Email Headers Spoofed/Forged?
As with any other email service on the Internet, SPAM (unsolicited commercial
email, also called junk email) is affecting IEEE members using the IEEE e-mail
alias service. As SPAM continues to increase, IEEE members and staff are seeing
that the To: and From: email header fields on some of their messages are being
changed (or spoofed).
Spammers and worms/viruses are capable of sending email messages in which the
From: address appears to be someone the recipient knows, or someone sending the
message from a server within the IEEE domain (i.e., somebody@ieee.org). In
reality, these messages originate from unknown locations on the Internet.
Spammers and worms/viruses can also change the To: address, and in some cases
do not even include a To: address in their messages. The question is: how can
this happen?
The purpose of this document is to explain how the email headers can be changed
(or spoofed).
Envelope Address vs. Message Header Address
An analogy between electronic mail and U.S. Mail is helpful in understanding
the distinction between the envelope address and the message header address. In
order to send a letter via U.S. Mail, the sender needs an envelope, the address
information of the intended recipient, and the content (letter, bill, note,
etc.) that will be mailed to the recipient.
The sender prints the address of the intended recipient on the envelope, but
the recipient's address often also appears in the text of the letter or contents
inside the envelope (e.g. a legal/formal letter, or a bill). The recipient's
address printed on the envelope is what allows the letter/content to be
delivered to the recipient's house or office, not the address printed on the
letter/message inside the envelope. In theory, the recipient's address in the
letter/content could be totally different from the recipient's address printed
on the envelope, but the letter/content would still be delivered. This also
applies to the sender's address, since it can appear both on the envelope and on
the letter/content inside the envelope.
Like U.S. Mail, electronic mail has two sets of addresses. Email has an envelope
address that is used to actually deliver email to the correct person. Email
users do not see this envelope address information when email messages are
received, even if they look at the full headers. The envelope address is used by
the programs on the email servers that actually direct the email for delivery
into individual email accounts.
Just as there is an address as part of the text of a letter inside a U.S. Mail
envelope, email has a second set of addresses in the header of the email
message. These are the addresses that email users normally see in the To: and
From: headers of an email message. As with U.S. Mail, these addresses need not
be correct for the message to be delivered. In fact, senders can set these
addresses to anything they wish.
The addresses used during the delivery process (envelope addresses) do NOT have
to be the same as those in the message header. This is especially important to
remember when viewing SPAM. The To: and From: headers on SPAM messages are
usually meaningless.
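The comparison described above, as an added example that is not part of the original IEEE page: given the envelope addresses a receiving server recorded (in SMTP these are the values of the MAIL FROM and RCPT TO commands) and the raw message, it lists where the visible From:/To: headers disagree with the envelope. The addresses and the message are constructed sample values, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: what a receiving mail server would record for one delivery.
# The envelope values are the ones given in the SMTP MAIL FROM / RCPT TO commands.
ENVELOPE_SENDER = "bulk@mailer.example"
ENVELOPE_RECIPIENTS = ["member@ieee.org"]

# Constructed message: the headers claim a different sender and carry no To: at all.
RAW_MESSAGE = (
    "From: Somebody <somebody@ieee.org>\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "Message body.\r\n"
)

def header_addresses(msg, name):
    """Return the lower-cased addresses found in every header called `name`."""
    pairs = getaddresses(msg.get_all(name, []))
    return [addr.lower() for _, addr in pairs if addr]

def compare_envelope_and_headers(envelope_sender, envelope_recipients, raw_message):
    """List the ways the visible headers disagree with the delivery envelope."""
    msg = message_from_string(raw_message)
    findings = []
    from_addrs = header_addresses(msg, "From")
    if envelope_sender.lower() not in from_addrs:
        findings.append(
            f"From: header {from_addrs} does not match envelope sender {envelope_sender}"
        )
    to_addrs = header_addresses(msg, "To") + header_addresses(msg, "Cc")
    if not to_addrs:
        findings.append("no To:/Cc: header, yet the message was delivered")
    for rcpt in envelope_recipients:
        if to_addrs and rcpt.lower() not in to_addrs:
            findings.append(f"envelope recipient {rcpt} is not named in To:/Cc:")
    return findings

if __name__ == "__main__":
    for line in compare_envelope_and_headers(
        ENVELOPE_SENDER, ENVELOPE_RECIPIENTS, RAW_MESSAGE
    ):
        print(line)
```

A mismatch is a signal rather than a verdict: mailing lists and Bcc deliveries legitimately produce envelopes that differ from the headers.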
In a Nutshell
- The ENVELOPE address cannot be spoofed. This address is used to deliver
email to a recipient.
- The address in the message HEADERS can be spoofed. The email addresses that
appear in the To: and From: message headers are NOT the addresses used in the
delivery of the message.
- When reading an email message, users can view the address in the message
HEADERS, but users cannot see the ENVELOPE address.