From Wikipedia, the free encyclopedia - View original article
Email spoofing is the creation of email messages with a forged sender address - something which is simple to do because the core protocols do no authentication. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
A number of measures to address spoofing are available including: SPF, Sender ID, DKIM, and DMARC. Although their use is increasing, it is likely that almost half of all domains still do not have such measures in place. However, as of 2013, 60% of consumer mailboxes worldwide use DMARC to protect themselves against direct domain spoofing and only 8.6% of emails have no form of domain authentication.
When an SMTP email is sent, the initial connection provides two pieces of address information:
Once the receiving mail server signals that it accepted these two items, the sending system sends the "DATA" command, and typically sends several header items, including:
The result is that the email recipient sees the email as having come from the address in the From: header; they may sometimes be able to find the MAIL FROM address; and if they reply to the email it will go to either the address presented in the MAIL FROM: or Reply-to: header - but none of these addresses are typically reliable.
Furthermore the mail server may not check that these domains have been registered in the DNS and are configured to receive emails. This may generate backscatter if a reply is generated.
Malware such as Klez and Sober and many more modern examples often search for email addresses within the computer they have infected, and use those addresses both as targets for email, but also to create credible forged From fields in the emails that they send, so that these emails are more likely to be opened. For example:
In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie - while Alice remains unaware of the actual infection.
It has happened that media printed false stories based on spoofed e-mails.
In the early Internet, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as "open relays", this was a common practice. As spam email became an annoying problem, these sorts of "legitimate" uses fell out of favor.
Traditionally, mail servers could accept a mail item, then later send a Non-Delivery Report or "bounce" message if it couldn't be delivered or had been quarantined for any reason. These would be sent to the "MAIL FROM:" aka "Return Path" address. With the massive rise in forged addresses, Best Practice is now to not generate NDRs for detected spam, viruses etc  but to reject the email during the SMTP transaction. When mail administrators fail to take this approach, their systems are guilty of sending "backscatter" emails to innocent parties - in itself a form of spam - or being used to perform "Joe job" attacks.
Mail administrators may be able to enable SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
Although email spoofing is often effective in forging the sender's real email address, the IP address source computer sending the mail can generally be identified from the "Received:" lines in the email header. In many cases this is likely to be an innocent third party infected by malware that is sending the email without the owner's knowledge.