What is Email Spoofing?
Spoofing is the falsification of an e-mail address so that a message appears to come from one sender when in fact it is being sent by someone else, typically a spammer. Spoofed messages can be difficult to spot and cause many problems, both for recipients and for the owners of the spoofed e-mail addresses.
How spoofing operates
E-mail spoofing can take a variety of forms, but basically a spoofed e-mail appears to have been sent from one source when it was actually sent from another source entirely. Phishing attempts and e-mail worms typically use spoofed e-mail addresses to trick users into believing that an e-mail has come from a trusted source. The actual sender effectively hides behind a user's address by falsifying the message's routing information, making it appear to come from the legitimate user's account.
However, any replies to a spoofed e-mail go directly to the legitimate e-mail account (not the sender who has spoofed the e-mail), causing embarrassment and inconvenience. The legitimate user can find their e-mail Inbox bombarded with viruses, bounced e-mail and flame e-mails, and in some cases can have their account suspended or shut down by their Internet Service Provider (ISP) for violating its anti-spam policy.
Meanwhile, the sender avoids all of these consequences, leaving innocent users to deal with the aftermath.
How to tell a spoofed e-mail address from a legitimate e-mail address
It is extremely difficult to detect a spoofed e-mail address at first glance. It is possible to identify a spoofed e-mail by carefully analyzing its headers, but generally spoofed e-mail is not immediately detected as such.
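The header analysis mentioned above can be partly automated. The following is an added example, not part of the original page: it compares the visible From domain with the Return-Path and Reply-To domains and, going beyond the text, reads the Authentication-Results header that receiving servers add. The sample message and all domains in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and address is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example; spf=pass
 smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <security@bank.example>
Reply-To: <helpdesk@collector.example>
Subject: Update your personal information

Please confirm your details.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(domain, from_domain):
    """True if domain equals the From domain or is a subdomain of it."""
    return domain == from_domain or domain.endswith("." + from_domain)

def spoofing_indicators(raw_message):
    """Return header inconsistencies that often accompany a spoofed From.
    These are indicators, not a verdict: bulk-mail services legitimately
    use their own Return-Path domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    if not from_dom:
        findings.append("From header has no parseable address")
    # Return-Path is where bounces go; Reply-To is where replies go.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and not aligned(dom, from_dom):
            findings.append(f"{name} domain {dom} does not match From domain {from_dom}")
    # Only an Authentication-Results header added by your own receiving
    # server is trustworthy; a sender can insert a forged one upstream.
    results = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", results)
        if m and m.group(1).lower() in ("fail", "softfail"):
            findings.append(f"{method} check reported {m.group(1).lower()}")
    return findings

if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print(finding)
```

To check a real message, save it with full headers from your mail client and pass the file's text to `spoofing_indicators`.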
There are several things to look out for regarding potentially spoofed e-mail addresses:
Typically, spoofed e-mails will appear to come from a legitimate source, and it is often only the content of the e-mail itself that can give the spoofer away. Banks and other financial organizations do not request personal information via e-mail - that is one of the most important things you can remember regarding all e-mail fraud (spoofing, spamming and phishing included).
Like spammers, spoofers use various ploys to trick users into opening their e-mails, anything from placing "Dear friend" or "Remember me" in the subject line - implying that the e-mail is from someone the user knows, to more generic subjects like, "Your money has been refunded" or "About your Web site."
Be wary of e-mail that appears to be from a legitimate source (like your bank) that asks you to update your personal information - it is almost certainly a phishing attempt and the official looking e-mail address will be spoofed.
How to tell if your e-mail address is being spoofed
You receive (sometimes angry) replies to e-mail you know you did not send.
You receive multiple bounced e-mails that you know you did not send.
Your ISP challenges you about violating its anti-spam policy.
What to do if you think you have received a spoofed e-mail or your e-mail address is being spoofed
Do not respond to a spoofed e-mail to complain, because it will only arrive in your own e-mail Inbox.
Send a copy of the spoofed e-mail to the spoofed e-mail sender's ISP. The e-mail address for this is usually firstname.lastname@example.org or email@example.com but if you are not sure, visit their ISP's Web site and search for the information - it will be there.
Send a copy of the spoofed e-mail you received to your ISP's abuse desk. The e-mail address for this is usually firstname.lastname@example.org or email@example.com but if you are not sure, visit your ISP's Web site and search for the information - it will be there.
Include full e-mail headers when you file a spoofing report. Find out how to read e-mail headers here.
Further assistance can also be obtained by contacting our organization via our contact form.
Basic safety tips for preventing e-mail spoofing:
Use more than one e-mail address: one for personal e-mail and the other for mandatory fields in online forms and access areas.
Make your e-mail address difficult to guess. Spoofers will use every name combination they can find to send spam (known as "dictionary attacks"), so firstname.lastname@example.org, although unattractive and possibly difficult to remember, might attract less spam than email@example.com. Generic e-mail addresses like firstname.lastname@example.org will always attract spoofing, unfortunately.
Never post your real e-mail address anywhere online, such as newsgroups, online chat and online profiles.
When you are responding via a Web site form, read it thoroughly.
Some Web sites that do include an opt-out option usually require you to check a box to say that you agree to be sent e-mail (either from them or their associates). However, some of them ask that you uncheck a pre-checked box in order not to be sent e-mail, and many consumers have fallen foul of that.
Never open e-mail and/or download attachments from anyone if you are not expecting them, and if you must open an attachment, always virus scan it first.
Keep your operating system, anti-virus, anti-spyware and firewall software up to date.
Use any spam filters available by default from your ISP.