E-mail is considered "spoofed" when the e-mail address in the "From"
field is not that of the sender. Believing what you read in spoofed e-mail can cause huge
embarrassment, so if you receive an e-mail from George W. Bush, it might not be on the
level. The bad news is that it's not very hard to spoof e-mail, but the good news is
that it can usually be detected. To detect spoofed e-mail you need to understand how
e-mail is sent on the Internet.
First, your e-mail program (e.g., Outlook, Eudora,
Hotmail) sends mail to an SMTP (Simple Mail Transport Protocol) server, a computer
that understands how to relay your e-mail from SMTP server to SMTP server across the
Internet, until it arrives at its destination--the recipient's mailbox. The mailbox
stores this e-mail until it's fetched by an e-mail program, so its recipient can read it.
Like a well-paid courier, SMTP just passes along what it was given. You can
tell Outlook your e-mail address, but neither it nor the SMTP server provided by your Internet
service provider has any way to verify that it's true.
Every e-mail contains a hidden component
known as a "header" that details its transmission
history. By viewing the header and doing a little detective
work you can usually spot the telltale signs of spoofed
e-mail. Investigating suspicious e-mail is a relatively
technical process. To do so, check the headers: in Outlook,
select View/Options; in Netscape, select View/Headers; in
Apple Mail, select View, Message.
The first thing to check is the From
field, which will look like one of these:
From: Mickey Mouse (mickey@mouse.net)
From: mickey@mouse.net (Mickey Mouse)
From: Mickey Mouse
Look for a discontinuity between
the friendly name and the e-mail name. If the friendly name
is "Mickey Mouse" but the e-mail address is evildoer@wicked.org,
or if the e-mail name is missing entirely, the e-mail may
be spoofed. But a sophisticated spoofer won't make this
simple mistake.

Next, look at the Received fields. Each
time the mail gets relayed through an SMTP server, a new
Received field is added at the top, so you read them bottom-to-top.
The bottom-most Received field is supposed to detail the original sending of the mail
from the sender's mail program to their ISP's (or company's)
SMTP server, although it can be forged. If the mail purports
to be from mickeymouse.net but you see names like "wicked.org",
you have reason to be suspicious. It also pays to look up
the sender's IP address, the four numbers separated by dots
in the Received line.
In the screenshot the IP address is 129.106.7.29
(which is a UT Houston address). With this information you
can search online for the ISP, places to start are:
www.arin.net
www.samspade.org
Look for suspicious server names or clues
to geographical locations (e.g., SFO for San Francisco).
Again, you're looking for discontinuities. (Don't be surprised
if the spoofer does some Internet magic to make the IP address
useless to you, though.)
You can continue with this sort of detective
work up through the different Received fields. If you are
lucky you can track down the e-mail address and ISP of the
true sender and at least get them kicked off their ISP.
If, for example, the e-mail comes from the ISP
Nastybrowndog.com, send e-mail with your complaint to abuse@nastybrowndog.com
or postmaster@nastybrowndog.com.
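The header checks described above, automated as an added example (not part of the original article): it parses the From field for a friendly-name/address discontinuity, walks the Received fields bottom-to-top, pulls out the IP address of each hop, and flags a first hop that does not come from the claimed sender's domain. The message headers are constructed for illustration, and the name-matching heuristic is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the From line claims mouse.net,
# but the bottom Received line, the first hop, shows a wicked.org server.
SAMPLE = """\
Received: from mx.mouse.net (mx.mouse.net [203.0.113.5])
\tby mail.example.edu with ESMTP; Tue, 4 Mar 2003 10:01:02 -0600
Received: from smtp.wicked.org (smtp.wicked.org [198.51.100.23])
\tby mx.mouse.net with SMTP; Tue, 4 Mar 2003 10:00:55 -0600
From: Mickey Mouse <mickey@mouse.net>
Subject: hello

body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def from_discontinuity(msg):
    """True when the friendly name and the address domain disagree, or when
    the address is missing entirely. Word-in-domain matching is a heuristic."""
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return True
    domain = addr.rpartition("@")[2].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", name)]
    return bool(words) and not any(w in domain for w in words)


def received_hops(msg):
    """Received fields in transmission order (bottom-to-top), each as
    (announced sending host, first IPv4 address seen, receiving host)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        host = re.search(r"\bfrom (\S+)", flat)
        by = re.search(r"\bby (\S+)", flat)
        ip = IPV4_RE.search(flat)
        hops.append((host and host.group(1), ip and ip.group(1), by and by.group(1)))
    return hops


def analyze(raw):
    """Run both checks on a raw message and report the discontinuities found."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    findings = []
    if from_discontinuity(msg):
        findings.append("from-field-mismatch")
    # The first hop should come from the claimed domain's own mail server.
    if hops and claimed and hops[0][0] and not hops[0][0].lower().endswith(claimed):
        findings.append("origin-outside-claimed-domain")
    return {"claimed_domain": claimed, "origin_ip": hops[0][1] if hops else None,
            "hops": hops, "findings": findings}
```

Run `analyze(SAMPLE)` to see the origin IP (198.51.100.23) you would then look up at a registry such as www.arin.net; a forged bottom Received line defeats this, as the article notes.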
Given today's e-mail infrastructure,
there's not much that can be done to prevent spoofing. The best
advice, in a situation where the authenticity of the sender
must be established and it is someone you are already in
communication with, is to agree to use digital signatures
and/or encryption when exchanging e-mail. Digital signatures
and encryption protect messages from tampering and positively
identify the sender.