E-Mail Impersonator.

E-Mail Impersonator.

E-Mail Impersonator.

Inside the Internet.
March 12 2002 7:46 PM

E-Mail Impersonators

How to identify "spoofed" e-mail.

Editor's note: To read the complete explanation of how Slate was duped by an e-mail spoofer, see this "Press Box" column.

After my wife cast her ballot on the morning of Election Day 1996, she arrived at work to find an e-mail from none other than the president of the United States (president@whitehouse.gov). He thanked her for her vote and promised to address her hot-button issues of education and women's rights. She was a little disturbed, but as it turned out the sanctity of her secret ballot hadn't been compromised. Someone (her husband) had merely sent her a spoofed e-mail.

E-mail is considered "spoofed" when the e-mail address in the "From" field is not that of the sender. As Slate learned so publicly last week, believing what you read in spoofed e-mail can cause huge embarrassment, so if you receive an e-mail from George W. Bush or a man purporting to be an executive of a European carmaker, trust us: It might not be on the level. The bad news is that it's not very hard to spoof e-mail, but the good news is that it can usually be detected. To detect spoofed e-mail (and boy, do Slate's editors wish I'd written this piece last month!) you need to understand how e-mail is sent on the Internet.

  1. First, your e-mail program (e.g., Outlook, Eudora, Hotmail) sends mail to an SMTP (Simple Mail Transport Protocol) server, a computer that understands how to relay your e-mail
  2. from SMTP server to SMTP server across the Internet, until
  3. it arrives at its penultimate destination, the recipient's mailbox. The mailbox stores this e-mail until
  4. finally it's fetched by an e-mail program, so its recipient can read it.


Like a well-paid courier, SMTP just passes along what it was given. I tell Outlook my e-mail address, but neither it nor the SMTP server provided by my Internet service provider has any way to verify that it's true. Just this minute, I changed my Outlook settings to say that my name is Mork, e-mail address mork@ork.planet, and Outlook happily sent more mail to my wife, who is tiring of my little shenanigans. ISPs smarter than mine configure their mail servers to be more restrictive about the e-mail they'll accept, attempting to verify the veracity of the sender's address, but a determined spoofer usually knows how insert e-mail further along the transmission chain.

Every e-mail contains a hidden component known as a "header" that details its transmission history. By viewing the header and doing a little detective work you can usually spot the telltale signs of spoofed e-mail. Investigating suspicious e-mail is a relatively technical process. To do so, check the headers:

  • In Outlook, select View/Options.
  • In Outlook Express, select Properties/Details.
  • In Pine, type H.
  • In Eudora, click on the "Blah Blah Blah" button (I love that).
  • In Hotmail go to Options/Mail Display Settings/Message Headers and select "Full."
  • In Netscape, select View/Headers/All.
  • In Yahoo! Mail select "Full Headers."
  • See the help file of e-mail programs not mentioned here and look up "headers."

At first glance headers looks like gobbledygook, but in time … no, it will always look like gobbledygook. You just have to tough it out.

The first thing to check is the From field, which will look like one of these:

From: George W. Bush (president@whitehouse.gov

From: president@whitehouse.gov (George W. Bush)

From: George W. Bush

Look for a discontinuity between the friendly name and the e-mail name. If the friendly name is "George W. Bush" but the e-mail address is fred@spammers.com, or if the e-mail name is missing entirely, the e-mail may be spoofed. But a sophisticated spoofer won't make this simple mistake.