“From” Spoofing: How Spammers Send Email that Looks Like It Came from You


OK, I know that spammers can send email spoofing the “From:” address to make it look like it came from me. But how? How do they gain access to my account to do that? Have I been hacked?

No. You have not been hacked.

“From” spoofing means faking the “From:” address on an email to make it look like it came from you. To do it, spammers don’t need access to your account at all. I’d say that 99.99% of the time it has nothing at all to do with your account, which is quite safe.

They only need your email address.

While your email account and your email address are related, they are not the same thing.

Accounts versus addresses

Let me say that again: your email address is one thing, and your email account is another.

  • Your email account is what you use to log in and gain access to the email you’ve received. In most cases, it’s also what you use to log in in order to be able to send email.
  • Your email address is the information that allows the email system to route messages to your inbox. It’s what you give other people, like I might give you leo@askleo.com.

The two are related only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.

I have a more detailed article discussing the relationship here: What’s the Difference Between an Email Domain, an Email Account, and an Email Address?

To see how spammers get away with “From” spoofing, let’s look at sending email.

Addresses, accounts, and sending email

Let’s take a quick look at how you create an account in an email program, like the email program that comes with Windows 10. Using “Advanced Setup” for “Internet email”, we get a dialog asking for a variety of information.

Add an Account in the Windows Mail program

I’ll focus on three key pieces of information you provide.

  • Email address — This is the email address that will be displayed on the “From:” line in emails you send. Normally, you would want this to be your email address, but in reality, you can type in whatever you like.
  • User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email.
  • Send your messages using this name — Called the “display name”, this is the name that will be displayed on the “From:” line in emails you send. Normally you would want this to be your own name, but in reality, you can type in whatever you like.

Very often, email programs display email addresses using both the display name and email address, with the email address in angle brackets:

From: Display name <email address>

Most email programs use this format when they create your email, and that’s what you’ll then see in the “From:” line.

“From” Spoofing

To send email appearing to be from someone else, all you need to do is create an email account in your favorite email program, and use your own email account information while specifying someone else’s email address and name.

Adding a fake From: to an account configuration

Looking at those same three bits of information:

  • Email address — As we said above, it can be whatever you like. In this case, email sent from this account will look like it’s “From:” santaclaus@northpole.com.
  • User name — This, with the Password below it, is what identifies you to the mail service, grants you access to your mailbox for incoming mail, and authorizes you to send email. This hasn’t changed.
  • Send your messages using this name — Again, this can be whatever you like. In this case, email from this account will appear to come “From:” Santa Claus.

Email sent using this configuration would have a spoofed “From:” address:

From: Santa Claus <santaclaus@northpole.com>

And that — or its equivalent — is exactly what spammers do.

Caveats

Before you try spoofing email from Santa Claus yourself, there are a few catches:

  • Your email program might not support it. For example, most web-based email services don’t have a way to specify a different email address to send from, or if they do, they require you to confirm you can access email sent to that address first. However, sometimes you can connect to those same services using a desktop email program, like Microsoft Office Outlook, as I’ve shown above, and configure it to do so.
  • Your email service might not support it. Some ISPs check the “From:” address on outgoing email to make sure it hasn’t been spoofed. Unfortunately, with the proliferation of custom domains, this approach is falling out of favor. For example, I might want to use the email account I have with my ISP to send email “From:” my askleo.com email address. The ISP has no way to know whether that’s a legitimate thing, or whether I’m a spammer spoofing that “From:” line.
  • It’s probably not anonymous. Yes, you can set the “From:” field to whatever you like, but you should be aware that other email headers (which you don’t normally see) may still identify the account you used to log in when you sent the email. Even if it’s not in the actual email headers, your ISP may well have logs that indicate which account sent the email.
  • It might be illegal. Depending on who you try to impersonate, your intent, and the laws in your jurisdiction, it’s possible that misrepresenting yourself in email could run afoul of the law.

Spammers don’t care. They use so-called “botnets” or “zombies” that act more like full-fledged mail servers than mail clients (Microsoft Office Outlook, Thunderbird, and so on). They completely bypass the need to log in by attempting to deliver email directly to the recipient’s email server. It’s pretty close to anonymous, as spam is exceedingly difficult to trace back to its origin.
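The caveat above, that headers you don’t normally see may tell a different story than the “From:” line, can be checked from the receiving side. The Python sketch below is an added example, not part of the original article: it parses a constructed message and compares the claimed “From:” with the Return-Path and the top-most Received: line recorded by the recipient’s server. All “.example” hosts and the 203.0.113.45 address are made up for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: what a recipient's server might store for a spoofed message.
# Every ".example" host and the 203.0.113.45 address are invented for this example.
SAMPLE = (
    "Return-Path: <bounce@bulk-mailer.example>\n"
    "Received: from host-45.dialup.example (host-45.dialup.example [203.0.113.45])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000\n"
    "From: Santa Claus <santaclaus@northpole.com>\n"
    "To: you@recipient.example\n"
    "Subject: Ho ho ho\n"
    "\n"
    "Message body.\n"
)

def domain_of(address):
    """Return the lower-cased part after the last '@' ('' if there is none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def inspect_from(raw):
    """Compare the claimed From: with headers added during delivery."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display = sender.display_name if sender else ""
    claimed = sender.addr_spec if sender else ""
    # Return-Path is written by the receiving server from the SMTP envelope sender.
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    # The top-most Received: line is the one the recipient's own server added.
    hops = msg.get_all("Received", [])
    handoff = " ".join(str(hops[0]).split()) if hops else ""
    # The notes are hints for a human reader, not proof of spoofing.
    notes = []
    if envelope and domain_of(envelope) != domain_of(claimed):
        notes.append("envelope sender domain differs from From: domain")
    if domain_of(display) and domain_of(display) != domain_of(claimed):
        notes.append("display name shows a different address than From:")
    return {"display": display, "claimed": claimed,
            "envelope": envelope, "handoff": handoff, "notes": notes}

if __name__ == "__main__":
    report = inspect_from(SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A mismatch is a hint rather than proof: as noted above, people legitimately send “From:” a custom domain through an unrelated provider.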


Where’d they get my email address?

So you might be asking yourself: if they didn’t compromise your account, where did they get your email address?

Spammers get email addresses everywhere. Data breaches, public postings, emails forwarded by friends without removing your email address, less-than-reputable companies, some kinds of bulletin board postings, and more.

Basically, spammers get your email address from wherever they can, but they don’t need access to your account to do it.

The “From:” spoofing takeaway

There’s nothing special about the “From:” address. It’s just another field which, like the “To:” field, can be set to any value you like. By convention — and sometimes automatically — we set it to our own email address when we send mail, so we get any replies. But there’s nothing that says it has to be that way.

And there’s nothing that forces it to be that way.

Similarly, since it’s just a setting on outgoing email, seeing a particular “From:” address doesn’t imply any relationship to the actual account that would receive email sent to that address. Spammers don’t need access to the account to make it appear in a “From:” line; all they need to do is type it in the account settings. Nothing more.

That spam didn’t really come from that address at all.

Originally published as “From” Spoofing: How Spammers Send Email that Looks Like It Came from You on Ask Leo!