Question about email spoofing and hacking

Discussion in 'other security issues & news' started by jjc225, Mar 3, 2019.

  1. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    282
    At my email at work, I had been getting a string of clearly bogus emails from people claiming to have found my old password on the dark web, but of course I had changed it years ago. They made idle threats about using my own computer camera to record me doing bad stuff, etc. These always show up as spam through the work email filter. Then more recently I have been getting emails using my exact email address rather than one slightly different, so the sender is now saying he has entered my system, etc. However, these emails are still coming in listed as spam and so far I see no effects that the person has the type of control or access he claims to have to the account. I have alerted the security folks at work and they so far don't seem to be too worried about it.

    But can someone actually spoof an actual, exact email address of someone? How is this possible? The person sending these is trying to claim the only way to do this is to get complete control and access to the email account, but why are those emails coming in listed as spam? When I send emails to myself they are not listed as spam.

    Thanks for any feedback.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's easily done. There are even add-ons for Thunderbird for it.

    But in order for it to actually work, you need an email provider that will actually send messages with a forged sender address. Most won't.
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    The address is just a header in an email message. You can just write a fake one.
    To send that email, somebody must use an email provider that does not verify that the address in the header is actually owned by the sender. Most verify that, but someone can create their own email server to send messages.
    However, there are mechanisms for receiving servers to verify whether the domain (part of the address) is not spoofed. These are called SPF and DKIM.
    https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC
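
Added example, not part of the original posts: a Python sketch of how a recipient can check a suspicious message's headers, comparing the `From:` domain with the envelope sender and reading the SPF/DKIM/DMARC results recorded by the receiving server. The sample message, all domain names and the `TRUSTED_AUTHSERV` value are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.work.example"  # assumption: id your own receiving server writes

# Constructed sample: From: shows the recipient's own address, envelope sender is elsewhere.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.work.example; spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none; dmarc=fail header.from=work.example
Authentication-Results: attacker.example; spf=pass; dkim=pass; dmarc=pass
From: "You" <user@work.example>
To: user@work.example
Subject: I have access to your account

body
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc results, only from headers written by our own server."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted:
            continue  # any other copy may have been inserted by the sender
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def assess(raw):
    msg = message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    dmarc = auth.get("dmarc")
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "aligned": bool(from_dom) and from_dom == env_dom,  # exact match only
        "auth": auth,
        "verdict": dmarc if dmarc in ("pass", "fail") else "unverified",
    }

if __name__ == "__main__":
    print(assess(SPOOFED))
```

In the sample, SPF passes for the envelope domain while DMARC fails, because SPF checks the envelope sender and not the `From:` address the reader sees.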
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't know about other email clients - but for Thunderbird it is advised to set

    Code:
    mail.showCondensedAddresses = false
    mailnews.headers.showSender = true
    in about:config as a protection against spoofing/phishing.

    There are also some add-ons that are helpful, like TORPEDO.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Just look in your sent items folder. You won't see the message there. This shows that they didn't send it from your account.

    They could even fake that, but usually they don't. They're too stupid and lazy, and anyways, people are easy enough to scare even without it.
     
  6. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    282
    Thanks for the feedback. Indeed, they do not show up in my sent messages. This is reassuring. I had no idea people could send messages from an exact fake email address. You learn something new every day.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    For Gmail, I've read that spoofed messages do show up in your sent folder. Because it's not really a folder. Just search results.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I am a Gmail user who has played around a bit with sending messages from my Gmail address, but using a different email service. It's not so easy to get your messages to show up in sent items folder. But it is possible.

    Let's say like this: if it isn't in your sent items folder, then it wasn't sent from your account. And that will be the case most of the time. If it is in there, you need further research.
     