Tech Talk #194–December 31, 2022
Have you ever received an email that looked like it came from you, but you didn’t send it? Self-spam is happening a lot now, and it’s usually tied to a blackmail or shaming scheme. Forging or faking an email address is called spoofing. And it’s easy.
Most email systems don’t have security checks to ensure the person in the email’s “From” line is who they say they are—with billions of email addresses and thousands of email servers worldwide, verifying that “From” address is impossible. So all an email scammer/blackmailer needs to spoof is your email address, which they can buy from any of the many data breaches that make the news. Then they paste your email address onto their spam or blackmail email, and it goes straight to you. And from you, too.
But why? For two reasons. First, if the email seems to come from you, it will get through any spam filters you or your email provider may be running. Who is the person least likely to send you spam, but you?
The second reason comes back to that blackmail or shaming scheme. They send an email TO you that’s also FROM you and then claim it as proof they’ve compromised your account and possibly your entire computer. They also may claim to have evidence of you doing something wrong on your computer that they will send to everyone you know and even the police. Of course, they always want money to make the problem go away.
The good news is that they only have your email address, nothing else. And it’s not just your email address; they probably bought thousands or hundreds of thousands of email addresses to scam/blackmail.
We have tools to combat this self-spam problem. The first tool is the Sender Policy Framework (SPF.) SPF works with the Domain Name System (DNS) on the receiving email server to match the sender’s SPF record to its DNS record. But this doesn’t solve the problem because maintaining SPF records for billions of email addresses and thousands of email servers is difficult to do in real-time.
The next weapon against self-spam was the Domain-based Message Authentication, Reporting, and Conformance (DMARC) system. DMARC uses SPF and adds checks for alignment between the sending email server and the address in the “From” field. Unfortunately, even though Microsoft, Google, and others helped write DMARC, it isn’t widely implemented. While DMARC protects Outlook.com and Gmail.com email addresses, only a fraction of the Fortune 500 companies have implemented DMARC on their email servers, probably because they don’t want to risk not delivering a critical message.
There’s no way to prevent scammers/blackmailers from spoofing your email address. If your email system uses SPF and DMARC, the scammer’s/blackmailer’s emails will go straight to your junk or spam folder.
If a spoofed email does get through, ignore it completely. But first, mark it as spam or junk and empty your spam/junk folder. And don’t ever click on any attachments or links in the scammer’s/blackmailer’s email.
Here’s what your email address says about your computer skills:
Own domain (e.g., firstname.lastname@example.org): You’re skilled and capable.
@gmail.com: When the Internet stops working, you try rebooting the router before calling a family member for help.
@hotmail.com: You think that MySpace is hip.
@yahoo.com: You send email chain letters saying that Bill Gates will eat your hard drive unless you forward this message to everyone you know.
@aol.com: You phone friends to tell them about a neat website, then say into your phone,
“OK, go to … h … t … t … p … colon … slash … w … w … w … dot …”
Do you have a computer or technology question? Greg Cunningham has provided Tehachapi with on-site PC and network services since 2007. Email Greg at email@example.com.