Has my email been compromised or am I being spoofed?
Have you ever found yourself in this situation?
You log into your email account one day and find a lot of undeliverable bounce back emails sitting in your inbox. You didn’t send the emails that generated them, and people are complaining about the spam you are sending from your account. Has someone hacked into your account? Are you being spoofed?
So what do you do?
The first thing you want to do is determine whether your account has been compromised by a virus, malware, or a spammer, or if you are just being spoofed.
How to know if your email account has been compromised.
This can be determined by taking a look at the email headers. If you’re not comfortable with this, please contact your support team and they can take a look for you. If you are familiar with headers, please refer to the additional information at the bottom of this article.
If your email account has been compromised, you should run a full system virus scan on your computer and then reset your email password. Changing your email password will cut off any connection a third party may have to your email account.
If your account has not been compromised, then you are being spoofed.
What is email spoofing?
Email spoofing is when the sender of an email, typically spam, forges (spoofs) the “From” address in the email header so that the email appears to have been sent from a legitimate email address that is not the spammer’s own address.
They do this for a couple of reasons:
- To trick spam filters into allowing the email through by using a reputable email address. This would be one way your friends and family would see spam emails from you in their Inbox, rather than their spam folder.
- To prevent the bounce back emails from being received in the spammer’s own inbox. Spammers may send their spam out to thousands of email addresses, and inevitably a lot of those emails are going to bounce. Since spammers don’t want to receive hundreds of bounce back messages, this prevents that from happening.
Email spoofing is more common with email accounts that are not actively used. If the account is used on a daily basis, there’s a higher chance that your account might have been compromised by malware or a virus.
While there is no fool-proof way to prevent either type of abuse of your email address, you could adopt some “best practices” when it comes to your email security:
- Change your password frequently.
- Always run full virus scans on your computer (at least once a week).
- Avoid including your email address in online blogs and posts. Try using (at) and (dot)com instead of @ and .com to prevent malicious automations from harvesting your address.
- Avoid using your primary email account for everything online. If you are signing up for something like a mailing list, contest, application form, or something similar, use a free throwaway email account like Gmail or Hotmail, something you don’t mind deleting if it gets abused.
- Only use your primary email to communicate with people you know or trust.
What can you do about email spoofing?
The short answer is, not much. There are no definitive ways to prevent someone from harvesting your email address from the internet somewhere and using it for spam.
There are programs designed to do nothing but scavenge the internet for email addresses. Here are a few places spammers may acquire your email address:
- On a website contact page.
- Domain WHOIS records (We offer WHOIS privacy on all domains).
- Mailing lists. Some of them are legitimate, but others may sell your information.
- Anything you post online with your email address in it.
- One of your contacts’ computers may become compromised and your information taken from their contact list.
If the spoofing is recurring and causing a lot of inconvenience, the best thing to do would be to delete the account and start over with a new email account.
Here is some more technical information about headers & spoofing.
What to look for in Email Headers to determine if your account has been compromised. In the headers, you should be looking for something like this:
Received: from [126.96.36.199] (188.8.131.52.servername.com [184.108.40.206])
(Authenticated sender: email@example.com)
by something.servername.com (Postfix) with ESMTPA;
Fri, 4 Jul 2014 19:28:23 +0000 (UTC)
This is just an example using fake information, but the key thing to note here is “Authenticated sender”. It means the sender authenticated with a username and password before sending, so the email was actually sent through the outgoing mail servers using the email account’s login credentials. This is when you should run a full system virus scan and change your password as mentioned above.
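The header check described above can be scripted. The following is an added example, not part of the original article: it scans a message's Received headers for the Postfix-style “Authenticated sender” note and only trusts a hop written by your own provider's server, since anyone can paste a fake Received line into a message. The function names, the `provider_domain` parameter and the three sample messages are assumptions constructed for illustration; other mail servers record authentication differently.

```python
import re
from email import message_from_string

AUTH_SENDER = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)
BY_HOST = re.compile(r"\bby\s+([^\s;()]+)", re.I)

def authenticated_hops(raw_message, my_address, provider_domain):
    """Return Received hops where provider_domain's server logged my_address in."""
    hits = []
    for hop in message_from_string(raw_message).get_all("Received", []):
        hop = " ".join(hop.split())  # unfold the multi-line header
        auth, by = AUTH_SENDER.search(hop), BY_HOST.search(hop)
        if not (auth and by):
            continue
        host = by.group(1).lower().rstrip(".")
        ours = host == provider_domain or host.endswith("." + provider_domain)
        # A forged Received line can claim anything, so only a hop written by
        # the provider's own server counts as evidence of a real login.
        if ours and auth.group(1).lower() == my_address.lower():
            hits.append(hop)
    return hits

def verdict(raw_message, my_address, provider_domain):
    """'compromised' if the account's login was used to send, else 'spoofed'."""
    hops = authenticated_hops(raw_message, my_address, provider_domain)
    return "compromised" if hops else "spoofed"

def _msg(received):  # builds a constructed sample message
    return received + "From: email@example.com\nSubject: sample\n\nbody\n"

# Constructed samples. The first reuses the article's fake header.
SENT_WITH_LOGIN = _msg(
    "Received: from [126.96.36.199] (188.8.131.52.servername.com [184.108.40.206])\n"
    "\t(Authenticated sender: email@example.com)\n"
    "\tby something.servername.com (Postfix) with ESMTPA;\n"
    "\tFri, 4 Jul 2014 19:28:23 +0000 (UTC)\n")
FORGED_FROM_ONLY = _msg(
    "Received: from mail.unrelated.example (mail.unrelated.example [192.0.2.10])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP;\n"
    "\tFri, 4 Jul 2014 19:30:00 +0000 (UTC)\n")
FAKE_AUTH_LINE = _msg(
    "Received: from [192.0.2.10] (Authenticated sender: email@example.com)\n"
    "\tby relay.unrelated.example (Postfix) with ESMTPA;\n"
    "\tFri, 4 Jul 2014 19:31:00 +0000 (UTC)\n")

if __name__ == "__main__":
    for name in ("SENT_WITH_LOGIN", "FORGED_FROM_ONLY", "FAKE_AUTH_LINE"):
        print(name, verdict(globals()[name], "email@example.com", "servername.com"))
```

Bounce messages usually quote the headers of the original email, so those quoted headers are what to feed to `verdict`.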