
An email address isn't the same as an email account. It's trivial to send email "From:" an email address without access to the account.

OK, I know that spammers can send email spoofing the "From:" address to make it look like it came from me. But how? How do they gain access to my account to do that?

First let me be very clear: they don't have to have access to your account. In fact, 99.99% of the time they don't. 99.99% of the time it has nothing at all to do with your account, and your account is quite safe.

They only need your email address.

And this is the concept that's fairly difficult for most folks to grasp: while your email account and your email address are related, they are not necessarily the same thing.

Let me say that again: your email address is one thing, and your email account is another.

I know, that's not at all obvious, but I'll try to explain a little more clearly.

  • Your email account is what you use to log in and gain access to the email you've received. In most cases, it's also what you use to log in so that you can send email.

  • Your email address is the information that allows the email system to route messages to your inbox.

The two are related, only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.

And that's the only required relationship.

The reason that it gets very confusing very quickly is that many email services use your email address as your username to log in to your email account, so it's difficult to see that there could be a difference.

One big example is MSN Live Hotmail. When you log in to your Hotmail account, you typically use your Hotmail email address to do so. It seems like they are one and the same. They're not.

A different example might be an approach I've seen some ISPs use. They might assign you an obscure account name consisting of a series of letters and numbers, like perhaps "res123456", and then associate one or occasionally even more email addresses with that account. So you might log in to your account using "res123456" and a password, and you would receive the email sent to any of the email addresses associated with that account.

Sending email is another matter entirely, and here's where you'll start to see how spammers can get away with what they do.

Let's take a quick look at how you create an account in an email program like Microsoft's Outlook Express. When you add a new mail account you provide several pieces of information:

Outlook Express New Mail Account - Step 1: Your Name

You start with the display name. It's used only as the name that's displayed on the "From:" line in emails you send. Normally you would want this to be your own name, but in reality it can be whatever you like.

Outlook Express New Mail Account - Step 2: Your Email Address

Next we have the email address. Once again, the email address you specify is only used to populate the "From:" line of email you send. Can you guess where this is going? It can be whatever you want! Normally, of course, you would want it to be your own email address, so that when people reply to your email that reply is sent to you. But in reality this can be anything.

It's not until a later screen in the account setup wizard that you separately specify the actual account name and password you'll need to log in to your mail server to send and receive your email.

So here's the key: to send email appearing to be from someone else, all you need to do is create an email account in your favorite email program using your own email account information, but specifying someone else's email address.

OK, there are a few "gotchas" you should be aware of.

  • Your email program might not support it. As I mentioned, Hotmail doesn't really make a distinction between email address and email account, and you have no direct access to change the "From:" address when you use Hotmail. Other programs and services may also vary in this regard. That doesn't mean someone else can't specify your email address in email they send by some other means; it just means you can't use your email account with, say, Hotmail to do this kind of spoofing yourself.

  • It might not work. Some ISPs check the "From:" address on outgoing email to make sure that it's not been spoofed. Unfortunately with the proliferation of custom domains this approach is falling out of favor. For example, I might want to use the email account I have with my ISP to send email "From:" my pugetsoundsoftware.com email address. The ISP has no way to know whether that's a legitimate thing, or whether I'm a spammer spoofing that "From:" line. (And it's one reason I left my then ISP some years ago - they provided me no way to do what I needed.)

  • It's not anonymous. Yes, you can set the "From:" field to whatever you like, but you should be aware that other email headers that you normally don't see may still identify the account you used to login when you sent the email.

  • Spammers don't need an account. One of the characteristics of so-called "botnets" or "zombies" is that they act not like mail clients (Outlook Express, Thunderbird and so on) but more like full-fledged mail servers. They bypass the need to log in completely by attempting to deliver email directly to the recipient's email server. In this case it's pretty close to being anonymous, as the spam is exceedingly difficult to trace back to its origin.

I know this is complicated and difficult to explain. If there's one thing to walk away with understanding it's simply this: there's nothing "special" about the "From:" address. It's just another field, not unlike the "To:" field, that can be set to any value you like. By convention - and sometimes automatically - we set it to our own email address when we send mail so that we get any responses, but there's nothing that says it has to be that way.

And there's nothing that forces it to be that way.

Similarly, since it's just a setting on outgoing email, seeing a particular "From:" address doesn't imply any relationship to the actual account that would receive email that is sent to that address. Spammers don't need access to the account to make it appear in a "From:" line - all they needed to do was effectively to type it in the "From:" line. Nothing more.
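
The same point from the receiving side, as an added example that is not part of the original article: the visible "From:" is just one header, while the normally hidden headers written during delivery may tell a different story. The message, host names and addresses are constructed, and the Authentication-Results header (which some receiving servers add) is not covered by the article.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name, host and address is made up.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.25])
\tby mx.example.org with ESMTP; Mon, 5 May 2008 08:46:00 -0700
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net;
\tdmarc=fail header.from=example.com
From: "Alice Example" <alice@example.com>
To: bob@example.org
Subject: Hello

Body text.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def from_line_report(raw):
    """Compare the visible From: with headers added during delivery."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    # Return-Path holds the envelope sender; it is empty ("<>") on bounces.
    envelope_dom = domain_of(msg["Return-Path"])
    # Unfold the header so a verdict split across lines is still found.
    auth = " ".join((msg["Authentication-Results"] or "").split()).lower()
    findings = []
    if not from_dom:
        findings.append("From: has no parsable address")
    # A mismatch is a hint, not proof: custom domains and mailing lists
    # legitimately send with a different envelope sender.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} != From: {from_dom}")
    if "dmarc=fail" in auth:
        findings.append("receiving server recorded dmarc=fail for From:")
    if not msg.get_all("Received"):
        findings.append("no Received: headers, no delivery path to inspect")
    return {"from": from_dom, "envelope": envelope_dom, "findings": findings}


if __name__ == "__main__":
    for line in from_line_report(RAW)["findings"]:
        print("-", line)
```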

Article C3370 - May 4, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


13 Comments
Ken B
May 5, 2008 8:46 AM

Think of the "from" line of an e-mail as nothing more than the return address on a snail-mail envelope. Nothing stops me from writing someone else's name and address, and the mail will still go through.

Alex
August 16, 2008 3:25 AM

Your blog is interesting!

Keep up the good work!

John Sinclair
November 10, 2008 5:35 PM

Presumably this means I should be careful about adding such spam emails to my spam filter's list of spam addresses. I do occasionally send emails to myself, and I don't want to block these.

Alma van der Poel
December 14, 2008 1:40 PM

I get high importance mail from myself, stating "Delivery Status Notification (Failure)"; the picture then advertises medicine and the link takes me to Canadian Pharmacy. How do I prevent the spammers from doing it to me and how do I stop it?

Kelly Brown
June 12, 2009 5:49 PM

The best information I have found exactly here. Keep going. Thank you

JaneRadriges
June 13, 2009 6:07 PM

The best information I have found exactly here. Keep going. Thank you

Michiibelle
September 27, 2009 4:29 PM

OK, so I completely understand that anyone can write anything in the "from" line, what I need to know is HOW do I block them when the from is my own address that they put in, and not theirs? I send myself emails all the time so I can print on another level of my home (to another imac) so I don't want to block myself, What I'd like to know is HOW do I find their email? who it REALLY came from and block them and or track them down? I sooo wish I had a program to automatically extract the person's address and spam them 1000 times over. Anyone write this yet?

You can't. That's the whole point.
Leo
28-Sep-2009

Kathleen
September 3, 2010 4:08 PM

Thank You, Leo! Your explanation was clear.
People that are in MY address book are being sent these emails in batch mode/CC.

Question:
1. Without my password to my account, how do they get access to MY email address list? Some of these addresses are ancient, yet still good.
It is especially annoying to find that these 'addresses' and the tag I gave them are being sent to multiple people. I always use BCC to avoid 'giving out' addresses, which I consider common courtesy, and hopefully avoids the violation of identity of sorts. I feel like a leper now!
2. When can I hope for this to end? I'm deleting 70 or so notifications daily - in addition to knowing it's still happening - someone is monitoring this for me.
3. What Email software would you recommend? Or simply avoid HotMail?

Please shorten as necessary.
Thank you

1) They can't. It's more likely that your account has been hacked and they have your password. Check this article: Someone's sending email that looks like it's from me to my contacts, what can I do? (Remember that you need to change much more than your password to regain/retain control.)

2) You need to regain control of your account first. Change your password and everything else.

3) Email software is different from an email service. Email software: I like Thunderbird. As for email services I avoid free, recommend those with customer service, but if you must go free: Gmail.
Leo
04-Sep-2010

Giorgio
November 11, 2010 8:07 AM

In order to completely prevent spammers from sending email that looks like you, it requires a big improvement over the actual mail protocol.
In Italy (the land of the spoofers) they came out with a new mail protocol called certified mail. You can read more about it here:

www.openpec.org/eng/index.shtml

This new protocol does not allow spoofing anymore. Unfortunately it's something that has been adopted only in Italy so far, and I wonder if anyone else in the world will ever feel the need for this. The protocol must be adopted on both sides to work.

I'm actually working for a company that sells this so-called certified mail: Poste-Certificate.it - PEC aziende. It's interesting, but very bureaucratic, as everything here.

Mike Castro
May 3, 2011 9:14 AM

Hi Leo, what you say is dead on. I get emails to my Spamfighter box all the time which are so called "returns" to me i.e. bounce backs, however I did not send them. As an experiment I set up a "spoof" account on my Thunderbird programme. I used a legit AOL account belonging to me and used a totally false name. I then sent myself an email and sure enough, I got the false name and my AOL email account. The only problem is the ones I get on my Thunderbird programme often end up in the Spamfighter box. Does this mean that my address is being blocked by Spamfighter ?

Carlos R Coquet
June 2, 2011 8:40 PM

While on the subject of spammers, be very wary of sites offering to eMail something to some third party. You have no idea of what they are going to do with that eMail address. Even if the site does not sell these addresses to spammers, they may save the addresses and a spammer hacking into their site may get them. Another category of possible spammer farms is that of sending greeting cards. You are virtually giving them your address book. What will they do with it?? THINK BEFORE YOU DO IT!!!

prabhakar hamigi
November 30, 2011 10:56 PM

I went through the article as I am one of the victims of this. I am really worried now as to how to stop this. One thing I noticed is that it sends mail only when I log on using my home wi-fi. However (as I gather from the answers) I try changing all the details in my account.

Dave Hickman
February 13, 2013 1:14 AM

Hi,
there is currently no way to stop "spoofing". I have a custom domain name and the spoofer just prefixes my domain name with a random alpha-numeric string and churns out email. No check is ever made to see if this "spoof" address is valid, by that I mean is it a real account that I personally have created for my own use. Whilst this continues to be the case then we are all just victims. In this day and age the corrective measures are not technically challenging to implement but it seems that the technical will to do so isn't there.
