Fig 1: Setting the display name in your e-mail client
The name you set will be displayed in the recipient's mail program as the person from whom the mail was sent. Likewise, you can type anything you like in the field on the following page that asks for your e-mail address. Both fields are separate from the field where you enter the account name your ISP assigned to you, and the mail client never checks that they agree with it. Figure 2 shows what the recipient sees in the "From" field of an e-mail client such as Outlook.
Fig 2: The recipient sees whatever information you entered
When this simplistic method is used, you can tell where the mail originated (for example, that it did not come from thewhitehouse.com) by checking the actual mail headers. Many e-mail clients don’t show these by default. In Outlook, open the message and then click View | Options to see the headers, as shown in Figure 3.
Fig 3: Viewing the e-mail headers
In this example, you can see that the message actually originated from a computer named XDREAM and was sent from the mail.augustmail.com SMTP server.
Unfortunately, even the headers don't always tell you the truth about where the message came from. Spammers and other spoofers often use open relays to send their bogus or malicious messages. An open relay is an SMTP server that is not correctly configured and so allows third parties to send e-mail through it that is neither sent from nor addressed to a local user. In that case, the "Received: from" line that your own mail server adds only points you to the SMTP server that was victimized. Any Received: lines older than that were written by the relay or by the sender, and a sender can place arbitrary fake Received: lines in a message before submitting it, so only the lines added by servers you trust are reliable.
Note: For more information about open relays, see this page.
There Ought to be a Law
In fact, several U.S. states do have laws against e-mail spoofing. Many state anti-spam laws, such as those of Washington, Maryland and Illinois, specifically prohibit using a third party's mail server or domain name without that party's permission. The federal CAN-SPAM Act also makes it illegal to send unsolicited e-mail with false or misleading headers or deceptive subject lines.
The problem with such legislation is that by its very nature, spoofing conceals the identity of the sender and thus makes it difficult to sue or prosecute. Nonetheless, it’s a good idea to report deceptive e-mail to the Federal Trade Commission, which has a special e-mail account set up for that purpose at email@example.com. You can also go to the Commission’s Web site and click the “File a Complaint” link.