policy Framework) record on your webhosting account. Just ring them and they’ll get it done. Domain email addresses with SPF records are beyond the capabilities of most forgers. Don't forget to read the Gotchas section before you ring your webhost.
If you're technically minded and want to understand more about setting up SPF records go to http://www.openspf.org
How does the SPF record work?
Every email that is sent contains behind-the-scenes records known as headers. We've already mentioned the From: address, and you'll be familiar with To: and CC:. If you choose View > Source in your email program, you can see all the headers used.
Two of these are very significant.
- The From address. This is the one usually forged by the spammer who inserts your email address here. This one is not helpful in beating criminals since it is forged and cannot be told apart from the real thing.
- The address of the originating (sending) mail server. This cannot be forged once the email is sent out, and contains the hostname and IP address of the sending mail server. (All addresses and IPs below are fictitious btw.)
FORGED: Received: from abo.spammyserver.com ([18.104.22.168])
GENUINE: Received: from mail.mydomain.com ([22.214.171.124])
How the Criminals are Outsmarted
Emails are always routed through various mail servers to reach their final destination. Each mail server will automatically add its address and IP to the email headers. And that gives us a record that we can trace back to the originating mail server!
Genuine mail servers will check the envelope From: address, and ask for an SPF record from that email's domain. If an SPF record exists it will contain the address of the real mail server(s) that you approve to send your emails.
With an SPF record, the address of your stated, trusted originating mail server(s) is always compared against the originating mail server’s address information in the email headers. If they don't match (and they won't if they've been spoofed), it’s easy to spot and dump out a forged email. That email will not be delivered, thereby frustrating the spammer’s efforts.
If there is no SPF record associated with your domain then no test is made and the forged email has a far greater chance of reaching its destination.
So it pays to have an SPF record set up if you have a domain based email address. It means that the spammer’s forged emails will NOT get through to their victims, which is a waste of the spammer's time. They will just stop using your email address.
Are there any Gotchas to using SPF?
If you incorrectly set up SPF records, you could end up with none of your own emails being delivered! Get a professional to do it for you, and make sure you understand the gotchas below.
- It needs to be a domain email - if your webhost adds an SPF record to your domain (e.g. example.com), then only email addresses @example.com are protected!
- SPF needs to be set up correctly. It is a record of the mail server or servers (yes you can state multiple mail servers) that you allow to send your domain email. This is useful if, for instance, you forward your domain email to your gmail account.
- Be sure you know which mail server(s) are responsible for sending your email! If you use POP based email, the address of your sending mail server is recorded in your email client as the SMTP (outgoing) address. BE SURE TO CHECK THIS inside your email program. A common gotcha is that many people unknowingly use their broadband provider’s SMTP address instead of their domain mail server address. If this is the case, you will need to change it back to the SMTP mail server address supplied by your webhost before you ask them to set up an SPF record for you. Another common problem is companies who use an Exchange Server in the office to send their email – again, the SPF record needs to list the Exchange Server, since that is the originating mail server address.
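As an added example (not code from the original page), here is a small Python SPF check that does what the "How does the SPF record work" section describes and also shows the Gotchas case above: it takes the originating server's IP from the Received: header, looks up the domain's SPF record and returns pass or fail. The SPF records are constructed stand-ins for DNS TXT lookups (all domain names and IPs are assumed, reusing the page's two fictitious Received: headers), so it runs offline.

```python
import ipaddress
import re

# Constructed SPF records standing in for DNS TXT lookups (hypothetical domains).
# mydomain.com allows only its webhost's mail server, as the page describes.
# example.com lists several senders: the webhost server, an office Exchange
# server range, and a third-party sender pulled in via include:.
SPF_RECORDS = {
    "mydomain.com": "v=spf1 ip4:22.214.171.124 -all",
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 "
                   "include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.25 -all",
}

# Matches the "([ip])" part of a header like: Received: from host ([1.2.3.4])
RECEIVED_IP = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def originating_ip(received_header):
    """Pull the sending server's IP out of the trusted Received: header."""
    m = RECEIVED_IP.search(received_header)
    if not m:
        raise ValueError("no IP address found in Received: header")
    return ipaddress.ip_address(m.group(1))


def check_spf(domain, ip, records=SPF_RECORDS, depth=0):
    """Evaluate ip4:, include: and all terms; 'none' when the domain has no record."""
    record = records.get(domain)
    if record is None or depth > 10:  # no SPF record, or include: loop too deep
        return "none"
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
        if mech.startswith("include:") and check_spf(mech[8:], ip, records, depth + 1) == "pass":
            return RESULT[qualifier]
    return "neutral"  # record exhausted without a match and without an 'all' term


def verify(envelope_from, received_header):
    """Check the envelope From: domain against the originating server's IP."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    return check_spf(domain, originating_ip(received_header))
```

The last two assertions below are the Gotchas case: mail for mydomain.com sent through an unlisted broadband-provider SMTP server fails, even though it is genuine.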