E-mail Spoofing or E-mail Forgery: We’re not sending you viruses! Really, we’re not!

(from Maine Townsman, August/September 2004)
By Jeri Holt, Resource Center/Web Manager

E-mail spoofing refers to e-mail that appears to have originated from one source when it was actually sent from another. Individuals who send "junk" e-mail or "spam" typically want the e-mail to appear to be from an e-mail address that may not exist, so that the e-mail cannot be traced back to them.

Why Spoof?

There may be many reasons why people deliberately send out e-mails spoofing the return address. Most are criminal or malicious or at the very least deceptive.

Often it is to fraudulently obtain information. These e-mails are sent in an attempt to collect sensitive personal information from recipients who reply to the message or click on a link to a Web page requesting this information. The e-mail addresses of companies such as banks, credit card companies, and Internet service providers are often spoofed for this purpose.

Individuals also use spoofing to deliver a “spam” message or insert a virus. By using a real e-mail address, they improve the chance that the message will be opened and that it cannot be traced to them.

Worms and viruses also use spoofing. They locate e-mail addresses on an infected computer’s hard drive from temporary Internet files or in contact lists (Outlook, for example) and use them as the “From” address. Recently, viruses have been able to generate random addresses that actually don’t exist.

Symantec (Norton AntiVirus) says on their web site that they have received reports of “numerous cases in which users of uninfected computers received complaints that they sent an infected message to someone else.”  These individuals’ e-mails had been spoofed and used to send out viruses.

Robert Vamosi, a ZDNet.com senior editor, offers the following description of how spoofing occurs:

“If your computer should become infected with a virus, that virus might parse cached HTML pages and pull out any e-mail addresses it finds. It also culls addresses from your Outlook contacts and various other documents stored on your hard drive. The virus then sends copies of itself. To do so, it uses its own SMTP engine to bypass your e-mail client and any built-in safeguards your e-mail client may have. Not only will the virus try to send me a copy of the virus, for example--and, later, plenty of “spam,” thank you very much--the virus may also use my e-mail address as the sender's return address to infect others.”

“Why I’m not sending you viruses,” April 2, 2004, http://reviews-zdnet.com.com/4520-7297_16-5128975.html


SMTP and E-Mail Headers

These forgers/hijackers can get away with spoofing e-mails because of the structure of the Internet protocol for sending e-mail. The SMTP (Simple Mail Transfer Protocol) used by the Internet has no method of verifying who is sending what to whom. It is very simple to manipulate the e-mail header information to masquerade as someone else. There is even a web site which will send out spoofed mail for you.

E-mail collects information from every computer it passes through from send to delivery. You can see where e-mail has been in the headers of each message.

In Outlook, you can see the header information by right-clicking on the message in your in-box. Select “Options” and you will see the header information in the window at the bottom of the pop-up message box. The earliest information is at the bottom, so read from the bottom up. The “Return-path” and the “Reply-to” fields will tell you the most, because if they don’t match, the sender isn’t who they claim to be. Before sending off a message saying an individual sent you a virus, you can check the header and verify that they really did send it.
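
The header check described above can also be scripted. The following Python sketch is an added example, not part of the original article: it lists the Received lines oldest-first and compares the domains in the From, Return-Path and Reply-To fields. Including From is an addition here, and the sample message with all its hosts and addresses is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail); every host and address is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.town.example.org; Mon, 2 Aug 2004 10:15:01 -0400
Received: from unknown (HELO pc) (203.0.113.45)
    by relay.example.net; Mon, 2 Aug 2004 10:14:58 -0400
From: "Town Clerk" <clerk@town.example.org>
Reply-To: <clerk@town.example.org>
Subject: Your document

See attached.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def received_path(msg):
    """Received lines oldest-first. Each relay adds its line at the top,
    so the header block is read from the bottom up."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def sender_domains(msg):
    """Domain seen in each sender-related header that is present."""
    names = ("From", "Return-Path", "Reply-To")
    return {n: domain(msg[n]) for n in names if domain(msg[n])}

def analyze(raw):
    """Return (hops oldest-first, sender domains, True if they disagree)."""
    msg = message_from_string(raw)
    doms = sender_domains(msg)
    return received_path(msg), doms, len(set(doms.values())) > 1

if __name__ == "__main__":
    hops, doms, mismatch = analyze(SAMPLE)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop}")
    for name, dom in doms.items():
        print(f"{name}: {dom}")
    print("MISMATCH: verify with the sender" if mismatch else "headers agree")
```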

Don’t open that file! Don’t follow that link!

Beware of spoofed (or any) e-mail messages with attachments or links to web sites.

1. Don’t open any attachments unless you are expecting them. If it is from a person you know, contact them and ask whether they just sent you an attached file. If they didn’t, then their address has probably been spoofed.

2. Never click on a link and go to a page to submit personal information.

3. Never click on a link that you didn’t ask to be sent to you. A link in an e-mail could launch a virus or take you to an infected location.

4. Don’t open an attachment that ends in .exe, .pif, .scr, .vbs or .zip.

Beware of fake messages from your virus software! Viruses also send out spoofed messages from virus software or purporting to be from your e-mail provider saying that you have been sending out infected e-mail and telling you to follow the instructions in the attached file or link.

What can you do?

You can’t stop your address from being spoofed. Even if you protect your computer from attacks, your address can be picked out of infected computers that have received e-mail from you.

You also can’t do anything about receiving spoofed e-mail. Until the SMTP process has been changed so that spoofing is not possible, spoofing will continue.

You can however protect yourself by:

1. Using antivirus software to protect your machine from infection from spoofed e-mail.

2. Updating your virus definitions regularly. There are new viruses being created every day, so make sure to use software that is updated regularly.

3. Not opening any attachments, unless you know in advance that they are coming or have verified them.

Spoofing, “spam” and all their nasty variations that pop into our e-mail boxes are becoming a fact of daily computer life. They are annoying and potentially damaging, but once you identify and understand them, you can deal with them appropriately. Don’t hesitate to use that “DELETE” key!