Spammer Forgery of the From Address
NOTE: The opinions expressed on this page are those of the author and not of SpamCop.
The most common pleas for help posted to the SpamCop forum by new users include the following:
- "Help!! My domain (or my personal e-mail address) has been hijacked to send spam!"
- "I'm getting tons of bounce messages for messages that neither I nor anyone in my domain actually sent."
- "I'm getting spam that appears to be from my own address (or, an address in my domain)."
- "I get complaints that I sent spam, but I swear I did not do it and couldn't have done it anyway."
- "My domain is on Joe Bob's blocking list because he says I sent spam, but I didn't."
These kinds of queries are usually occasioned by the fact that a spammer has forged a from-address belonging to the questioner (or the questioner's domain) into his outgoing spam e-mail. This page represents an effort to provide an easily-referenced explanation of this problem.
In a nutshell
For the impatient, here are the major points of this page:
- If you are having one of the problems described above, then it is more than likely due to the fact that a spammer has "borrowed" your domain name (or just your own e-mail address) to use as the from-address (or, more properly, the Return-Path address) of the spam he sends.
- Spammers find it necessary to include realistic Return-Path addresses with their messages in order for these messages to be delivered; for obvious reasons, they do not want to use any of their own addresses, so they steal them from others (like you).
- The spammer can use your domain name or e-mail address without touching your domain, your machines, or your network -- he just needs to type the domain name or address into his bulk-mailing software. So, while you may be angry about this behavior, you need not (necessarily) worry about abuse or security problems within your domain if there are no other signs of trouble.
- There is not much you can do to prevent spammers from forging your domain or address into their messages. Fortunately, your turn in the barrel will last only for a short time, and the wave of unwanted bounces will taper off quickly and disappear completely after a few days.
- If you are getting bounces back to addresses in your domain that do not exist, then you very likely have "catch-all" service enabled with your domain's mail service; if you turn off the catch-all service, you will no longer receive such bounces (see also the SpamCop wiki page on catchall addresses).
- You have the option of reporting (via SpamCop) any or all misdirected bounces from mail services as a form of abusive "blow-back" mail.
Why forge?
The reason why spammers find it necessary to forge other people's domain names and e-mail addresses into their mailings is that they must usually provide a realistic-looking return e-mail address in order to have their messages delivered. Here, "realistic-looking" means (1) the address has the proper format of an e-mail address (that is, "a@b.c"), and (2) the domain part of the address (the "b.c" part) can be resolved by DNS, indicating that the domain is in operation on the public internet.
For example, if your mail program tries to deliver a message you wrote and identifies you (the sender) with the e-mail address gorgon, most properly-configured mail hosts will balk because gorgon is not a realistic e-mail address. If, on the other hand, you simply added any old valid (DNS-resolvable) domain name after this string (e.g., gorgon@not-my-domain.foo), then the message would probably pass muster and be delivered, even though this is not your e-mail address or your domain.
A few questions might occur to you at this point:
Why doesn't the spammer simply use his own e-mail address? For the same reason that bank robbers don't (intentionally) leave calling cards when they crack a vault. There's no point for a spammer to leave verifiable traces of his identity in the junk he sends.
Why can't the spammer just make up a bogus domain name instead of stealing a real one? Because some receiving mail hosts may be set to look up the domain name using DNS, and may reject the mail if DNS tells them that the domain doesn't exist on the net. This is not the same as checking whether the entire e-mail address itself is genuine, but it does provide at least some protection against delivery attempts by unskilled or inexperienced spammers.
Why doesn't the receiving host make a closer check on the bona-fides of the return address? You might think that we could reject mail if its return address could not somehow be matched to the service (i.e., the mail host) that sent it. However, this is not the case. Often, perfectly honest e-mail is sent from machines or domains other than its return address would suggest. To cite just one example, you might be using an outside webmail service to send your mail, so that your return address (which you type into the webmail page) is unrelated to the machine that eventually sends your message. You would not want your (non-spam) message to be rejected by the recipient for this reason.
Has the spammer cracked my network or my computers?
Most likely not; he simply doesn't have to do anything of this sort in order to "borrow" your domain name or e-mail address (which is, after all, just a name -- a few letters, numbers, and punctuation marks).
For example, suppose that you get invited to the kind of party where everyone is a stranger and they all wear nametags. You could simply write someone else's name on your nametag and pose as that other person; you would not have to steal that other person's wallet, passport, or birth certificate in order to practice this small deception. Similarly, the spammer is simply "writing your name" into his message, knowing that (1) likely few people can or will check up on his use of your domain name or address, and (2) knowledgeable people will not trust the apparent return address of a suspicious message in the first place.
How can I tell if he did crack them?
On the other hand, we should not entirely close out the possibility that machines in your domain were used to send the spam, and this opens the door to quite a bit of complication. Normally, the only evidence of spam forged in your name that you will ever see will be misdirected bounces from various mail hosts; if this is all you see, then you may have nothing further to worry about. If, however, you get some plausible evidence (like a bona-fide SpamCop report, see this wiki page) that the messages might in fact be coming from your domain, you will need to do some further work:
- You may need to get hold of one of the messages sent in your name and inspect the header in order to confirm or reject this possibility (but getting these messages in an intact form from an angry recipient could be a tricky challenge).
- You can examine some of the bounce messages you get and see whether they include the original headers of the offending mail somewhere down in the body (not all bounce messages have this information). If you are able to read e-mail headers (or else can find someone else who can), you may then be able to quickly determine whether in fact the message came from your corner of the network. NOTE: many people attempt to do this sort of tracing on the headers of bounce message itself, but this will yield little or no helpful information, because of course these headers describe a completely different message transaction.
- If you suspect a problem, you could use a packet sniffer or similar tool to monitor outgoing activity among the machines in your domain to see whether any of them are sending mail when they shouldn't be (but this would be a hit-or-miss affair, since bots tend to operate sporadically and unpredictably).
- You might check your mail servers' outgoing logs for unusual levels of mailing, but since most spammers tend to steer clear of conventional outgoing mail hosts (they use their own software instead, see the Wiki page on direct-to-MX mailing), this may not yield much information.
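As an added illustration (not part of the original wiki page), the following Python does what the second item above describes: it ignores the bounce's own headers, pulls the original message's headers out of the bounce's embedded message/rfc822 part, and checks the Received chain against netblocks you control. The sample bounce, host names, IP addresses and netblocks are constructed for the example.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not a real bounce): a multipart/report DSN that embeds
# the forged spam's headers as a message/rfc822 part.
SAMPLE_BOUNCE = b"""From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Delivery to nobody@example.net failed: user unknown.
--B
Content-Type: message/rfc822

Received: from mx.example.net ([192.0.2.10]) by mx.example.net with ESMTP
Received: from your-domain.foo (unknown [203.0.113.77]) by mx.example.net
Return-Path: <krazykat@your-domain.foo>
From: krazykat@your-domain.foo

spam body
--B--
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_headers(bounce_bytes):
    # The bounce's own top-level headers describe the bounce transaction,
    # not the spam run, so only the embedded message/rfc822 part is used.
    bounce = email.message_from_bytes(bounce_bytes, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None  # bounce carried no copy of the original headers

def received_ips(msg):
    # Connecting-host IPv4 literal per Received header, newest hop first
    # (heuristic: first bracketed address in each header).
    hits = (IP_RE.search(str(h)) for h in msg.get_all("Received", []))
    return [m.group(1) for m in hits if m]

def sent_from_our_network(bounce_bytes, our_nets):
    # True if any hop in the embedded Received chain lies inside one of our
    # netblocks (CIDR strings); a bounce with no embedded headers gives False.
    inner = original_headers(bounce_bytes)
    if inner is None:
        return False
    nets = [ipaddress.ip_network(n) for n in our_nets]
    return any(ipaddress.ip_address(ip) in net
               for ip in received_ips(inner) for net in nets)
```

A hit only says that a host in your ranges handed the message to the receiving MTA; a forged Received line or a NATed bot still needs a look at the actual host before drawing conclusions.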
If you should decide to post to the SpamCop forum about forgery of your address or domain, you will want to post as many particulars as you can about the problem, so that the experts have the info they need in order to see what is going on. This is because e-mail transmission can be quite complicated and full of significant little details, and it is necessary to analyze those details before rendering a judgment on the problem.
At the very least, you will need to post your domain name or e-mail address (in a disguised form if necessary), possibly also info about your IP networking setup. If you have live examples of the spam sent in your name (or headers of same), you may be asked to submit them to the SpamCop parser and obtain a tracking URL. If you can't (or won't) post such information, you will probably not get a useful evaluation of the problem (and you may get some snippy comments).
Consequences of forgery
By using a bogus reply address, the spammer cuts himself off from any replies or bounces in connection with the messages he sends. But then, he doesn't care: for him, e-mail is strictly a one-way communication path. The typical spammer sends so many mails that he can't be bothered to track individual deliveries or respond to replies (which, in most cases, will just be complaints or abuse). For those unwise enough to want to take him up on his offers, he provides a web URL or some other more-easily-controlled means of contact besides return e-mail.
For the domain operator (or individual user) whose address is forged, the forgery usually results in the following:
- He may receive large numbers of misdirected "blowback" bounces from mail services that have rejected the original spam message due (1) to effective spam filtering, or (2) to the fact that the recipient's address is undeliverable (see below at "What about all these crazy bounces?").
- He may get angry personal replies from recipients who have simply hit the "reply" button without considering that they are being fooled by the spammer into harassing an innocent party.
- In rare cases, he may find that his own outgoing messages are being blocked by incompetent mail administrators in small, isolated domains who construct pointless spam filters based on senders' e-mail addresses (rather than on mail host IP addresses, content filtering algorithms, or SPF/DKIM violations, as is customarily done).
What can be done about forgery?
Unfortunately, there isn't all that much you can do to stop or prevent your domain name from being forged into spam (unless, perhaps, you happen to be on the scene when the spammer is actually doing this, in which case you can call the cops). Fortunately, on the other hand, these episodes usually last only a short time (that is, only for the course of a single spam run) unless you are somehow being singled out for special mistreatment.
As for damage to your reputation, it may be of some comfort to know that most mail administrators are clued in to this problem, as are most sophisticated mail users, and they will not hold you responsible for random spam sent in your name.
If you receive personal replies, it is up to you as to whether you want to answer them; you may be dealing with ignorant persons who will likely not believe your protestations of innocence, so the better part of wisdom may simply be to remain silent.
If you do reply, you might like to point the correspondent to this wiki entry, or to http://www.rickconner.net/spamweb/notmyaddress.html, which provides a similar discussion.
If you know for a fact that a particular mail service is blocking your mails as a result of from-address forgery, you are free to try to contact them (for example, at the postmaster@ address for the domain in question, or else by telephone) to explain the situation. Again, you may refer them to this wiki page or to the external link given above. Misguided or incompetent mail administrators who use inappropriate criteria to block your mail are probably blocking mail from many other innocent parties as well.
What about all of these crazy bounces?
If a domain you run is forged by a spammer, you may find that you get a lot of bounces that refer to addresses that don't exist in your domain -- for example, the bounces are addressed to the sender krazykat@your-domain.foo where there is no such user as krazykat in your domain. This is evidence that your domain has a catch-all e-mail address enabled, so that all mail addressed to non-existent addresses in your domain is delivered to the catch-all address.
Catch-alls are often set up by default on many "turnkey" or "virtual" domains, and are intended to be helpful to the domain operator (i.e., so he doesn't miss potentially important mail simply because it was misaddressed). However, this practice isn't very defensible anymore due to tricks like spammers' from-address forging. Unless you have a very good reason to keep the catch-all turned on, then, you should turn it off (or have your mail administrator turn it off for you). This will keep you from getting bounces back to non-existent addresses.
As for the bounces themselves: bounces resulting from a single instance of from-address forgery will be very heavy at first (dozens or hundreds per day), but will rapidly decline in volume until they reach zero when the last mail host sends you the last message indicating that it has given up trying to deliver the spam message; this process generally takes less than two weeks. If a spammer really has it in for you, and uses your domain repeatedly in his mailings, the bounces may continue or recur.
Reporting inappropriate bounces as spam
If you do not care for all of the misdirected bounces you get, you can actually report them as a form of spam via SpamCop. This is because such bounces are considered to be a form of "blowback" mail, inappropriate automatic replies to e-mail messages.
It is perfectly standard procedure to get bounces to undeliverable messages that you yourself actually sent; this is the way that SMTP e-mail works. On the other hand, you are technically almost never supposed to see bounces to messages (spam, for example) that you did not initiate. Such bounces, when they occur, are known as delayed bounces (because they were "delayed" until after the recipient's mail host already accepted the mail, but found it to be unwanted or undeliverable and could no longer throw it back to the sending host).
Let's take a closer look:
- If a receiving mail host can determine right away that it cannot (or doesn't want to) deliver a message offered by an external source, it can immediately reject that message back onto the external source (which is still online in the middle of the SMTP session). If this were a message that you yourself sent, then the "external source" would be a mail host that belongs to your mail service, and it would know how to contact you with a (legitimate and immediate) non-delivery notice.
- On the other hand, if the receiving mail host decides to accept the message, and then later finds it to be undeliverable, it no longer has any access to the sending host (which has long since signed off) and so cannot reject it; the only information it has by which to report the non-delivery is the from-address embedded in the message itself, which as we see is always forged in the case of spam. Thus, any delayed bounces sent out to spam messages will invariably go to uninvolved parties.
Many mail services continue to employ delayed bounces even though these are discouraged in the SMTP standard. If circumstances have forced you to read this page, then you probably don't need to be told how pointless and abusive blow-back mail can be. By reporting such bounces, you may be able to get across to these services that they need to change the behavior of their mail systems.
Refer to this thread from the SpamCop forum for more information about when and how to report delayed bounces as spam. Because of the large number of such bounces you may get, you might wish to avail yourself of a "helper" script or application like those mentioned in the SpamCop FAQ; these will enable you to efficiently bundle up the bounces and mail them to SpamCop, whence you can individually review and report them.