The danger of spoofed source email

Posted by: Andrew Jefferies

Tagged in: social engineering, security, email

"Spoofed source email" is any email message where the sender misrepresents themselves by changing the sender address to one that isn't their own.

Spammers routinely use mail spoofing to increase their catch rates. In this case the result is more of an inconvenience but there are other more serious possibilities.

I have successfully, in several assessment projects, used email spoofing to social engineer people into performing actions. Consider this email that I sent to the staff of a client of ours:

From: HR
To: SomeUser
Subject: New internal wiki site!

Dear colleagues,

We are pleased to announce the release of our new internal corporate wiki site. This site will give you the opportunity to share your knowledge and use the knowledge of your co-workers more effectively. Find everything that you need and post things others might find useful.

You can access this site here. It can be accessed using your internal username and password. (No need to remember another new password!)

I hope you enjoy this new service.

HR

There are a variety of ways that you could use this technique, but the interesting way that I used it was by putting up a properly branded site with a login section that they could use to try and log in. When the staff tried to log in, the page would simply spit out an error and redirect to a corporate website. The trick here is that I was simply capturing people's credentials as they tried to log in.

Using this technique I successfully captured 7 sets of credentials for people who had remote access privileges. The service desk quickly found out about the scam email and sent out a message warning users not to visit the site, but by this time the damage was done and I had already entered the system and found what I wanted.

There are myriad scam emails that could be sent with similarly successful results. People will almost always trust an email that appears to originate from an internal source.

The quick technical solution to this spoofed-source problem is to ensure that you have a rule on all of your externally facing email servers that specifically rejects any incoming message with an internal address in the From field. There are almost no good instances where internal addresses should be entering your network from the internet.
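As an added illustration of that rule (example code, not from the original post or any particular mail server), the check below parses the From header of a message arriving on an external connection and rejects it when the address belongs to an internal domain; the domain `corp.example`, the sample messages and the `connection_is_external` flag are constructed assumptions standing in for the gateway's own knowledge of where a connection came from.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed internal domain for this example; substitute your own.
INTERNAL_DOMAINS = {"corp.example"}


def from_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: header, or "" if it is absent or malformed."""
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_internal_domain(domain: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True for an internal domain or any subdomain of it (e.g. mail.corp.example)."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def should_reject(raw_message: str, connection_is_external: bool) -> bool:
    """The gateway rule from the post: a message delivered from the internet
    (an external connection) must not claim an internal address in From:.
    Internal-to-internal traffic is not touched by this rule."""
    if not connection_is_external:
        return False
    return is_internal_domain(from_domain(raw_message))


# Constructed sample: the lure from the post, as it would arrive from outside.
SPOOFED = """From: HR <hr@corp.example>
To: someuser@corp.example
Subject: New internal wiki site!

Dear colleagues, ...
"""

# Constructed sample: a genuine external sender, which the rule must let through.
LEGIT_EXTERNAL = """From: Vendor Support <support@vendor.example>
To: someuser@corp.example
Subject: Invoice

Hello, ...
"""

if __name__ == "__main__":
    print(should_reject(SPOOFED, connection_is_external=True))         # True
    print(should_reject(LEGIT_EXTERNAL, connection_is_external=True))  # False
    print(should_reject(SPOOFED, connection_is_external=False))        # False
```

Note that the rule inspects only the address part of From, so a message whose display name reads like an internal address while the real address is external passes this particular check; that limit is why it is a quick fix rather than a complete one.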
