Forged Email

Near the end of the 1999-2000 academic year, a vicious and hateful email message was sent to a large part of the Stanford community. In outrage, many demanded to confront the presumed author and have him expelled immediately. The student denied the charges and the University concurred: the message had been sent by another user who forged the return address and the name of the sender. From a technical point of view, the forgery committed in this situation was hardly forgery at all. As it is used today, Internet email is not an “authenticated” message system. This means that anyone in the world can write an email message with any return address that they choose, without any hacking, cheating or deception.

If you currently use Eudora, Netscape Mail, or Outlook, you have already configured your mail program to know your name and email address. To receive your new mail, you also need your Leland user ID and password (using the PCLeland or MacLeland login window). So how can someone forge mail from your email address if they need your password? It turns out that receiving mail requires your user ID and password, but sending mail requires neither. Email messages are sent using a protocol called SMTP. At Stanford, all messages are sent through a server named smtp.stanford.edu. Your email program gathers new incoming messages using a totally different system, usually called POP or IMAP. This system has nothing to do with the SMTP system and uses servers like pobox1.stanford.edu. A malicious user could enter any name and return address into their mail program. Although they couldn’t receive new incoming messages (which requires a user ID and password), they can send as many messages as they like, all of which appear to be from the fake name and return address.

As an email user, it is important to recognize that email is not a secure or authenticated system. If you receive a strange message from a friend or stranger, realize that the message might not have been sent from the person listed as the sender.