How to identify "spoofed" e-mail.
Editor's note: To read the complete explanation of how Slate was duped by an e-mail spoofer, see this "Press Box" column.
After my wife cast her ballot on the morning of Election Day 1996, she arrived at work to find an e-mail from none other than the president of the United States (email@example.com). He thanked her for her vote and promised to address her hot-button issues of education and women's rights. She was a little disturbed, but as it turned out the sanctity of her secret ballot hadn't been compromised. Someone (her husband) had merely sent her a spoofed e-mail.
E-mail is considered "spoofed" when the e-mail address in the "From" field is not that of the sender. As Slate learned so publicly last week, believing what you read in spoofed e-mail can cause huge embarrassment, so if you receive an e-mail from George W. Bush or a man purporting to be an executive of a European carmaker, trust us: It might not be on the level. The bad news is that it's not very hard to spoof e-mail, but the good news is that it can usually be detected. To detect spoofed e-mail (and boy, do Slate's editors wish I'd written this piece last month!) you need to understand how e-mail is sent on the Internet.
- First, your e-mail program (e.g., Outlook, Eudora, Hotmail) sends mail to an SMTP (Simple Mail Transport Protocol) server, a computer that understands how to relay your e-mail
- from SMTP server to SMTP server across the Internet, until
- it arrives at its penultimate destination, the recipient's mailbox. The mailbox stores this e-mail until
- finally it's fetched by an e-mail program, so its recipient can read it.
Like a well-paid courier, SMTP just passes along what it was given. I tell Outlook my e-mail address, but neither it nor the SMTP server provided by my Internet service provider has any way to verify that it's true. Just this minute, I changed my Outlook settings to say that my name is Mork, e-mail address firstname.lastname@example.org, and Outlook happily sent more mail to my wife, who is tiring of my little shenanigans. ISPs smarter than mine configure their mail servers to be more restrictive about the e-mail they'll accept, attempting to verify the veracity of the sender's address, but a determined spoofer usually knows how insert e-mail further along the transmission chain.
Every e-mail contains a hidden component known as a "header" that details its transmission history. By viewing the header and doing a little detective work you can usually spot the telltale signs of spoofed e-mail. Investigating suspicious e-mail is a relatively technical process. To do so, check the headers:
- In Outlook, select View/Options.
- In Outlook Express, select Properties/Details.
- In Pine, type H.
- In Eudora, click on the "Blah Blah Blah" button (I love that).
- In Hotmail go to Options/Mail Display Settings/Message Headers and select "Full."
- In Netscape, select View/Headers/All.
- In Yahoo! Mail select "Full Headers."
- See the help file of e-mail programs not mentioned here and look up "headers."
At first glance headers looks like gobbledygook, but in time … no, it will always look like gobbledygook. You just have to tough it out.
The first thing to check is the From field, which will look like one of these:
From: George W. Bush (email@example.com)
From: firstname.lastname@example.org (George W. Bush)
From: George W. Bush
Look for a discontinuity between the friendly name and the e-mail name. If the friendly name is "George W. Bush" but the e-mail address is email@example.com, or if the e-mail name is missing entirely, the e-mail may be spoofed. But a sophisticated spoofer won't make this simple mistake.