It's happened to all of us. You'll receive an angry email message from someone you never heard of before, accusing you of spamming them. Or you'll open your email inbox to a flood of bounced email messages you don't remember sending in the first place.
You have, in short, been spoofed.
In general, spoofing can take the form of email spoofing or IP spoofing. Email spoofing is the act of forging an email header to make it appear as if the message came from somewhere or someone other than the actual source. IP spoofing, also called Joe-job spam, is a technique used to gain unauthorized access to computers where a hacker finds an IP address of a trusted host and then makes modifications to make it appear as if the information they are sending out is coming from that host.
Most of us only notice email spoofing when we are the victims of it, and even then only if someone who's been contacted using a spoofed email address has responded to an erroneous message.
There are several ways an email address can be spoofed.
Deliberately
It's simple enough to make an email message appear, on the surface, as if it's from any email address. All one has to do is simply change the "reply to" email address field in their email client to some other email address.
"It is very simple to do," said Jeff Jones, regional director for Trust CC's Spokane office. Trust CC is an information technology security firm and a sponsor of the West Sound Technology Professionals Association.
"In addition," Jones continued, "misconfigured email servers may allow unauthorized individuals to create email with an altered 'mail from' field."
According to Jim Kendall of Telebyte Northwest Internet Services, there are occasionally some cases of hackers or spammers deliberately using email addresses of individuals who have been actively fighting against these activities. But, he said, this is relatively rare.
"In my experience it's more coincidence than anything else," he said.
Coincidentally
It's a relatively simple matter to buy software programs that will automatically collect both IP and email addresses for use in spamming and other illegal online activities. The vast majority of email address spoofing comes from these random collections of information. The clear intent, agree Jones and Kendall, is for phishers and spammers to disguise the true source of an email message that's being sent.
In many cases, a spoofed email address will not be a legitimate email address at all. The spoofer will use IP spoofing to make an email appear to be coming from a legitimate domain. An added bonus for the spoofer, and an added headache for the ISP that's the victim of spoofing, is that all the email bounces will come back to the spoofed ISP, causing potentially serious network issues.
"It diverts any issues from the actual ISP," said Kendall.
Virally
There are a number of viruses floating around the Internet that, when opened, will access the infected computer's email address book and perpetuate themselves by sending emails out both to and from the email addresses listed in the address book. Recipients of these messages are often duped into opening the virus attachment, since it appears to be coming from someone they know. While not technically spoofing, it can have a similar effect on ISPs when it comes to traffic overload.
So who is doing all of this?
"It really is the criminal element," said Kendall.
"Most email spoofing is being perpetrated these days by phishers and spammers," said Jones. Phishers for the purpose of duping the recipient into thinking it came from someone else, spammers in an effort to remain anonymous.
Unfortunately there's not much that can be done to protect email and IP addresses from this kind of hijacking.
"There's no way to prevent it," said Kendall.
"It's not actually possible to prevent someone else from spoofing one's own email address," said Jones. There are ways in which you can sign an email with a digital signature such that recipients of email from you can verify that they actually came from you. That way spoofed email would not contain the digital signature, and recipients that knew to check for that feature would know that it was not legitimate.
There are ways, however, to discover where the email really came from.
"If you get spam or a phishing email you have to look at the headers to look at where it actually came from," said Kendall. This requires taking some steps within your email software application to reveal the email message's full header, but if done correctly the header will show every server the email touched before it arrived in your inbox.
"Of course," he continued, "the only one you really know is legitimate is the last server before it got to you." This is because phishers and spammers will frequently forge the header information, as well, to make it more difficult to track them down.
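The header reading described above can be sketched in code. This is an added example, not part of the original article: the sample message, host names, addresses and function names are all constructed for illustration, and it assumes you know the name of your own provider's receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the article); hosts and IPs are
# reserved example/documentation values. mx.myisp.example is "your" server.
RAW = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
\tby mx.myisp.example with ESMTP id A1; Tue, 02 Jan 2024 10:00:05 -0800
Received: from relay.bank.example (unknown [198.51.100.9])
\tby mail.sender.example with SMTP id B2; Tue, 02 Jan 2024 10:00:01 -0800
From: "Bank Support" <support@bank.example>
Reply-To: collector@other.example
To: you@myisp.example
Subject: Account notice

Body text.
"""

HOP = re.compile(r"from\s+(\S+)\s+\(\S*\s*\[([^\]]+)\]\).*?by\s+(\S+)", re.S)

def received_hops(raw, my_servers):
    """Hops newest-first; 'trusted' means one of our own servers wrote the line."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            claimed, ip, by = m.groups()
            hops.append({"claimed": claimed, "ip": ip, "by": by,
                         "trusted": by.lower() in my_servers})
    return hops

def last_verifiable_source(raw, my_servers):
    """Connecting IP recorded by the deepest hop our own servers stamped."""
    source = None
    for hop in received_hops(raw, my_servers):
        if not hop["trusted"]:
            break  # lines below this were supplied by the sender and may be forged
        source = hop["ip"]
    return source

def reply_to_mismatch(raw):
    """True when Reply-To points somewhere other than the displayed From address."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return bool(reply) and reply != sender
```

The IP address returned by `last_verifiable_source` is the one to include when reporting the message to an abuse desk, since it was recorded by a server you trust rather than claimed by the sender.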
Even though the chances are slim that the person who sent you that message from a fake email address, or the person who spoofed your email address, will ever be found, there are steps you can take to remedy the situation after it's happened.
Alert your ISP. Contact the abuse desk for your ISP and alert them to what's happened. You will need to send them the email message with the full header. If you aren't sure how to view the header, your ISP or company IT professionals should be able to walk you through the correct steps.
Your ISP may suspend your account temporarily while it investigates the situation. Some larger ISPs have automated systems to detect likely spoofing and there are ways that ISPs can stop erroneous bounced messages from flooding your inbox and possibly shutting your account down.
Contact the ISP it came from. Get in touch with the ISP that runs the last server the message passed through before it arrived in your inbox and complain.
Hide your email address. To help protect yourself in the future consider keeping your email address off of Web sites and chat rooms. According to Kendall, 90 percent of the email addresses that spammers use for their mailing lists are collected by email harvesting programs that roam the Web looking for addresses.
Kendall suggested using other ways to enable email contact from your site, such as a contact form, as a harvester can collect your email address almost as soon as it's been posted online.
"It can be within seconds, literally," he said.