Information Services

Forged emails

Somebody's sending out mail from my address. Has my account been broken into?

No. (Or, rather, probably not.)

There is, in general, nothing to stop you, or anybody else, from putting whatever email address and "real name" information you like into the headers of email you send.

Ever get an account with an email provider, and set up your mail client (Outlook, for example) to work with it? You are asked various questions about your email account: which machine to connect to in order to retrieve your mail, which machine to send your mail out through (the SMTP server), etc., and, most pertinently in this case, what the email address associated with the account is. This is so your mail client knows what address to insert into any messages you send from that account. If you give the right address then replies will go back to the right account, but there is usually nothing to stop you giving any address you like. The same goes for spammers when they send spam, and for viruses when they send copies of themselves out.

So when you get a spam, the apparent sender address, if it actually exists, is probably that of some innocent person who didn't have anything to do with it. And if you get a spam purporting to come from yourself, or a bounce message caused by such a spam being sent elsewhere, this does not indicate that your account has been broken into or that your machine has been hacked.

So what's to stop me forging email?

The temptation might be there for some, and if it's so easy to do, why not? From: headers may be easy to forge, but there are other headers in email, usually not shown to you by your mail client, which trace the origin of a message and where it's been. A careful scrutiny of these headers, plus access to the logs on the mail systems where the message has been, can track down who really sent a message, regardless of what has been inserted into the From: header. Sending out mail from an address that does not belong to you would be regarded as network abuse and treated accordingly. If University equipment were used, it would be a breach of the Computing Regulations.

So it would be as easy, and as unacceptable, as signing somebody else's name at the bottom of a letter written by you. Except that, in the case of a forged email, it's easier to track down the real sender.
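
The tracing headers mentioned above are the Received: lines that each mail server adds as it handles a message. The following is an added example, not part of the original page: it reads them from a constructed message (all hosts and addresses are made up) and compares the earliest recorded hop with the domain claimed in From:.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every host name and address here is made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:05 +0000
Received: from unknown-host.invalid (dsl-203-0-113-7.isp.example [203.0.113.7])
\tby mx.recipient.example with SMTP id B2; Mon, 1 Jan 2024 10:00:01 +0000
From: "Alice Example" <alice@university.example>
To: bob@recipient.example
Subject: Hello

Body text.
"""

# Assumed layout: "from <claimed name> (<reverse DNS> [<IP>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)")

def trace(raw):
    """Return the From: domain and the relay hops, oldest hop first."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hops = []
    # Each server prepends its own Received: line, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by})
    return from_domain, hops

def origin_matches_from(raw):
    """True if the first hop's reverse-DNS name lies under the From: domain."""
    # A mismatch is a prompt to check the mail server logs, not proof of forgery;
    # only Received: lines written by servers you trust are reliable.
    from_domain, hops = trace(raw)
    if not hops:
        return False
    host = (hops[0]["rdns"] or "").lower()
    return host == from_domain or host.endswith("." + from_domain)

if __name__ == "__main__":
    domain, hops = trace(SAMPLE)
    for h in hops:
        print(f"{h['ip']:<15} claimed {h['helo']} -> received by {h['by']}")
    print("From: domain", domain, "matches origin:", origin_matches_from(SAMPLE))
```
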