Back then you could send an email “from” any address without verification, and I’d bet they weren’t sophisticated enough to detect that. There were many open and/or hacked SMTP gateways. I went to a federal military school and showed people how to do this on our own .mil servers. This would be deadly serious today, but email was 95% jokes and flame wars anyway, so it just made things more hilarious. Even Stanford CS’s SMTP in the 2010s allowed unauthenticated “from” addresses, and someone was using it to impersonate the Google founder emails for promoting and funding their startup.