Email Spoofing FAQ

Overview

This is a FAQ article regarding email spoofing.

Information

What is Spoofed Email?

If you receive bounce messages for mail that appears to originate from your account, you find messages in Spam from 'me,' or you receive a reply to a message you never sent, you may be the victim of a 'spoofing' attack. Spoofing means faking the return address on outgoing mail to hide the true origin of the message.

When you send a letter through the post, you generally write a return address on the envelope so the recipient can identify the sender, and so the post office can return the mail to the sender in the event of a problem. But nothing prevents you from writing a different return address than your own; in fact, someone else could send a letter and put your return address on the envelope. Email works the same way. When a server sends an email message, it specifies the sender, but this sender field can be forged. If there is a problem with delivery and someone forged your address on the message, then the message will be returned to you, even if you weren't the actual sender.

If you've received a reply to a message that wasn't sent from your address, there are two possibilities:

  1. The message was spoofed, forging your address as the sender.
  2. The original sender used your address as a reply-to address so that responses would be sent to you.

Neither of these possibilities indicates that your account was compromised, but if you're concerned that your account may have been compromised, please contact the Technology Service Desk.

Why do attackers spoof emails?

  • Hiding their true identity, although if this is the only goal, it can be achieved more easily by registering anonymous mail addresses.
  • Easy to rotate. If you are spamming, your address is bound to be blocked quickly. If you’re able to switch sender addresses, who cares?
  • Pretending to be someone the receiver knows. This can be used to ask for sensitive information or just plain orders to transfer funds.
  • To give the sender a bad name. Sending out insults or other messages that put the so-called sender in a bad light.
  • Pretending to be from an organization the receiver has a relationship with. Phishing attempts to get hold of login details for banks etc. are a common example.

How can I tell if I'm being spoofed?

The following symptoms may indicate a spoofing attack:

  1. You see mailer-daemon error messages that say something like "Undeliverable" or "Undelivered Mail - Return to Sender" in your inbox that do NOT match any messages you sent out (as if someone sent a letter to another person and wrote your return address on the envelope instead of their own).
  2. You get messages from people who received email from you that you did NOT send.

The only true way to tell if you are being spoofed is to inspect the full headers (these are like the front page of a letter with postmarks, the return address, and recipient's address) and see if the reply-to address does not match where the email was sent from.
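The header comparison described above, as an added example that is not part of the original article: Python code using the standard-library email package to compare the visible From address against the Reply-To and Return-Path headers. The message, addresses and domains are constructed placeholders, and reading Return-Path and Authentication-Results goes beyond the reply-to comparison the article names.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail); all domains and addresses are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
\tby mx.example.org with ESMTP; Tue, 24 Oct 2017 14:31:00 -0700
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=example.edu
From: "Pat Example" <pat@example.edu>
Reply-To: <pat.example@freemail.example.net>
To: <chris@example.org>
Subject: Quick favor

Are you available?
"""

def domain_of(header_value):
    """Return the lowercase domain of the address in a header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_indicators(raw_message):
    """List header findings that suggest the visible From address was forged."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    # A mismatch is an indicator to review, not proof: mailing lists and
    # bulk-mail services legitimately use a different Return-Path domain.
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # The receiving server records its SPF/DKIM/DMARC verdicts in this header.
    for result in msg.get_all("Authentication-Results", []):
        for token in result.replace(";", " ").split():
            key, _, value = token.partition("=")
            if key.lower() in ("spf", "dkim", "dmarc") and value.lower() in ("fail", "softfail"):
                findings.append(f"{key.lower()} check reported {value.lower()}")
    return findings

if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE):
        print(finding)
```

To check a real message, save its full headers from your mail client ("Show original" or "View source") and pass that text to `spoofing_indicators`.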

What can I do if I think my email is being spoofed?

Unfortunately, you can't do much to stop spoofing once it starts, or to avoid having spammers harvest your email address in the first place. Spammers often get your email address from compromised accounts that have you in their contact lists, or they start to spoof your account if it was previously compromised. Because spoofers send email through their own servers and all they do is change the reply-to address, they completely bypass the email servers that the account is on. That is, if the email being spoofed is a UO email, the email being sent does not touch anything the UO has control over while it is being sent (if it were a Gmail account, the email would not touch anything Google had control over). At this point, it is up to the recipient or their email provider to recognize that the email is spam and reject it. One step you can take is notifying the UO Information Security Office of any spoofed emails using this phishing email reporting page: Service - Report Email Phishing (uoregon.edu)

Details

Article ID: 41254
Created: Tue 10/24/17 2:31 PM
Modified: Wed 11/24/21 3:16 PM