This page considers email forgery.
It covers -
supplements other pages on this site, in particular the
more detailed discussion of spam, identity pollution,
messaging and computer forensics.
the forgery most likely to be encountered by people in
advanced economies on day by day basis is forgery of email
Some people have first encountered identity theft through
appropriation of their email
address or instant messaging service name, with a spammer
for example using a name that appears on the web (on a
personal or corporate site or in a web newsgroup archive)
as a false identity in messages to people across the globe.
That theft is of concern because most of the online population
has yet to recognise that email addresses are readily
forged and thus assume
that the owner of a stolen address has either authorised
the message or has failed to maintain effective anti-virus
protection and thereby allowed a spammer to propagate
messages from a 'zombie' machine.
Appropriation of an address or online name is also of
concern because it may result in blockage of legitimate
communications from the owner of that name, in some instances
forcing the unfortunate owner to acquire a new name. Some
observers have criticised vigilante online spam filters
for simply blocking names without proper investigation.
Name appropriation is not restricted to email addresses.
Contacts in China have lamented that their online names
in messaging services such as QQ and their avatars in
gaming or other social
networking spaces have been stolen, typically through
surveillance while using a cybercafe.
That theft poisons their online identity - the owner typically
abandons the name/avatar - and can imperil online relationships.
One of the more obscure forms of online identity theft
is an update of traditional political, personal or corporate
smears, which saw an opponent disseminate a letter or
statement supposedly authored by an entity to be discredited.
Such communications in paper formats included fictitious
acknowledgements of sexual or financial impropriety (eg
US presidential candidates 'confessing' to children out
of wedlock or across the colour barrier), endorsement
of unpopular causes such as the Communist Party or fake
attacks on popular causes. They have been characterised
as 'identity pollution' or as 'joe jobs'.
In the online environment 'joe jobs' as part of the digital
intifada or US 'culture wars' have included email messages
that purport to come from figures such as Noam Chomsky,
Hillary Clinton and Arial Sharon or from entities such
as the Israeli government, Procter & Gamble, the ACLU
or World Bank. In 2005 a fake media release outing
Scottish Executive minister Malcolm Chisholm (supposedly
announcing that he wanted to end "speculation"
about his sexuality and that he was "gay and in love")
was emailed to the media.
The intention of such forgeries is generally to gain media
attention (eg encourage journalists to report a "widely
circulated rumour"), erode a reputation,
reinforce negative perceptions of the subject and provoke
email responses (eg counter messages that flood the real
inbox or result in blacklisting of messages from the owner
of the name).
Responses to email forgery have taken several forms, depending
on the expertise of stakeholders and the type of forgery.
Those responses include -
search for technological solutions
noted above, it is clear that many recipients of email
accept the genuineness of illicit messages, whether because
they lack a frame of reference for determining authenticity
or because the content of a message caters to their preconceptions.
Uncritical acceptance of fake texts (and attachments)
and message identifiers is likely to decline slowly in
coming years but many people will presumably trust the
message - or blame the supposed sender - unless there
is something clearly very wrong with the email.
Other recipients are more sceptical, whether by nature
or through awareness of some of the more egregious abuses.
They will tend to seek confirmation of statements in the
body of email and attachments, in some instances actively
drawing attention to particular joe jobs and other frauds.
Others will simply commiserate with those whose email
address has been hijacked and whose good name is being
Governments have tended not to specifically prohibit email
forgery, usually considered to be adequately addressed
through the statute and common law highlighted in later
pages of this note.
The main exception has been specific provisions in some
spam and online censorship enactments, for example criminalisation
of email address forgery in the US under the CAN SPAM
Act and restrictions under the Australian Spam
Act 2003. In discussing
the US spam regulation regime we have noted cases such
as the 2004 conviction in Virginia of Jeremy Jaynes for
sending spam with forged headers via servers located in
For the technically inclined there is a valuable introduction
regarding address forgery.
The messaging profile elsewhere
on this site features pointers to works on the mechanics
of email and webmail.