Has Your Email Address Been Spoofed?

One of the most disheartening and most frustrating spam problems to deal with is spoofing. When a spammer puts someone else’s email address in the “reply-to” field of their spam messages, all bounced message notifications and replies to the original message will be sent to the innocent victim. Using a false or fake email header to send messages is called spoofing.

The way you find out your email address has been spoofed is when you start receiving bounced message notifications for email you didn’t send. And it’s a horrible feeling when it happens!

While there’s really nothing you can do to stop it once it happens, there are some things you can do to try and prevent it from happening in the first place. But before we get into that let me offer some words of encouragement for current victims of spoofing who are receiving countless numbers of bounced message notifications. In my experience, a spoofing attack is an isolated incident, not an endless nightmare. Spammers generally use your email address for one mass mailing and then move on to another unfortunate victim.

Read on to find out if you’ve been spoofed and learn how to prevent future attacks.

Determine the origin of the email
First you need to determine the origin of the email so you know whether you are a victim of spoofing or a victim of a hacker who is actually sending the spam through your server. You can make that determination by looking at the header of the sent email. In most cases, the bounced email notification will include the full header from the original email. Make sure you are examining the header from the spam email… don’t make the same mistake I made by carefully examining the legitimate header for the bounce notification! :oops:

In a spoofed email message you will find your email address in the “reply-to” field of the header. You also want to examine the “received from” lines in the header. Usually the last server the email passed through will be at the top of the list of “received from” lines and the originating server will be at the bottom of the list. Your header may vary though, so check the time stamps for each line as well. If your domain name or email server is not the originating “received from” then you know your email address has been spoofed.

You may need to do a little detective work to be able to recognize your own servers in the headers. The easiest way to find out where your own email originates is to send yourself a message and examine the headers.

If the originating email server is not your own, you have been spoofed. If you find that the email did originate on your server, then you may be the victim of a hacker and you should contact your hosting company support for help.
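The check described above, worked through in code as an added example (it is not part of the original post): pull the original message out of a bounce notification, parse its "Received" lines, order them by time stamp so the originating hop comes first, and compare that hop against the hosts you recognize as your own. The bounce text, every host name and every IP address below are constructed for illustration; the set of "my hosts" is whatever you learned by emailing yourself and reading the headers.

```python
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample bounce: every host name, address and IP below is invented
# (RFC 5737 documentation ranges), not taken from a real incident.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.com
Subject: Undelivered Mail Returned to Sender
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.com with ESMTP; Tue, 01 Mar 2011 10:05:00 +0000
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: text/plain

The recipient mailbox does not exist.
--BND
Content-Type: message/rfc822

Received: from relay.isp.example (relay.isp.example [203.0.113.5]) by mx.example.net with ESMTP; Tue, 01 Mar 2011 10:03:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77]) by relay.isp.example with SMTP; Tue, 01 Mar 2011 10:02:00 +0000
From: victim@example.com
Reply-To: victim@example.com
To: nobody@mx.example.net
Subject: buy now

spam body
--BND--
"""

# "from <host> ... by <host>" is the common shape of a Received line.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def extract_original(bounce_text):
    """Return the original message embedded in the bounce (its message/rfc822 part),
    or None if the bounce did not include it. This is the header to examine,
    not the bounce notification's own header."""
    bounce = message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def received_chain(msg):
    """Parse each Received: line into (from_host, by_host, timestamp) and return
    the hops oldest first, so the originating hop is element 0. Sorting by time
    stamp guards against headers that are not in the usual top-down order."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        stamp = value.rsplit(";", 1)[-1].strip()
        hops.append((m.group(1), m.group(2), parsedate_to_datetime(stamp)))
    hops.sort(key=lambda hop: hop[2])
    return hops


def originating_host(msg):
    """Host or IP that injected the message, with any surrounding brackets removed."""
    chain = received_chain(msg)
    return chain[0][0].strip("[]") if chain else None


def is_spoofed(msg, my_domain, my_hosts):
    """True when the message claims our address in From/Reply-To but did not
    originate on one of our own hosts. If it did originate on our host, the
    post's advice applies instead: contact hosting support."""
    claimed = [msg.get("From", ""), msg.get("Reply-To", "")]
    claims_us = any(my_domain.lower() in str(c).lower() for c in claimed)
    origin = originating_host(msg)
    return claims_us and origin is not None and origin not in my_hosts


if __name__ == "__main__":
    original = extract_original(BOUNCE)
    for from_host, by_host, when in received_chain(original):
        print(f"{when.isoformat()}  {from_host} -> {by_host}")
    # Hypothetical list of our own hosts, learned by emailing ourselves.
    print("spoofed:", is_spoofed(original, "example.com", {"mail.example.com", "192.0.2.20"}))
```

The bottom-most Received line (here the bare IP 198.51.100.77) is the originating hop; since it is not one of our hosts while From and Reply-To carry our address, the verdict is "spoofed". Received lines can be forged below the first trustworthy relay, so treat the hop added by a server you trust as the reliable boundary.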

Be aware that some hosting companies are quick to disable hacked accounts, so be sure to always have a backup of your website (and be careful if you’re backing up a site that has already been hacked… you don’t want to end up reinstalling the hack).

Was the spam sent just to you?
Lately, I’ve been receiving just one bounced message notification for a spam message. It seems that the spammer is sending the original message just to me, with a copy to himself (for some reason I can’t figure out) and the copy to himself bounces. I figure that if a mass mailing was going out under my email address, I’d be receiving numerous bounced messages, therefore I think it’s just being sent to me. And I assume many other people are getting the same spam with their own email address spoofed.

Report the offender
This is entirely opinion based… I haven’t done any research at all on the effectiveness of reporting spoofers. I think most spammers use an email account once and then move on, so reporting them doesn’t really accomplish anything. I generally don’t have the time to report. However, if the email originated in the US, Canada, or other countries that have some anti-spam laws, and reporting the spammer would give you some satisfaction, you may want to make the effort.

Prevent future attacks
To prevent all kinds of spam, including spoofed header spam, make sure you are taking steps to protect your email address. Take a look at our Tips and Techniques Category to learn how to prevent your email address from being harvested in the first place. In particular you’ll want to look at Tips for reducing the amount of spam you receive at your business email address and Tips for reducing or eliminating spam to your personal email address.

Contact your hosting company about using the Sender Policy Framework (SPF). SPF does not prevent all spoofing, but at this point it’s really the only preventive tool available. Before implementing it on your server, be very careful to make sure you understand what it is, how it works, and where all your legitimate email originates. If it’s not properly set up, you’ll have even more problems. Get complete information at http://www.openspf.org/
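To make the "know where all your legitimate email originates" point concrete, here is an added example (not from the original post or from openspf.org) of a small offline SPF evaluator plus a pre-publication check. It handles the ip4, ip6, include and all mechanisms against a dictionary that stands in for DNS TXT lookups; the domains, records and IP addresses are all constructed. The first record forgets the newsletter provider that also sends mail for the domain, so the check flags it; the corrected record passes while still rejecting an outside sender.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups so the example runs offline.
# A real deployment queries DNS; these zones and addresses are invented.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 -all",
    "newsletter.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}
# Same zone with the newsletter provider's record included.
RECORDS_FIXED = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:newsletter.example.net -all",
    "newsletter.example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Constructed list of hosts that legitimately send mail as example.com:
# our own mail server and the newsletter provider.
LEGIT_SENDERS = ["192.0.2.10", "203.0.113.25"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, records, depth=0):
    """Evaluate a sending IP against domain's SPF record.
    Supports ip4, ip6, include and all; a/mx/exists would need live DNS."""
    if depth > 10:  # SPF caps recursive lookups; treat runaway includes as an error
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # Membership is False when the address family differs, so no error.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_spf(arg, ip, records, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"


def uncovered_senders(domain, senders, records):
    """Legitimate senders the record would reject (fail or softfail).
    Run this before publishing: anything listed here will start bouncing
    once receivers enforce the record."""
    return [ip for ip in senders if check_spf(domain, ip, records) in ("fail", "softfail")]


if __name__ == "__main__":
    print("missing from draft record:", uncovered_senders("example.com", LEGIT_SENDERS, RECORDS))
    print("missing from fixed record:", uncovered_senders("example.com", LEGIT_SENDERS, RECORDS_FIXED))
    print("outside sender, fixed record:", check_spf("example.com", "198.51.100.77", RECORDS_FIXED))
```

The draft record would have caused exactly the "even more problems" the post warns about: the provider's mail would fail SPF at every receiver that enforces -all. Checking every known sending host against the candidate record before publishing it is the cheap way to avoid that.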

If your domain or IP address is being blocked by spam filters
In some cases, spoofed email spam can cause you to be blacklisted by email servers. Spoofed email should not cause you to be listed on the major spam organizations’ blacklists, because they should be looking at the headers for reported email and seeing that it didn’t originate from you. Unfortunately, some blacklists and particularly some ISPs will blacklist you if enough members complain that your domain or email server is sending spam.

For help addressing the problem, visit Black List Monitoring. You’ll need to determine where your email is being blocked and find out how to request removal from that list.
