First, a definition. Spoofing is the forging of the headers of an email message. Typically this means that at least the From address is forged. As a result, if the To address is not valid and the message bounces, the owner of the forged From address gets the bounce message, not the PC that sent the message.
Why can spoofing work? Simple. Repeat this mantra until it sinks in: "There is no security on sending email." The analogy to snail mail is fairly close. Anyone can send snail mail as you, but the Post Office is fairly good about making sure that only you receive snail mail sent to you. By design, security was originally only on the receiving side of email, just like with the Post Office.
That has changed to some extent. Responsible ISPs have for some time required a login to send email. Lately, responsible ISPs have gotten sticky about which other email servers they accept email from. This was as much an anti-spam change as anything else. (Spam is unsolicited commercial email. Spoofing is usually done by spammers, but it is not a requirement of spam. Phishing is email that attempts an identity theft. Pharming is a relatively new technique of identity theft involving website takeover.)
I will spare you all the technical details. The scenario is simple. Malware gets installed on an unprotected PC. That PC has your email address on it. The malware finds your address and uses it to send email. The sending can be done in a variety of ways, depending on how badly the spoofer wants to hide things. The key point is that the sending does not require anything more about you than your email address.
Passwords don't matter very much to a spoofer. They aren't needed at all for spoofing to occur. So don't worry that yours has been compromised.
Until various protective schemes under consideration (and disagreement) can be put into place, there will be no systematic solution to this problem because security on sending was not built in from the beginning.
Points to consider:
1. Your chances of being spoofed depend on how public you are with your email address. If you are active on any kind of mailing list, it will be available widely enough that chances are it will turn up on an infected PC.
Gmail addresses are no more susceptible a priori than any other email address. However, I suspect that all the free services get used a lot more by folks who want to be anonymous for purposes of mailing lists, etc. Therefore, it would not surprise me if they were more likely to be spoofed than that of some random ISP.
2. Always have multiple email addresses and carefully segregate them between business and family and home and pleasure, etc.
3. You can get digital signatures and use those to sign email that matters. They are available at low cost or free, depending. Digital signatures mean that the recipient of a message can make sure that it comes from you. They won't prevent spoofing.
Because of the nature of the net, spamming and spoofing are facts of life that are not likely to go away anytime soon.
The only thing you can really do is filter the undeliverable bounce messages into a separate folder where you can check on them from time to time. You don't want to zap them automatically: there may come an occasion when you send an important message yourself and it bounces, and the only way to track down what happened is to have all the bounce messages.
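As an added example (not part of the original post), here is a small Python script that recognises bounce messages so they can be filed into that separate folder, and pulls out the address a bounce says it could not reach. The sample bounce is constructed for the demonstration and the address names are placeholders.

```python
# Added example (not from the original post): recognise bounce messages
# (delivery status notifications) so backscatter from spoofed mail can be
# filed for later review. BOUNCE is a constructed sample, not real mail.
import email
from typing import Optional

BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mail.example.net>
To: alice@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--b1--
"""

def is_bounce(raw: str) -> bool:
    """True if the raw RFC 5322 message looks like a bounce."""
    msg = email.message_from_string(raw)
    # RFC 3464 bounces are multipart/report with report-type=delivery-status.
    report = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report == "delivery-status":
        return True
    # Bounces carry a null envelope sender, recorded as "Return-Path: <>".
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    # Fallback: the visible sender is the MTA's daemon or postmaster account.
    sender = msg.get("From", "").lower()
    return "mailer-daemon" in sender or sender.startswith("postmaster")

def failed_recipient(raw: str) -> Optional[str]:
    """Address the bounce says it could not deliver to, or None."""
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser splits a delivery-status body into one sub-message per block.
        for block in part.get_payload():
            final = block.get("Final-Recipient")   # e.g. "rfc822; nobody@example.net"
            if final:
                return final.split(";", 1)[-1].strip()
    return None
```

Run `is_bounce` over each incoming message and move the ones it flags into the bounce folder; `failed_recipient` tells you which address the remote server rejected, which is what you need when checking whether a bounce belongs to a message you actually sent.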
Regards,
Al Christoph
Senior Consultant and Proprietor
Three Bears Software, LLC
just right software @ just right prices @ 3bears.biz