Has Your Email Address Been Spoofed?

One of the most disheartening and most frustrating spam problems to deal with is spoofing. When a spammer puts someone else’s email address in the “reply-to” field of their spam messages, all bounced message notifications and replies to the original message will be sent to the innocent victim. Using a false or fake email header to send messages is called spoofing.

The way you find out your email address has been spoofed is when you start receiving bounced message notifications for email you didn’t send. And it’s a horrible feeling when it happens!

While there’s really nothing you can do to stop it once it happens, there are some things you can do to try and prevent it from happening in the first place. But before we get into that let me offer some words of encouragement for current victims of spoofing who are receiving countless numbers of bounced message notifications. In my experience, a spoofing attack is an isolated incident, not an endless nightmare. Spammers generally use your email address for one mass mailing and then move on to another unfortunate victim.

Read on to find out if you’ve been spoofed and learn how to prevent future attacks.

Determine the origin of the email
First you need to determine the origin of the email so you know whether you are a victim of spoofing or a victim of a hacker who is actually sending the spam through your server. You can make that determination by looking at the header of the sent email. In most cases, the bounced email notification will include the full header from the original email. Make sure you are examining the header from the spam email… don’t make the same mistake I made by carefully examining the legitimate header for the bounce notification!

In a spoofed email message you will find your email address in the “reply-to” field of the header. You also want to examine the “received from” lines in the header. Usually the last server the email passed through will be at the top of the list of “received from” lines and the originating server will be at the bottom of the list. Your header may vary though, so check the time stamps for each line as well. If your domain name or email server is not the originating “received from” then you know your email address has been spoofed.

You may need to do a little detective work to be able to recognize your own servers in the headers. The easiest way to find out where your own email originates is to send yourself a message and examine the headers.

If the originating email server is not your own, you have been spoofed. If you find that the email did originate on your server, then you may be the victim of a hacker and you should contact your hosting company support for help.
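The check described in this section, as an added Python example (not code from the original article): it pulls the original message out of a bounce notification, orders its Received lines by time stamp, and tests whether the earliest hop names one of your own servers. The bounce text, the host names and `MY_SERVERS` are constructed placeholders.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

MY_SERVERS = ("mail.yourdomain.example",)  # assumption: hosts your own mail leaves from

# Constructed bounce: the spam comes back attached as a message/rfc822 part.
BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from relay.isp.example by mx.recipient.example; Tue, 02 Jan 2024 10:00:09 +0000
Received: from unknown (HELO pc) (203.0.113.55) by relay.isp.example; Tue, 02 Jan 2024 10:00:02 +0000
From: you@yourdomain.example
Reply-To: you@yourdomain.example

spam body
--b1--
"""

def original_message(bounce_text):
    """Return the bounced (original) message, not the bounce notification itself."""
    outer = email.message_from_string(bounce_text, policy=policy.default)
    for part in outer.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":  # some bounces return the headers only
            return email.message_from_string(part.get_payload(), policy=policy.default)
    return None

def hops_oldest_first(msg):
    """(time stamp, Received value) pairs sorted by time rather than by position."""
    hops = []
    for value in msg.get_all("Received", []):
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append((stamp, " ".join(value.split())))
    return sorted(hops, key=lambda h: h[0])

def verdict(bounce_text):
    msg = original_message(bounce_text)
    if msg is None or not msg.get_all("Received"):
        return "no original headers in bounce"
    first = hops_oldest_first(msg)[0][1]  # the originating hop
    return "originated on your server" if any(s in first for s in MY_SERVERS) else "spoofed"
```

Received lines added before the message reached a server you trust are written by the sender and can be forged, so treat the earliest hop as a lead rather than proof.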

Be aware that some hosting companies are quick to disable hacked accounts, so be sure to always have a backup of your website (and be careful if you’re backing up a site that has already been hacked… you don’t want to end up reinstalling the hack).

Was the spam sent just to you?
Lately, I’ve been receiving just one bounced message notification for a spam message. It seems that the spammer is sending the original message just to me, with a copy to himself (for some reason I can’t figure out) and the copy to himself bounces. I figure that if a mass mailing was going out under my email address, I’d be receiving numerous bounced messages, therefore I think it’s just being sent to me. And I assume many other people are getting the same spam with their own email address spoofed.

Report the offender
This is entirely opinion based… I haven’t done any research at all on the effectiveness of reporting spoofers. I think most spammers use an email account once and then move on, so reporting them doesn’t really accomplish anything. I generally don’t have the time to report. However, if the email originated in the US, Canada, or other countries that have some anti-spam laws, and reporting the spammer would give you some satisfaction, you may want to make the effort.

Prevent future attacks
To prevent all kinds of spam, including spoofed header spam, make sure you are taking steps to protect your email address. Take a look at our Tips and Techniques Category to learn how to prevent your email address from being harvested in the first place. In particular you’ll want to look at Tips for reducing the amount of spam you receive at your business email address and Tips for reducing or eliminating spam to your personal email address.

Contact your hosting company about using the Sender Policy Framework (SPF). SPF does not prevent all spoofing, but at this point it’s really the only preventive tool available. Before implementing it on your server, be very careful to make sure you understand what it is, how it works, and where all your legitimate email originates. If it’s not properly set up, you’ll have even more problems. Get complete information at http://www.openspf.org/
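Checking a draft SPF record against every place your legitimate mail leaves from, before publishing it, as an added Python example (not from the original article or from openspf.org). It evaluates only the `ip4`, `ip6` and `all` mechanisms; the records, source names and IP addresses are constructed.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate the ip4, ip6 and all mechanisms of an SPF record for one sender IP.

    Terms that need DNS (include, a, mx, redirect, ...) are not followed; if one
    is reached before a match, the answer is reported as unresolved.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        else:
            return "unresolved:" + mech
    return "neutral"  # nothing matched and the record has no "all" term

def audit(record, legitimate_sources):
    """Map each legitimate mail source to the result a receiving server would compute."""
    return {name: spf_result(record, ip) for name, ip in legitimate_sources.items()}

# Constructed inventory of where legitimate mail originates (documentation-range IPs).
SOURCES = {"office mail server": "192.0.2.10", "newsletter service": "198.51.100.25"}
DRAFT = "v=spf1 ip4:192.0.2.0/24 -all"  # forgets the newsletter service
FIXED = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
OPEN = "v=spf1 +all"  # weak: authorizes every sender, so it stops no spoofing

if __name__ == "__main__":
    for label, rec in (("draft", DRAFT), ("fixed", FIXED), ("open", OPEN)):
        print(label, audit(rec, SOURCES), "forger:", spf_result(rec, "203.0.113.55"))
```

With the draft record the newsletter service's own mail fails SPF, which is the kind of self-inflicted problem the paragraph above warns about.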

If your domain or IP address is being blocked by spam filters
In some cases, spoofed email spam can cause you to be blacklisted by email servers. Spoofed email should not cause you to be listed on the major spam organizations’ blacklists, because they should be looking at the headers for reported email and seeing that it didn’t originate from you. Unfortunately, some blacklists and particularly some ISPs will blacklist you if enough members complain that your domain or email server is sending spam.

For help addressing the problem, visit Black List Monitoring. You’ll need to determine where your email is being blocked and find out how to request removal from that list.

6 Comments

  1. Brooke Wickham says:

    Where can I report the spoofed emails?

  2. Linda says:

    Hi Brooke,
    Thanks for stopping by and for commenting.

    As I said in the article, I’m not sure if reporting spoofed email has any consequence for the originator, but there are some circumstances where it might be worth your time and effort to report.

    If the spoofed email contains a phishing attempt for a company (like PayPal, eBay, or a bank), you can report it to that company. They will attempt to shut down the phishing site and they maintain a record of the attempt. Search the company’s contact page or help files for how to report the email and be sure to include the complete header when you send the email.

    If you can determine where the email originated, you can report it to the originating ISP. But it’s not always easy to figure out the origin and spam often originates in countries that don’t have the laws or resources to pursue the spammers. If it will bring you some personal satisfaction you might want to try to find the origin and report it, but otherwise, I don’t know if it’s worth the time.

  3. Robert says:

    I am wondering, if I should get a spam spoofed e-mail, if I report it, will I get in trouble because my e-mail address is in the from field or not?

  4. Linda says:

    Hi Robert,
    As long as you are sending the full email header when you report the email, the company you are reporting to will be able to determine where it originated. And you can also include a note with your report saying that it is spoofed email. Of course, before you send it, you want to assure yourself that it is a spoofed message and that your email hasn’t been hacked.

    To retrieve and send the full header of a message you may need to change a setting in your email client and copy and paste the header into your report.

  5. Justin says:

    I’ve had a spammer using my e-mail address over and over again for their mass mailings, as every few days I get a huge influx of returned e-mails to my e-mail address. I wish this person would just move on and use someone else’s information, but I’m pretty sure this is vengeance spam after I filed a complaint with PayPal about a company in China for offering a fraudulent product/service.

    When this happens, obviously they have to specify an e-mail address (assuming it’s not random) when they send their junk mail out. I also know that companies out there buy email address lists. Is there any chance that somehow a list has been sold to a company specifying that for some reason my e-mail would be a good one to put in the return-to field, or should I just assume it’s just one person using my email over and over again to send their shady advertisements with 2nd grader spelling?

  6. Linda says:

    Hi Justin,
    I’m sorry you’re having a problem with a spammer… I’ve had that happen to me and it’s so disheartening to open your email and see all those bounced messages!

    The good news is that the spammers very often do move on, so unless it’s been happening for more than a couple of weeks, you may be able to just wait it out. It can take several days for bounced email messages to make their way back to you, so again, depending on how long it’s been, it could be all from one or two mass mailings.

    If the email address being spoofed is one of the major ISPs like Comcast or AOL, search their help sections for what to do. Some ISPs will help you out with the problem.

    If the bounced email messages contain the full header of the original email you can probably figure out if it’s all one source. Use the methods described in the post above to determine the origin. Be sure you’re looking at the originating email header and not the header from the ISP informing you of the bounced message. (I’ve been confused before and very thoroughly researched the ISP that bounced the message. But you’re probably not as easily confused as I. LOL!)

    First, determine if it’s originating from your own account. If so, it means someone hacked into your email account and is using it to send the messages. If so, report it to the company that provides your service and follow their instructions.

    Look at several bounced messages to see if they all start in the same place and it’s just one person, or if there are several different origins, in which case your address may have been added to a list. Also, if the email address is a common word or your name, it may be a dictionary attack (spammers use scripts to generate thousands of email addresses from common words and names).

    When you see where it’s coming from, don’t automatically conclude that the originating server is the culprit. The spammer may have hacked into someone’s server to send the email so there may be another victim besides yourself.

    Unfortunately, if nothing else works and the bounced messages don’t stop, you may have to change your email address and delete the spoofed one.

    I hope you get it resolved soon!