Have you ever received an error message about an email that you didn’t send? Or wondered why someone from your own company’s email address is sending you ads for Viagra or financial alerts for penny-stocks? Have you gotten a spam message from yourself? If so, you’ve just seen email spoofing in action.

Anything about an email can be edited or overwritten including the From, Return-Path, and Reply-To fields. Commands inserted into the header of the email can make the message appear to come from anyone, anywhere saying whatever the sender wants it to say. Spammers and other hackers know that their response rate is 10% higher if they can match the recipient’s name – they rely on curiosity and trust to trick you into opening a malicious message. The trick is built right into the hacker tools that are used to generate mass-mailing worms and other malware.

If you think you received a spoofed message, simply delete it. Most email programs allow you to block future messages from that address but that approach is no longer effective at actually stopping spam. The problem is that blocking User1@spoofvictim.com still lets junk through from User2@spoofvictim.com, User3, etc. The odds that the spammer will pick the same victim next time are negligible. But if you ever do get a legitimate message from User1, you’ll never see it. If there really is enough spam from one location to justify a black-listing, our spam-filter vendor will find it and include it in their master list. That fixes the problem not just for your email but for everyone else at the same time.

Do not send a complaint to the person that you think sent you the spam. If it was a spoof, they can’t do anything about it anyway. If it was not a spoof, all you’ve done is confirm that you’re the kind of person who opens spam messages. You’ll get more spam, not less. You can, however, forward a copy to spam@uce.com, a department of the Federal Trade Commission which collects and reports on spam trends.

If you think that your address has been spoofed, delete that message too. Some virus writers are deliberately mimicking the email error messages in the hopes that you’ll open the attachment “explaining the problem” and infect your computer with their program. If you don’t remember sending the message, trust your memory. It’s very likely a scam.

Leave a Reply