Email spoofing occurs when an email is sent from one person or program that makes it appear as though it is legitimately from another. For example, user1@youremail.com creates an email, but when it is sent the “From” field has another person/organization’s email address such as fake@somecompany.com. When the person who receives the email clicks the “reply” button their email client will queue a response to the fake email address. Although email spoofing has been around for a long time, spammers commonly use it in phishing attacks to trick users into thinking they have received email from a trusted or known user.

How does Email Spoofing Work?

Email spoofing basically alters the email header to make it appear as though it originated from a different source address. This is possible because the Simple Mail Transfer Protocol (SMTP) does not support any type of sending authentication. Originally, email spoofing was used for legitimate reasons. For example, it was used when someone wanted to send mail appearing to be from their email address when logged on to a network that was not their own. Today, it is commonly used for spam or malicious purposes. The email fields can be edited in many email clients, automated spam, and hacker tool kits that are on the market.

Why do People Spoof Email?

Email is primarily spoofed for one of two reasons: 1 – Spam or 2 – To conduct a phishing or spear phishing attack. Spammers spoof the “From” field many times in order to hide their identity from the email recipient. The message body usually has advertisements or links to offers that the spammers are trying to sell to the recipients. They change the “From” field in the email in order to make it harder to determine their identity and avoid complaints from the receiver. Those who spoof email for malicious purposes typically do so as part of a phishing attack. They spoof the email so that it appears to be from someone else on the same domain as the receiver. In a spear phishing attack, the email may be changed so that it appears to be from the receiver’s legitimate friend or co-worker. This makes the possibility of the targeted person opening the email and falling victim to malware or spyware attack greater.

What are the Techniques to Spoof Email?

Although it is straight forward to change the “From” field in an email header, the email can still be traced to the sender. Additionally, the majority of major ISPs maintain “black lists” to ban known spam senders from sending email to users on their network(s). As a result, spammers have now evolved to using specialized software to create a random sending email address. These email addresses will rarely be active or used for a second time. Another technique that those conducting spear phishing attacks use is to hack the account password(s) of one or more persons in an organization. Once obtained, the emails in the address book are used to conduct additional attacks as they are placed in the “From” field in the email, making them appear to be legitimate. Email worms use this same technique to self-propagate through unsuspecting users who open infected email that the respective worm sends.

Can Spoofed Email be Traced?

The IP address used to send an email is logged and is traceable. This address can then be cross-referenced with the ISP DHCP records to determine who sent the email. If simply trying to trick siblings or friends, it will appear to be from the “faked” email address. This is why spammers and hackers will not send spoofed email from their own IP address(es). Instead, they route the spam through other destinations before sending it to the desired recipient(s).