Spam Appears Sent from Your Email Address? Here's Why
November 6, 2007
Reader Denise Brown writes: I just read your article "Follow the Spam". There was a sentence in there regarding unsuspecting users' email accounts being used to send spam. About two weeks ago, I received spam from what appeared to be my own email account. The address was the same as my email account, and I thought it was weird, but just used the Yahoo! Delete Spam button. Should I be concerned about my email account? If so, what should I do? I like my email address, have used it for years, and don't particularly want to change it, but will if I have to.
This is an important point that I probably should have clarified at the time. Put simply: What you see in the "From" field on an email has little bearing on where it was actually sent from. Why? It's one of the easiest things to forge in the book.
In fact, so-called address spoofing is such a common trick that it's become a major tool in phishing scams. The hope is that a suspicious recipient will just look at the sender, see it says "firstname.lastname@example.org" or "email@example.com," and assume the message is legitimate. Of course, it's as phony as a three-dollar bill, and if you click on the links in that message, you'll be whisked off to a scam website.
With general "Viagra"-style spam, one common trick is to simply forge the email of the recipient as the sender as well, which is what you're seeing. So firstname.lastname@example.org receives email sent from email@example.com, or so it seems. Again, the idea is that you might trick a few people into thinking they actually emailed themselves. Of course, it's all a fiction.
That doesn't mean that spam never comes from the address in the From field or that legitimate email accounts can't be hijacked for evil ends. They can. But compared to spoofing, both are fairly rare: It makes much more sense for a spammer to hide his tracks as much as possible to prolong the amount of time before he gets caught and that account or computer becomes defunct. It should go without saying that you should protect yourself thoroughly with antivirus and anti-spyware applications so that doesn't happen to you.