Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails.
Technical detail 
By altering an email's identifying fields, such as the From, Return-Path and Reply-To (which can be found in the message header), emails can be made to appear to be from someone other than the actual sender.
Occasionally (especially if the spam requires a reply from the recipient, as in advance-fee frauds), the Reply-To field indicates the source of the spam email, or at least a way of identifying the spammer. In that case, a reply to the initial email is delivered to the address specified in the Reply-To field, which could be the spammer's address. However, most spam emails (especially malicious ones with a trojan/virus payload, or those advertising a web site) forge this address too, and replying to it will annoy an innocent third party.
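The fields named above can be compared mechanically when triaging a suspicious message. The following is an added example, not part of the original article: it parses a raw message and reports where the Return-Path or Reply-To domain differs from the From domain. The function names and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(value):
    """Return the lowercased domain of the address in a header value, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_mismatches(raw_message):
    """Compare the From domain with the Return-Path and Reply-To domains.

    Returns a list of (header, from_domain, other_domain) tuples, one per
    header whose domain differs from the From domain. A mismatch is only a
    signal: mailing lists and forwarding services produce it legitimately.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        # An absent header or an empty bounce path ("<>") has no domain.
        if other and other != from_domain:
            findings.append((header, from_domain, other))
    return findings


# Constructed sample: From claims corp.example, the other fields disagree.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
From: "Charlie" <charlie@corp.example>
Reply-To: collector@freemail.example
To: bob@corp.example
Subject: Invoice

Please see attached.
"""

# Constructed sample: all identifying fields agree.
CONSISTENT = """\
Return-Path: <charlie@corp.example>
From: Charlie <charlie@corp.example>
To: bob@corp.example
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("CONSISTENT", CONSISTENT)):
        print(name, header_mismatches(raw))
```

Agreement between these fields does not show that a message is genuine, since all three can be forged together.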
Prior to the advent of unsolicited commercial email (spam) as a viable business model, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's SMTP server to send email from the user's foreign address. Since most servers were configured as open relays, this was a common practice. As spam email became an annoying problem, most of these "legitimate" uses fell victim to antispam techniques.
It is much more difficult to spoof or hide the IP (Internet Protocol) address. The IP address is a 32-bit or 128-bit numerical label assigned to each device participating in a network; because it originates through the network provider, it is more difficult to spoof or hide. Although this kind of verification is difficult for individual users, companies can use this technology, as well as others such as cryptographic signatures (e.g., PGP, "Pretty Good Privacy", or other encryption technologies), to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be, as well as ensuring that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software. Using certificates in this manner increases the amount of authentication performed when sending mail.
Because many spammers now use special software to create random sender addresses, even if the user finds the origin of the email it is unlikely that the email address will be active.
The technique is now used ubiquitously by bulk email software as a means of concealing the origin of the propagation. On infection, worms, such as ILOVEYOU, Klez and Sober, will often try to perform searches for email addresses within the address book of a mail client, and use those addresses in the From field of emails that they send, so that these emails appear to have been sent by the third party. For example:
- Alice is sent an infected email and then the email is opened, triggering propagation.
- The worm finds the addresses of Bob and Charlie within Alice's address book.
- From Alice's computer, the worm sends an infected email to Bob, but the email appears to have been sent by Charlie.
This can be particularly problematic in a corporate setting, where email is sent to organisations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:
- Bob doesn't receive the message, but instead gets a message telling him that a virus sent to him has been blocked. Charlie receives a message telling him that a virus sent by him has been blocked. This creates confusion for both Bob and Charlie, while Alice remains unaware of the actual infection.
Newer variants of these worms have built on this technique by randomising all or part of the email address. A worm can employ various methods to achieve this, including:
- Random letter generation
- Built-in wordlists
- Amalgamating addresses found in address books, for example:
  - User1 triggers an email address spoofing worm, and the worm finds the addresses firstname.lastname@example.org, email@example.com and firstname.lastname@example.org within the user's email address book
  - The worm sends an infected message to email@example.com, but the email appears to have been sent from firstname.lastname@example.org
See also 
- Email authentication
- Sender Policy Framework (SPF)
- Computer virus
- Computer worm
- Chain email
- Joe job
- Website spoofing