From Wikipedia:

E-mail spoofing is a term used to describe fraudulent email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. It is often associated with website spoofing which mimics an actual, well-known website but are run by another party either with fraudulent intentions or as a means of criticism of the organization’s activities. The result is that, although the e-mail appears to come from the email indicated in the “From” field (found in the email headers) it actually comes from another e-mail address, probably the same one indicated in the “Reply To” field; if the initial e-mail is replied to, the delivery will be sent to the “Reply To” e-mail, that is, to the spammer’s email.

Quite a mouthful there… To simplify, email spoofing is the fancy name for bogus email messages that look like they came from you.

Interested in fixing the problem?

Why Bloggers (and everyone else) should care about Email Spoofing

The obvious reason to care about spoofing is that someone is using your good name to shuttle spam messages into unsuspecting inboxes. Not only can this have a negative impact your reputation, but it can also lead to having legitimate emails from your domain banned by ISPs large and small.

Imagine what might happen if your 30K subscriber newsletter suddenly died.

If that isn’t bad enough, spoofing is often used as a way of phishing for login information. The spoofer sends an email pretending to be you (or your server admin) and asks for passwords or sends links that lead to other nefarious places on the net.

This is not where you want to be.

How to Deal with Spoofing

1. Lock down your mail server so it won’t relay spam

Attached to the Wikipedia entry is a link to an article on CERT about email spoofing. This article provides a few good tips about securing your mail server.

To summarize, the main idea is to lock your outbound mail server (SMTP) so that it does not relay messages willy-nilly. This will stop spammers from sending email directly from your domain.

Most mail servers in hosted environments already lock down open relay, so this is generally not a problem. However, you might want to check just to be sure. I tested a few tools out there and found the open relay tester at SpamHelp.org to be the fastest and easiest for non-technical users.

2. Add a SPF record to your domain

Even if your mail server is locked down, it is still possible for a spammer to execute an email spoof. They just send the message through another mail server. As the CERT article points out, SMTP lacks authentication but there is a way around this limitation: Sender Policy Framework (SPF).

In simple terms, SPF is a record of valid IP addresses that can send email on behalf of a particular domain. You can think about it as a power of attorney for email.

If configured to check for SPF, a receiving mail server will look up the SPF record for your domain and check that against the origin address for the spam message. Assuming the spammer is sending from a server other than your own, the IP address will not match the list of valid address for your domain and the spam message will get zapped.

Here are two links to help you get started with SPF:

• See if you have an SPF record: Scott Kitterman’s SPF Record Testing Tools.
• Get help creating the SPF record: OpenSPF’s SPF Record Setup Wizard.

[Note: When you start looking into SPF, you will probably see references to Sender ID as well. Sender ID is yet another authentication method for SMTP. It goes a step further than SPF, but it is also a proprietary format from Microsoft. Generally, I have no problems with Sender ID, but the adoption rate is slow.]

3. Contact your Hosting Company or ISP

While I am a technical fellow by trade, I do not claim to be an security expert. The recommendations above are a reflection of my attempt to distill a whole lot of mumbo-jumbo about email spoofing into something that regular folks can use.

If you need more detailed advice, I recommend that you start by contacting your hosting company or ISP. They should have dedicated staff for addressing email and security issues.

A Few More Things to Think About

Whenever you make changes to the configuration of your site or DNS records, Bad Things May Happen. The consequences of mail server configurations can be somewhat surprising too.

1. Implementation of SPF may end up blocking delivery of certain automated emails from your website. Why? If your mail server is on IP address X and your site is on IP address Y, scripts that send mail from Y might get blocked unless you add SPF records for both addresses. Make sure to map all the places where systems originate email.

2. Locking down SMTP relay, while a good an important thing can also end up breaking processes that rely on the relay. If you have a program that sends out email and uses your mail server as a relay, it is possible that shutting down the relay will cause that process to fail. This generally happens when the process in question is on another server but that is not a given. Make sure to test along the way and be prepared to roll back in event of problems.

Best of luck!

Turing’d:

We have this long list of tasks and occupations that we humans believe only humans can do. Used to be things like using tools, language, painting, playing chess. Now, one by one they get Turing’d. A computer beats them. Does it better.

So far we’ve can check off arithmetic, spelling, flying planes, playing chess, wiring chips, scheduling  tasks, welding, etc. All have been Turing’d.

[Via: The Technium]

At the end, Kevin wonders to the audience what else has been Turing’d (i.e. given over to computers because they are better than we are). I’d like to add Marketing to the list of fields and disciplines that have been Turing’d.

