Helping people with computers... one answer at a time.
An email address isn't the same as an email account. It's trivial to send email "From:" an email address without access to the account.
OK, I know that spammers can send email spoofing the "From:" address to make it look like it came from me. But how? How do they gain access to my account to do that?
First let me be very clear: they don't have to have access to your account. In fact, 99.99% of the time they don't. 99.99% of the time it has nothing at all to do with your account, and your account is quite safe.
They only need your email address.
And this is the concept that's fairly difficult for most folks to grasp: while your email account and your email address are related, they are not necessarily the same thing.
Let me say that again: your email address is one thing, and your email account is another.
I know, that's not at all obvious, but I'll try to explain a little more clearly.
Your email account is what you use to login and gain access to the email you've received. In most cases, it's also what you use to login in order to be able to send email.
Your email address is the information that allows the email system to route messages to your inbox.
The two are related, only to the extent that email routed to you using your email address is placed into the inbox accessed by your email account.
And that's the only required relationship.
The reason that it gets very confusing very quickly is that many email services use your email address as your username to login to your email account, so it's difficult to see that there could be a difference.
One big example is MSN Live Hotmail. When you login to your Hotmail account, you typically use your Hotmail email address to do so. It seems like they are one in the same. They're not.
A different example might be an approach I've seen some ISPs use. They might assign you an obscure account name consisting of a series of letters and numbers, like perhaps "res123456", and then associated with that account are one or occasionally even more email addresses. So you might login to your account using "r123456" and a password, and you would receive the email that was associated with all the email addresses associated with that account.
Sending email is another matter entirely, and here's where you'll start to see how spammers can get away with what they do.
Let's take a quick look at how you create an account in an email program like Microsoft's Outlook Express. When you add a new mail account you provide several pieces of information:
You start with the display name. All this is used for is as the name that's displayed on the "From:" line in emails you send. Normally you would want this to be your own name, but in reality it can be whatever you like.
Next we have the email address. Once again, the email address you specify is only used to populate the "From:" line of email you send. Can you guess where this is going? It can be whatever you want! Normally, of course, you would want it to be your own email address, so that when people reply to your email that reply is sent to you. But in reality this can be anything.
It's not until a later screen in the account setup wizard that you separately specify the actual account name and password you'll need to login to your mail server to send and receive your email.
So here's the key: to send email appearing to be from someone else, all you need to do is create an email account in your favorite email program using your own email account information, but specifying someone else's email address.
OK, there are a few "gotcha's" you should be aware of.
Your email program might not support it. As I mentioned, Hotmail doesn't really make a distinction between email address and email account, and you have no direct access to change the "From:" address when you use Hotmail. Other programs and services may also vary in this regard. That doesn't mean someone else can't specify your email address in email they send by some other means; it just means you can't use your email account with, say, Hotmail to do this kind of spoofing yourself.
It might not work. Some ISPs check the "From:" address on outgoing email to make sure that it's not been spoofed. Unfortunately with the proliferation of custom domains this approach is falling out of favor. For example, I might want to use the email account I have with my ISP to send email "From:" my pugetsoundsoftware.com email address. The ISP has no way to know whether that's a legitimate thing, or whether I'm a spammer spoofing that "From:" line. (And it's one reason I left my then ISP some years ago - they provided me no way to do what I needed.)
It's not anonymous. Yes, you can set the "From:" field to whatever you like, but you should be aware that other email headers that you normally don't see may still identify the account you used to login when you sent the email.
Spammers don't need an account. One of the characteristics of so called "botnets" or "zombies" is that they act not like mail clients (Outlook Express, Thunderbird and so on) but more like full-fledged mail servers. They bypass the need to login completely by attempting to deliver email directly to the recipient's email server. In this case it's pretty close to being anonymous, as the spam is exceedingly difficult to trace back to its origin.
I know this is complicated and difficult to explain. If there's one thing to walk away with understanding it's simply this: there's nothing "special" about the "From:" address. It's just another field, not unlike the "To:" field, that can be set to any value you like. By convention - and sometimes automatically - we set it to our own email address when we send mail so that we get any responses, but there's nothing that says it has to be that way.
And there's nothing that forces it to be that way.
Similarly, since it's just a setting on outgoing email, seeing a particular "From:" address doesn't imply any relationship to the actual account that would receive email that is sent to that address. Spammers don't need access to the account to make it appear in a "From:" line - all they needed to do was effectively to type it in the "From:" line. Nothing more.