Have you ever opened a spam mail, which seemed to be the sender's own email? You are not the only one.
Creating email addresses is called spoofing (forgery), is usually aimed at spam or blackmail and, unfortunately, there are few things you can do about it.
How spammers fake your email
Spoofing is the act of forging an email address so that it appears to be from someone else, rather than the person who sent it. Often, this technique is used to trick you into thinking the email came from someone you know or the business you work for, or the bank you or another financial service.
Unfortunately, email spoofing is incredibly easy. Email systems often do not have security checks to ensure that the email address you enter in the "From:" field really belongs to you. It's more or less like a letter you give in the mail. You can write anything you want in the "Sender" point, if you do not care that the post office will not be able to return the letter to you. The mail has no way of knowing if you really live at the sender's address where you indicate in the envelope.
Email spoofing works similarly. Some online services, such as Outlook.com, pay attention to the “From:” address when you send an email and can prevent you from sending something with a fake address. However, some tools allow you to fill in anything you want. It's as easy as setting up your own email server (SMTP). What spammers need is your email address, which they're likely to buy on the dark web from a hack data.
Why do scammers forge your address?
Your scammers send emails that appear to come from your address, basically for one of two reasons below. THE first reason is the hope that they will bypass spam protection. They estimate that you probably get used to sending emails to yourself, maybe to remind you of an important event, and you would not want that message to be classified as spam.
So, scammers hope that using your address, your junk mail filters will not stop their message and let it pass. There are tools to detect an email message sent by a domain other than the one that claims to be, but the email provider must implement them and, unfortunately, many do not.
Ο second reason for which scammers are falsifying your email address is to gain a sense of authenticity. It is not uncommon for a forged email to claim that your account is compromised. The fact that "you sent this e-mail" serves as proof of hacker access. They may also include a code or phone number taken from a compromised database as further evidence.
The scammer usually claims to have "spicy" information about you or pictures he took from your camera while you were browsing adult sites. It then threatens to hand over the data to your closest contacts, except if you pay a ransom. Sounds believable at first. And with a sender you seem to have access to your email account.
What e-mail services do to troubleshoot the problem
The fact that someone can spoof an email address so easily is nothing new problem. Because email providers don't want to bother you with spam, they've developed tools to combat the problem.
The first was the Sender Policy Framework ή SPF (Sender Policy Box) and works with some basic principles. Each e-mail domain is accompanied by a set of Domain Name System (DNS) system entries that are used for direct traffic to the correct server or host server. An SPF record works with the DNS record.
You may be confused, so let's just say it more simplistically. When you send an email, the download service compares your email domain (eg @ gmail.com) with the source IP and the SPF record to make sure it matches. If you send an email from a Gmail address, this email should also indicate that it is from a Gmail-controlled device.
Unfortunately, only the SPF does not solve the problem. One must keep the SPF records properly in each domain, which is not always the case. It is also easy for fraudsters to deal with this problem. When you receive an e-mail, you may only see a name instead of an e-mail address. Spammers also fill in an email address for the real name and another for the shipping address corresponding to an SPF record. So it will not go to spam.
Companies also have to decide what to do with SPF results. Most of the time, they prefer to let all emails go instead of risking not passing a critical message. The SPF does not have a relevant set of rules with what to do with the information.
To address these issues, Microsoft, Google and other major companies introduced Domain-based Message Authentication, Reporting, and Conformance or abbreviated DMARC (Message validation, reporting and domain-based). It works with the SPF to create rules on what to do with emails that are marked as potential spam.
The DMARC first checks the SPF scan. If the control fails, it does not let the message pass unless it is configured differently by an administrator. Even if an SPF passes, the DMARC checks that the email address displayed in the "From:" field corresponds to the domain from which the email is coming.
Unfortunately, even with support from Microsoft, Facebook and Google, DMARC is still not widely used. If you have an Outlook.com or Gmail.com address, you are likely to benefit from DMARC. However, until the end of 2017, only 39 from Fortune 500 had implemented this validation service.
What you can do with spam emails that come from you
Unfortunately, there is no way to prevent spammers from violating your address. Hopefully, your email system also applies SPF and DMARC, and you will not see these targeted emails in your inbox. They should go straight to Spam (Spam).
If your email account gives you control over the spam options, you can tighten the rules. Just be aware that you may also lose some genuine messages, so be sure to check the spam folder frequently.
If you get a fake message from yourself, ignore it. Do not click on attachments or links and of course do not pay the required ransom. Just mark it as spam or phishing or delete it. If you are afraid that your accounts have been compromised, close them for security.
If you use the same password as other services, change them and give each service a new unique password. If you do not trust your memory with so many passwords, just write them down in a txt file stored on your computer or use a Password manager.
And finally, depending on which email service you are using, learn how to see all the original email with all its details (headers, etc.) so you can see if it is spam or not.
