E-mail Spoofing and how to stop it. A webmaster's guide.
May 18, 2009

What is E-Mail Spoofing?
E-mail spoofing (or forging) is sending an e-mail to another person so that it appears that the e-mail was sent by someone else. It is becoming so common that you can no longer take for granted that the e-mail you are receiving is truly from the person identified as the sender.

How does it work?
It is disturbingly easy to spoof an e-mail address. All you need to do is change the settings in your e-mail program. Simply change your name, and choose any e-mail address as the reply-to address. When your e-mail arrives, it will appear to the receiver as having been sent from another person. There are rare occasions when you might want to do this, such as if you are sending an e-mail from home and want it to look like it is being sent from your work account. However, forging anybody's name but your own could have serious legal ramifications.

What does it mean?
Here is a simple rule: You can no longer trust the sender's address on an e-mail. It is as easy to fake as writing someone else's address on an envelope before dropping it in the mailbox.

You have to teach yourself to be wary of e-mails, in much the same way that you have been trained to recognize dubious letters, phone calls and door-to-door salesmen. Nobody wants to be the victim of a fraud artist.

Who is spoofing?
There are four basic sources of spoofed e-mails: SPAM, virus programs, fraud artists and people who simply want to cause someone trouble.

SPAM
Many spam companies will steal a real person's e-mail address in order to trick anti-spam filters. It also makes the e-mail seem legitimate and written by a real person (rather than a machine). Finally, it allows them to hide their true identities.

VIRUSES
Almost all of the latest virus programs use e-mail spoofing. The reasons are simple: many people are still willing to blindly click on an attachment sent by someone they know. Once activated, the virus program will send itself to everybody in the infected computer's address book, but it will first use one of those addresses to fake who is actually sending the virus. Not only does an innocent person have to deal with calls that he or she is sending out viruses, but the real infected machine is left alone to continue its dirty work.

FRAUD
Fraud artists will send out e-mails asking for passwords or credit card information, and they will spoof the address so that it appears the e-mail is being sent by a legitimate organization. These e-mails often ask the victim to visit a web page and fill out an online form. Of course, this web page is fake as well.

TROUBLE MAKERS
Disgruntled people can cause a lot of trouble for a company or organization by spoofing e-mails. They can create fake press releases or internal memos, and then send them out by pretending to be a person at the company. Usually their goal is to generate rumours and misinformation. Their work can lead to inaccurate media reports and significant loss of productivity.

 

Examples of E-Mail Spoofing
Here are some recent cases of e-mail spoofing that caused a lot of trouble:

  • A recent virus program sent e-mail that appeared to come from Microsoft, and even used the company logo and other graphics. Links in the e-mail went to the actual Microsoft site; however, the message urged you to install a Microsoft security update which was included as an attachment. Of course the attachment was really a virus.
  • A student looking to sell information on "free cash grants" spoofed the e-mail so that it appeared to come from flowers.com (now 1-800-FLOWERS.COM), presumably in an attempt to make his e-mail look more legitimate. Return-to-sender hate mail and bounce-backs swamped flowers.com's network and crashed its system.
  • A message "from" Sony's president threatening a hostile takeover of Apple Computer at an inflated per-share price raised eyebrows at several dozen companies and media offices.
  • An icily worded message "from" management of a law firm informed employees a colleague had been brutally murdered, naming her replacement. Shocked staff forwarded the message to friends outside the company's London and Hong Kong offices. A viral global smear campaign rapidly unfurled.
  • E-mail "from" the American Red Cross following the September 11 disaster sent recipients to fake Web sites where people used credit cards to make "donations".
  • Messages appearing to come from companies such as Warner Bros and Computerworld included links to porn sites.

What Can You Do?
Unfortunately, there is not much that you can do to prevent spoofed e-mails from being sent to you. Companies such as Microsoft are examining the issue, but solutions are still a long way away. What you can do is understand how fragile the sender's "identity" really is, and be vigilant.

You can also look at the "headers" information to see where the spoofed e-mail actually originated from. Depending on the circumstances you can then send an alert to the person you assume sent it.
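
One way to read the headers programmatically is shown below. This is an added example, not part of the original guide: the sample message, its hosts and addresses, and the function names are all constructed for illustration. It walks the Received lines from oldest to newest and flags a From domain that disagrees with Reply-To, Return-Path or the first relay.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (every host and address here is made up).
# The visible From claims example.com, but the relay chain starts elsewhere.
SAMPLE = """\
Return-Path: <bulk@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP; Mon, 18 May 2009 10:00:05 -0400
Received: from mailer.example.net (unknown [203.0.113.45])
\tby mx.recipient.example with SMTP; Mon, 18 May 2009 10:00:03 -0400
From: "Alice Smith" <alice@example.com>
Reply-To: collect@example.org
To: bob@recipient.example
Subject: Security update

Please install the attached update.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def received_hops(msg):
    """Hops oldest-first: every relay prepends its own Received line."""
    found = (RECEIVED_RE.search(h) for h in reversed(msg.get_all("Received", [])))
    return [m.groupdict() for m in found if m]

def analyse(raw_message):
    """Return (first recorded hop or None, list of mismatch findings)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    hops = received_hops(msg)
    origin = hops[0] if hops else None
    if origin:
        helo = origin["helo"].lower()  # name claimed by the sending host
        if helo != from_dom and not helo.endswith("." + from_dom):
            findings.append(f"first hop {helo} [{origin['ip']}] is not under {from_dom}")
    return origin, findings
```

The IP address in square brackets is written by the receiving server, while the host name after "from" is whatever the sending machine claimed. Received lines older than the first server you trust can be fabricated by the sender, so treat a mismatch as a reason to look closer rather than as proof.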

If it appears that your own e-mail address has been spoofed, there are some steps you can take. If you receive an e-mail or phone call accusing you of distributing a virus, first determine that your computer is not infected by using your anti-virus software. If you are clean, you may consider replying to the person and politely letting them know that your address was spoofed. Keep in mind that many virus alert messages are generated by a program. Replying to such a message will be a waste of time.

Additional Resources
Here are some links to additional information:

http://www.openspf.org/

    • If you have questions concerning legal issues, we encourage you to work with your legal counsel.

      U.S. sites interested in an investigation of this activity can contact the Federal Bureau of Investigation (FBI). Information about how the FBI investigates computer crimes can be found here:

      http://www.cert.org/tech_tips/FBI_investigates_crime.html

      For information on finding and contacting your local FBI field office, see:

      http://www.fbi.gov/contact/fo/fo.htm

      Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps for pursuing an investigation.