spam-control system can take a lot of the fun and utility out of electronic communications, but at least you can trust e-mail that comes from people you know – except when you can’t. A favorite technique of spammers and other “bad guys” is to “spoof” their return e-mail addresses, making it look as if the mail came from someone else. In effect, this is a form of identity theft, as the sender pretends to be someone else in order to persuade the recipient to do something (from simply opening the message to sending money or revealing personal information). In this article, we look at how e-mail spoofing works and what can be done about it, examining such solutions as the Sender Policy Framework (SPF) and Microsoft’s Sender ID, which is based on it.

If you receive a snail mail letter, you look to the return address in the top left corner as an indicator of where it originated. However, the sender could write any name and address there; you have no assurance that the letter really is from that person and address.
E-mail messages contain return addresses, too – but they can likewise be deliberately misleading, or “spoofed.” Senders do this for various reasons, including:

* The e-mail is spam and the sender doesn’t want to be subjected to anti-spam laws
* The e-mail constitutes a violation of some other law (for example, it is threatening or harassing)
* The e-mail contains a virus or Trojan and the sender believes you are more likely to open it if it appears to be from someone you know
* The e-mail requests information that you might be willing to give to the person the sender is pretending to be (for example, a sender might pose as your company’s system administrator and ask for your network password), as part of a “social engineering” attack
* The sender is attempting to cause trouble for someone by pretending to be that person (for example, to make it look as though a political rival or personal enemy said something he/she didn’t in an e-mail message)

Note: “Phishing,” the practice of attempting to obtain users’ credit card or online banking information, often incorporates e-mail spoofing. For example, a “phisher” may send e-mail that looks as if it comes from the bank’s or credit card company’s administrative department, asking the user to log onto a Web page (which purports to be the bank’s or credit card company’s site but really is set up by the “phisher”) and enter passwords, account numbers, and other personal information.

Whatever the motivation, the objective of spoofed mail is to hide the real identity of the sender. This can be done because the Simple Mail Transfer Protocol (SMTP) does not require authentication (unlike some other, more secure protocols). A sender can use a fictitious return address or a valid address that belongs to someone else. Receiving mail from spoofed addresses ranges from annoying to dangerous (if you’re taken in by a “phisher”). Having your own address spoofed can be even worse.
If a spammer uses your address as the return address, you may suddenly find yourself inundated with angry complaints from recipients or even have your address added to “spammer” lists that result in your mail being banned from many servers.

How Spoofing Works

In its simplest (and most easily detected) form, e-mail spoofing involves simply setting the display name or “from” field of outgoing messages to show a name or address other than the actual one from which the message is sent. Most POP e-mail clients allow you to change the text displayed in this field to whatever you want. For example, when you set up a mail account in Outlook Express, you are asked to enter a display name, which can be anything you want, as shown in Figure 1.

If your e-mail does not have a Sender ID, Microsoft wants to junk your e-mail. Sometime around November, Hotmail and MSN will flag as potential spam those messages that do not have the tag to verify the sender, Craig Spiezle, a director in the technology care and safety group at the software maker, said Wednesday. The move is meant to spur adoption of Sender ID, he said.
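The simplest form of spoofing described under “How Spoofing Works” (a display name or “from” field that differs from the real sender) leaves inconsistencies in the message headers that a recipient can check. The following is an added example, not code from the article: the function names, the finding labels, and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def domain(addr):
    """Lowercased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw):
    """Return the sender-identity inconsistencies found in a raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    findings = []
    # Display name shows an address other than the real From address.
    shown = ADDR_RE.search(display)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append("display-name-address-mismatch")
    # Envelope sender (recorded as Return-Path on delivery) is in another
    # domain. Mailing lists and bulk senders also cause this: a hint, not proof.
    rpath = parseaddr(msg.get("Return-Path", ""))[1]
    if rpath and domain(rpath) != domain(from_addr):
        findings.append("return-path-domain-mismatch")
    # Replies would go to a different domain than the visible sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and domain(reply) != domain(from_addr):
        findings.append("reply-to-domain-mismatch")
    return findings

# Constructed sample messages (example.* domains are placeholders).
DISPLAY_NAME_SPOOF = (
    "Return-Path: <bounce@bulk.example.net>\n"
    'From: "sysadmin@example.com" <notice@bulk.example.net>\n'
    "Reply-To: <collect@example.org>\n"
    "Subject: Password check\n\nConstructed test body.\n"
)
FORGED_FROM = (
    "Return-Path: <bounce@bulk.example.net>\n"
    'From: "System Administrator" <sysadmin@example.com>\n'
    "Subject: Password check\n\nConstructed test body.\n"
)
LEGITIMATE = (
    "Return-Path: <alice@example.com>\n"
    'From: "Alice" <alice@example.com>\n'
    "Subject: Lunch\n\nConstructed test body.\n"
)

if __name__ == "__main__":
    for name in ("DISPLAY_NAME_SPOOF", "FORGED_FROM", "LEGITIMATE"):
        print(name, spoof_indicators(globals()[name]))
```

These checks only compare headers with one another; they do not verify that the sending server is authorized to send mail for the domain it claims.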