5/25/16
7:00 am

How Spammers Spoof Your Email Address

When you get junk email, you should never trust the From field to be accurate. It is easy to fake the From field, making the email appear to come from anyone, even people you know. Spammers use this to fool people into opening their email. If someone gets spam that appears to come from you, most likely it is not because your computer or email account has been compromised, but simply because your email address is being spoofed.
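The From field is just text inside the message, so a recipient who wants to check it has to compare it with other headers. The following is an added example, not part of the original post: it lists reasons to distrust the From header of a raw message by comparing it with Return-Path, Reply-To and the receiving server's Authentication-Results header. The sample message is constructed and every domain in it is a placeholder.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail); all domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-sender.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Your Friend" <friend@example.com>
Reply-To: offers@other.example.net
To: you@example.org
Subject: Check this out

Hello
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw):
    """List reasons the From header of a raw message should not be trusted."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    if not from_dom:
        findings.append("From header has no parsable address")
    # Strict domain comparison: mailing lists and bulk-mail services also
    # produce mismatches, so these are indicators, not proof of spoofing.
    rp = domain(msg["Return-Path"])
    if rp and rp != from_dom:
        findings.append(f"Return-Path domain {rp} differs from From domain {from_dom}")
    rt = domain(msg["Reply-To"])
    if rt and rt != from_dom:
        findings.append(f"Reply-To domain {rt} differs from From domain {from_dom}")
    # Only an Authentication-Results header added by your own mail server
    # counts; this sketch assumes forged copies were already stripped.
    results = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if not results:
        findings.append("no Authentication-Results header from the receiving server")
    elif "dmarc=pass" not in results:
        findings.append("DMARC did not pass for the From domain")
    return findings

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("-", reason)
```
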

Video Transcript
Hi, this is Gary with MacMost.com. On this episode let me tell you about email spoofing.

So did you ever get a piece of junk mail and it appears to come from you or from a friend of yours, or perhaps you got a message from a friend of yours saying I've got a piece of spam and it looks like you sent it? Maybe your computer is infected, maybe your email account has been compromised.

Well, when you get a piece of email that is coming from somebody different than actually who sent it, it is called email spoofing. It's incredibly easy to do. So easy to do that any spammer is going to actually spoof their email address. They are never going to use their real email address when they send out spam. Very often they are going to use a real email address from somebody else, maybe somebody you even know, just to get you to open the email.

So, the false assumption many people have is that when you get a piece of email it says it is from somebody and you think it has to be true. It has to be from that person. Well, it's not true at all. You can fake that very easily. As a matter of fact it is just as easy to do with an email as it is to do with physical mail. Physical mail you put the return address here and it's supposed to be who this is from. But you can write anything you want here. Nobody is going to check that. You can put the President of the United States, the Queen of England, anybody you want here. It is just as easy to do that in a piece of email.

As a matter of fact, for spammers the software they use to send stuff out, that's going to allow them to put anything they want in there. They don't even have to have any technical know-how to do it. So you can't trust the From address in any email that you get. Most of the time it's going to be right because somebody who sent you a legitimate email is going to want that From to be something accurate because they are communicating with you. But spammers don't care about that.

Now let me show you how they can actually get your email address without even compromising your computer at all and make it look like you're sending out spam!

So let's look at one way that this could happen. Here we've got Joe and Joe's computer. Joe has friends that he emails. So you can see here these are Joe's friends and this is a list of all their email addresses. These aren't necessarily in Joe's contacts. These are just if you look at Joe's email you'll find the email addresses in the From field from all of the emails that he has ever gotten.

In addition to that Joe also has all his work people and he emails them and he has their email addresses on his computer. If you look through his email all those email addresses are there. Also, you've got Joe's Special Interest Group SIG. This could be Joe's neighborhood mailing list, this could be a hobby he's got and he subscribes to this mailing list and he communicates with people or maybe his college buddies and they all email back and forth all the time things about their alma mater.

So Joe's got a lot of different email addresses if you search through his email here and they all combine to create all of this data here that is email addresses on Joe's computer. When put together they're Joe's email data and it's all sitting there on his computer.

What happens if Joe gets his computer infected? Say he is using an old PC and it's out of date and he downloads something he shouldn't and now his machine is infected and he may not even know it. So what's going to happen now is that infection, that malware, is going to go and look at all of his email data and it's going to harvest it. That may be it for Joe's computer. It may actually harvest all that data and send it somewhere else and Joe's computer doesn't actually do anything from that point on. Or Joe's computer can continue to be, maybe, the agent that sends out spam.

So what happens when it sends out spam? Well, it's going to take an email address from Joe's email data. Say this one just at random. Then it's going to take another one. Say this one and it's going to compose an email. That email could have anything in the From and To field. So what it's going to do is take this orange email address and it's going to stick it there in the From field. And it's going to take this purple one and it's going to stick it there in the To field. So now you've got an email that could be sent by Joe's computer, it could be sent by another computer somewhere else, or a server in another country. It doesn't really matter.

It's going to go and make it look like this email is from this orange person to this purple person here and it's going to be spam. What are the chances that this purple person knows this orange person? Well, actually pretty decent since they both know Joe. If you look at all the possible combinations of sending say from this person to this person or this person to this person, or two people over here to two people over here it's going to send out a whole bunch of emails and a lot of those are going to recognize where it comes from. They are going to think that it comes from somebody they know and thus they are going to be that much more likely to read the email which is all the spammer wants.

The spammer may be sending out a million emails on a given day and maybe a hundred people read them. If by doing this technique they can trick two hundred people into reading them well they could perhaps double their return of whatever it is they're sending out. So that's why they do this. The spammer doesn't care that this person here in orange is going to get an email from maybe this person in purple saying hey I think your computer is infected or I think your email account has been compromised because I just got an email from you.

Well it turns out the orange person, their email account isn't compromised, their computer doesn't have any malware. Their email address was just spoofed. They didn't do anything wrong. There is nothing for them to do. There is nothing they can do. There is a whole bunch of emails that is going to go out from this orange person to all of these people there is nothing they can do but wait and field a bunch of emails from people saying hey I think you've been compromised. I'd just say well no I think my email address has just been spoofed and wait for it all to die down.

The spammer doesn't care that this is going on. The spammer just cares that maybe a few more people clicked on the links in the body of the email. That makes it all worth it to them even though it is an annoyance to the person in orange. It is, of course, an annoyance to the person in purple. Joe may not even know it's going on. That is just collateral damage in the spammer's attempt to make money.

So what do you do if you get a message from a friend saying that they got spam and it appears to come from you? Well, despite everything I just said you should still look at it as an opportunity to change your email password. This probably has nothing to do with you or your email account or your computer but you should be changing your email password every once in a while anyway. And you should be changing it to something that's always a very strong random password.

So look at this as an opportunity to do that. While you're there check things over just to make sure that everything looks legit. Look at your Sent email and make sure that it is just stuff that you've sent and it probably is. Once you have assured yourself that everything looks okay and you've changed your password then there is nothing to do but wait it out. Usually these kind of things happen for a day or two. Maybe your email address gets used a lot and there is nothing you can do to stop it.

You just kind of got to wait till you get through the wave of people responding to you or people notifying you about using your email address and then it should all die down because the spammers are going to want to move on to another email address just to keep things going and keep the chance that somebody will open up a spammed email a little bit higher. So it is in their interest to actually move on after a little bit than to keep using your email address.

So I hope this has been of help in explaining why it may look like spam is being sent out from your account even though it's not.

Comments: 14 Responses to “How Spammers Spoof Your Email Address”

    Dinorah
    5/26/16 @ 8:51 am

    Thanks for this post! Two questions, why do spammers do this (What do they gain)? Also, I don’t have a password for email. Do you recommend even if your computer has a password, or is it the same thing? THANKS!

    5/26/16 @ 9:03 am

    Dinah: Why do they do this? As I mention in the video, you are more likely to read the email if you think it is coming from someone you know. As for a password, I’m not sure what you mean. You MUST have a password for your email. Every email service I know of requires a password. But once you set up the Mail app on your Mac with the ID and password, then you don’t need to enter it again. Having a password for your user account on your Mac is very very important, yes. No one should go without one.

    John Spencer
    5/26/16 @ 9:23 am

    I cannot seem to block email from Russia (.ru) or in Russian script addressed to me and also sent by me? I am using Apple Mail. I have made rules to try to force this into junk mail. I even junk my own name!

    5/26/16 @ 9:33 am

    John: Not much you can do. Just delete those — takes a second.

    Joan M
    5/26/16 @ 9:46 am

    Hi Gary. Thanks for the post, this just happened to a friend today. Is there a risk to simply opening a spoofed email, or do you usually have to click on a link in the message to have a bad consequence?

    5/26/16 @ 9:47 am

    Joan: In most cases you don’t “open” an email anymore — it just displays if it is the currently selected message. There’s no known danger for Macs at the moment to viewing it. Just delete it and move on.

    André
    5/26/16 @ 9:54 am

    Hi Gary

    Thanks for the information.

    Recently I get emails from and to myself. As I heard is that the from address is faked and not really my email address.

    Can I mark them as spam for example with Spamsieve so that they go directly to my spam folder without affecting the real emails coming from me or from the same @companyname.com?

    Thanks
    André

    5/26/16 @ 9:57 am

    André: Marking them as spam typically won’t help you and in this case may hurt as it may then think that all email from you is spam. I’m just not familiar with “Spamsieve” so I don’t know what it would do exactly — you should ask support for that product to find out for sure. Or, save yourself time and just press delete and move on.

    John Atkinson
    5/26/16 @ 11:51 am

    Gary, great job of explaining email address spoofing. As an I.T. consultant, I field this question, or a related one, all the time. I’m just going to link my clients to this page on your site. Yet another superb video, sir.

    The “related” question I mentioned is, “why am I receiving all these bounce messages from people I’ve never heard of?” Non-delivery messages, of course. That’s just part of the wave of messages a From:-spoofed victim may encounter, when they use old addresses.

    Linda Lyn
    5/26/16 @ 7:05 pm

    Thanks Gary
    Good to be warned. Nowadays there are so many crooks trying everything they can to set traps in our computers to do harm and to take advantage of each of us. Thank you for warning.

    Jerry Spencer
    5/27/16 @ 5:28 pm

    What happens if you reply to one of these? Does it go to the one you think sent it or does it go off somewhere else?

    5/27/16 @ 7:05 pm

    Jerry: In some cases, the email will go to you or whatever spoofed address is in the From field. In other cases, the Reply-To field, which is different than the From field, will be used when you hit the reply button. That could be spoofed, it could be an invalid email address, or it could be the spammer’s real address. Whichever one it is, you should never reply to these. Either you are replying to an innocent party, no one, or a spammer. In most cases of spam the goal is to get you to click on a link to some offer (or worse) and not to reply.

    Carol
    6/1/16 @ 3:11 pm

    Good explanation–thanks. But is it also useful to post something on Facebook warning my more gullible friends that I did not send such-and-such (invitation to download files, for example), and if they received it, do not open the link, and do not send their password to the file-sharing service, as requested, but change it instead?

    6/1/16 @ 3:48 pm

    Carol: Only if you have reason to believe that they got spam email that looks like it is from you. If you got spam “from” yourself, then it is likely if they got the same spam that it looks like it came from them, not you. Or, it could come from another person entirely. If you want to warn them, give them a general warning that spam can appear to come from anyone at all, even a friend or themselves. Just always be skeptical.
