How can a scammer use my email address?

If you have an email address, at some point you’re bound to see something that makes you do a double-take: you’ll receive an email that lists your own address as the sender, only you didn’t send it. Naturally, alarm bells begin ringing (not a bad thing) because you’re worried your account has been compromised. But after forwarding it to your trusty IT team (please don’t click the link, I beg you), you’re reassured it didn’t actually come from you.

But if it wasn’t sent from my account, why does it have my email address?

Well, as it turns out, email is a VERY old system…so old that it predates the internet. Many of the first messages were sent between computers in local networks in buildings, but as the ARPANET (the precursor to the Internet) grew, messages were sent all throughout the network. Queen Elizabeth even sent one in 1976 (somehow, that detail didn’t make it into The Crown). But back then, the internet was small – so small that there was a physical directory, like a phonebook, for everyone on the internet. When the internet is this small, it’s not hard to track down someone doing something they shouldn’t, but it also means that you’re not thinking that hard about security.

What’s a Header?

When you send an email, a bunch of data gets sent to the email server. Part of that data is the header. Think of this as the envelope that carries your message. It includes the sender, the recipient, the subject of the email, when it was sent, and where the message originated from. The problem is that by default, none of this information is verified. You can put anything, and the email server will say, “OK, I trust you.” I recall in 6th grade having fun sending other kids in my school emails from president@whitehouse.gov telling them how much I loved watching cartoons (pretty sure I’m well past the statute of limitations on that one).

Email has come a long way since then: more information has been added to the header, and security checks have been layered on (for instance, most email servers now require you to log in before sending mail, and won’t let you send mail as someone else unless you have permission). The problem is that anyone can set up an email server and start sending spam until someone like Google or Microsoft notices and blacklists it, and that listing then tends to be picked up by all the other blacklists.

So, is that why there’s so much spam?

Yeah, pretty much. Email is a 50+ year old system that is still mostly set up to work the way it originally did, with some additional layers added on top. So, if you get an email from yourself, it’s still a good idea to check it out, but it may be as simple as someone else writing your name on the outside of an envelope.
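One way to "check it out", as an added example that is not part of the original post: read the raw headers of the suspicious message and compare the From address the sender typed with what the receiving server recorded. It assumes your mail server stamps the standard Authentication-Results header with SPF, DKIM and DMARC verdicts (examples of the "additional layers" above, not named in the post); the two messages, addresses and the `review_headers` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to come from the recipient's own address.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-mailer.example.net; dkim=none; dmarc=fail header.from=example.org
From: "You" <you@example.org>
To: you@example.org
Subject: Your account

Click the link.
"""

# Constructed sample: a note the user really did send to themselves.
GENUINE = """\
Return-Path: <you@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: "You" <you@example.org>
To: you@example.org
Subject: Reminder

Buy milk.
"""

def domain_of(header_value):
    """Return the lowercase domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_headers(raw, my_address):
    """Return a list of flags for a human to review (flags, not a verdict)."""
    msg = message_from_string(raw)
    flags = []
    # The From line is whatever the sender typed; nothing verifies it.
    if parseaddr(msg.get("From", ""))[1].lower() == my_address.lower():
        flags.append("claims-to-be-from-me")
    # Return-Path records where bounces go; mailing lists can differ legitimately.
    bounce_domain = domain_of(msg.get("Return-Path"))
    if bounce_domain and bounce_domain != domain_of(msg.get("From")):
        flags.append("return-path-domain-mismatch")
    # Trust this header only when your own receiving server added it
    # (only the first such header is read here).
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                               msg.get("Authentication-Results", "").lower()))
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) != "pass":
            flags.append(f"{check}-{verdicts.get(check, 'missing')}")
    return flags
```

A message that only raises "claims-to-be-from-me" passed every check the server ran, which is the case where a real account compromise is worth ruling out.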