
Help! I've Been Spoofed!

Have you ever opened your email to discover a message that appears to have come from you, but you didn't write it? Have you received replies to messages that you never sent? If so, then you, like millions of people worldwide, have been spoofed!

Email spoofing is most commonly used by companies who try to gain your trust by tricking you into opening their junk mail. They do this by forging the name in the FROM: and REPLY TO: fields of their email message, inserting names of people you are likely to trust, including your own name and address. How do they get your information? They gather the information needed to spoof you through web spiders that collect email addresses from company web sites, and through forms and giveaways that folks sign up for. Even if you do not post or sign up, you can still be spoofed since companies often flood entire domains with messages, hoping to hit on valid addresses.

An even more dangerous and increasingly common way to get spoofed is by a virus or malicious worm. The recent outbreak of the MyDoom virus is a good example of a virus that is very good at spoofing email addresses. Many of the new viruses and worms have their own SMTP (Simple Mail Transfer Protocol) engine that can send mail from your PC using names in your Windows Address Book, commonly used by Outlook and Outlook Express. If your name appears in another user's Windows Address Book and their PC is infected by a virus, you could receive any number of messages from that PC, as well as replies from anti-virus gateways, users, and administrators who believe that your account is sending viruses to their systems. A single infected PC can send out hundreds of thousands of messages.

What can you do to prevent email spoofing? Sadly, there is very little that an individual can do to prevent email spoofing. Following unsubscribe links and complaining to spammers can open the door to more spam, since they now know your address is real. Anti-virus gateways respond to the FROM and REPLY TO fields, regardless of the message source, so this type of spoofing cannot be prevented either. If you receive a reply to a message you did not send, simply delete it. Make sure your anti-virus software is up to date and running when you check your mail. Since many trojans and viruses exploit Windows vulnerabilities, it is also a good idea to use Windows Update to apply any needed security patches.

Another form of spoofing is Web spoofing. While email spoofing should not be taken lightly, web spoofing is probably the most dangerous form of spoofing. Web spoofing is when a company manipulates a web site URL to LOOK LIKE a trusted domain when, in fact, they are falsely impersonating the site you trust. This past January, Citibank customers were spoofed into providing online banking IDs and passwords as well as credit card and account information to a company that spoofed their web banking page. These users received an email asking them to log into their accounts to verify information. When they clicked on the link they were taken to a page that looked exactly like their Citibank page. Due to a known and unpatched Internet Explorer vulnerability, the URL displayed in the address bar was also forged, so they had no idea they were not, in fact, on the Citibank site. Other commonly spoofed sites include eBay, PayPal, and Amazon.com.

Microsoft has been aware of this vulnerability since early December 2003 and has yet to offer a fix for the problem. Individuals can protect themselves by using Internet Explorer only when required to do so and by making an alternate web browser such as Netscape or Opera, which will show the actual URL being visited, their default browser. You could also cut and paste the URL you are trying to go to into your web browser or just visit the site directly, ignoring the link in your email.

So, the next time you get a message from yourself or get flooded with replies for mail you didn't write, relax. If you've kept your PC updated and have your anti-virus software updated and running, then your PC is probably not infected. You've only been spoofed!

 

For more information or help, contact your local Help Desk.

 


These pages ©1996-2006 Mid-Hudson Regional Information Center.
All rights reserved.
Webmaster, webmaster@mhric.org