Email Spoofing

Email spoofing is a particularly nasty trick used by email spammers. It works like this:

In order to send email you need to include a return address, or else the receiving server will most likely reject the email as invalid or spam. Spammers need a return address for their spam messages but they don't want to use their own address for fear of being caught. Also, since so many spam messages get bounced, the spammer doesn't want to receive thousands of bounce messages.

Unfortunately one of the fundamental flaws of the email system is that you can put any return email address you like on your email — it doesn't have to be your own. This means that spammers can use someone else's email address as the return address on their spam. This makes their spam seem more legitimate while passing all the problems on to some poor innocent victim.

If you're wondering how this situation could be allowed, the answer is simply that no-one thought about it when designing the original email system. It didn't occur to naive engineers that people would deliberately use a false return address.

If You Have Been Spoofed

You will know that you've been spoofed when you start receiving hundreds of bounce messages for emails you never sent. The content of the original emails will be spam.
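
One way to check whether a bounce belongs to an email you really sent is to compare the Message-ID of the returned message against the Message-IDs of your own outgoing mail. The Python below is an added example, not part of the original article. The function names and the sent_ids set (Message-IDs you would collect from your own sent mail or server logs) are assumptions, and it only handles structured multipart/report bounces; anything else is reported as "unknown".

```python
import email
from email import policy

# Constructed sample bounce in RFC 3464 layout; every address and ID is made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Status: 5.1.1
--b1
Content-Type: message/rfc822

From: victim@example.org
Message-ID: <spam123@unknown-host.invalid>

Buy now.
--b1--
"""

def original_message_id(raw):
    """Message-ID of the message a bounce report refers to, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None  # free-form bounce: needs manual review
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":  # full original message attached
            return part.get_payload(0)["Message-ID"]
        if ctype == "text/rfc822-headers":  # only its headers attached
            hdrs = email.message_from_string(part.get_content())
            return hdrs["Message-ID"]
    return None

def classify_bounce(raw, sent_ids):
    """'genuine' if the bounced message is one we sent, else 'backscatter'."""
    mid = original_message_id(raw)
    if mid is None:
        return "unknown"
    return "genuine" if str(mid).strip() in sent_ids else "backscatter"
```

Bounces classified as "backscatter" can be filed away or counted without being read one by one, while "genuine" ones still reach you.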

Apart from the terrible inconvenience, there is also a danger that your email address will become blacklisted by some people or ISPs. Some systems that don't take spoofing into account will erroneously blacklist the email address that the spam is apparently sent from.

What Can You Do?

Here's the bad news: In most cases there are only two options and neither of them is fun.

(1) Change your email address, and make sure the old email address is set to bounce.

(2) Wait it out. Eventually spammers will stop using your email address and things will return to something near normal. Sadly you may suffer some permanent damage (e.g. blacklisting) but in most cases it's just a matter of time before things come right. Of course it's then only a matter of time before you get spoofed again, which is all part of the great circle of life in the email world.

Depending on your system, it may be possible to adjust your email account to minimize the problem without affecting your email address. For example, if most of your email comes via an online contact form, or if you use email forwarding, you may be able to change the routing addresses. Consult your system administrator to see if this is possible (warning: it probably isn't, so don't get your hopes up).

In case you are wondering about going after the perpetrator and making them stop, give up on that idea now. You have very little chance of success.

Important Note

Spoofing is one very good reason why you should never reply to spam. The spammer will not be the person who receives your email — instead it will probably be someone who is experiencing their own spoofing hell. On top of everything they are going through, they really don't need abusive emails from people blaming them for spam.