Most of us in the online marketing sphere are well past the idea of marketing on instinct. The medium lends itself quite handily to automation and marketing to algorithms.

The direct marketing world is slowly giving itself over to the same idea. Not that they haven’t been using computers and models for years. In fact, direct marketers are some of the most disciplined adherents to deep testing methods that tweak and adjust the smallest minutiae.

Still, this isn’t quite the same thing as giving it over to the computer entirely. To build models that run without human intervention and sort the massive data sets into personalized (and quantified) offers that are proven to be more effective.

It’s coming, folks. Actually, the best companies are already doing it.

Why?

Here’s something for you to think about…

In 10 Years, Marketing Will Be Taught In Engineering School:

Technology is removing all friction from the marketplace. Marketing will really be about figuring out how to most quickly and effectively tap the feelings of the market for the benefit of the product. This will go from a process that currently takes months or years, to one that happens in hours and days. All messaging and product feature sets will be rapidly optimized using the next generation of marketing techniques and technologies.

[Via: Why does everything suck?]

I have no doubt that Hank Williams is right.

Though heavy on the tech side of things, I’ve floated around between IT and Marketing for most of my career. However, it’s been awhile since so many books about marketing to algorithms have hit the shelves. Search is obviously the big reason and that makes me happy. I’m happy because search actually works and is quantifiable as opposed to the personalization craze circa 1998-2001.

The change is here and it is real.

That said, I thought his additional commentary at the end was particularly insightful (see below)…

Billy Martin’s Technique for Managing his Manager:

Someone suggested that the ability to quit your job is a luxury. I don’t like to use that word, because it suggests that the job itself is a luxury. It is possible that the pay cheque is a luxury, but for people who are engaged in their careers, the job is a necessity because their self-actualization depends on doing a good job. When you put it that way, the question becomes whether people have the luxury of remaining in a job where they don’t feel good about themselves and what they do.

[Via: raganwald]

In corporations Open source is thriving, and not because its the strategy:

In large corporations if you need to buy a tool for development, especially one no one has used before good luck in completing the order. The developer wanting the tool will have to justify it over and over and the odds of getting it aren‘t dependent on the need but whether the department (and hence what time of the year it is) has any money. Big purchases tend to be much easier because they have to be approved further up in the organisation. Little purchases just drag on and on. I don‘t know why it is the finance mechanism in companies causes so much grief, but the truth is they are not designed for quick purchases for strategic reasons. Any CFO that tells you otherwise is lying or has no idea. The real reason for finance control is to stop money leaking out and the company loosing money and not knowing why. The fact that redeveloping the library will take you 6 months is unfortunately lost on them as your an expected cost.

[Via: JRoller]

Paul goes on to expand this discussion to show how Open Source fits into the financing process which is a key reason for its continuing adoption by corporations.

Of course, this doesn’t explain why some IT shops are afraid of open source, but my gut tells me it’s about responsibility. IT shops unwilling to take responsibility for their own decisions and solutions tend to rely on vendors who are ready to serve as punching bags during a crisis.

Next thing you know, that fantastic developer is sitting in meeting after meeting about… network topology, help desk questions, project management issues, budgets, policies, and so on. I’m only guessing of course. It’s not that this happened to me or anything.

Oh wait, that’s exactly what happened to me.

Peter van Ooijen did a good job of stoking my rage about this issue.

Specialize ! In how, not in what:

But some problems at the end of last year made me change my mind. It had been a very rich experience to set up a fully functional site but to keep it running day after day is a different ballgame. The worlds of IT management and Software development differ on a very crucial point. In the last year(s) we have learned how to develop software following the scientific method. Isolate the problem to a single statement and try to falsify that by a repeatable experiment. In TDD words: mock up the environment, write a test which (initially) fails and automate running the test. Having to do “some” IT management made me realize how incredibly important and satisfying it is to work in such a way.

[Via: CodeBetter.Com]

You now what I’m talking about… It usually begins with an innocent discussion about the need for a new tool or the inadequacies of an existing system. One thing leads to another and lo! You’ve got a frothing-at-the-mouth business user railing about the lack of INNOVATION.

It might make you mad, but don’t fall for this is a playground tactic. Instead, take Scott Berkun’s advice and turn the argument on it’s head.

Stop saying innovation – here’s why:

Stop using the word innovation in 2008. Just stop. Right now. Commit to never saying the word again. Einstein, Ford, Leonardo da Vinci, Picasso, and Edison rarely said the word and neither should you. Every crowd I’ve said this to laughed and agreed. The I-word is killing us.”

(Via scottberkun.com.)

Bonus Question: How often do you just say NO to a new project?