Spoofing Your E-mail

There is a final problem for sending desktop e-mail, and it is an ugly one indeed. To begin, anyone can send e-mail to your Simple Mail Transfer Protocol (SMTP) server, regardless of who the message is addressed to (i.e., the messages don’t have to be going to a local address on your server). They don’t need your e-mail account password, they don’t even need a valid e-mail account name. They just have to know about your server and be able to access it over the Internet. They can even “author” messages with a From: containing your e-mail address.

It is an unfortunate sign of our times that this behavior has become more frequent and used to nefarious means. Some spammers have caused legitimate e-mail accounts to be canceled (or sites blacklisted), all because they hijacked these accounts in this fashion. And unsuspecting e-mail users are sometimes blamed for other’s actions.

This is not a new problem. Indeed, when one of us was a graduate student, one of our fellow students played a prank. He hijacked our student e-mail account and sent an off-color message to another student, making it appear as if we had sent the message. The issue is that now almost anyone can do it, given the minimal effort to change the designated SMTP server information in any e-mail software program.

ISPs have reacted to this situation by blocking users who try to send a message to the ISP’s servers if the message’s recipients are outside the ISP’s network. This sounds like a good solution, until you consider the situation of the traveling user, who may use another provider to access the Internet and needs to make use of his or her account on the home ISP. This is just another thing to check when you sign up with a particular provider. If you do a good deal of traveling, make sure that your ISP has local access numbers in the cities you visit!