From: System Administrator Subject: Undeliverable: RE: your inquiry
The body lists a bunch of e-mail addresses from which this message apparently bounced. The supposed original message is in the attachment, the text of which is “Hi, this is Wendi, wanna see my pictures?” (greatly abbreviated, but that’s the gist).
I knew this was suspicious from the start since I haven’t sent out or responded to any messages titled “your inquiry.” A bit more digging shows that the address of the “System Administrator” is postmaster@CPS-SA.CL. In my experience, all the “legitimate” bounced messages have come back individually, and it doesn’t really bother me if this is just a new ploy to get people to open the spam (one more for the trash, that’s all). But I’d really like to know if someone can hijack my address and use it in the “From” field to send out these types of messages.
In any email client, you configure the From, Reply-to, and other fields as you see fit. It’s trivially easy to use someone else’s address, and the SMTP protocol does not include any authentication that the From field is valid or appropriate for the user. (Note that by “any email client”, I mean any client-side application used to interact with an SMTP server. This doesn’t include webmail systems like Hotmail since your configuration is probably set by the website admin.)
It it quite common for spammers to use some innocent bystander’s email address to avoid all the complaints resulting from the spam. In at least one case, a domain name owner won a court judgement against a spammer because the deluge of hate mail resulting from the forged address caused material damage to the domain name holder’s business. That case occurred in Austin several years ago, but I’ll be happy to dig up a cite if you need a precedent to go after these guys.