Email Spam - How Is This Happening

Over the last few weeks, I’ve been getting spam from a company. What seems mystifying to me is that the spam is coming from my email address.

I’ve complained to the ISP about this and forwarded the messages to their “Abuse” department, but I’ve heard nothing back from them yet.

How is this possible?

Also, if they have access to my email address to send spam, can they read my email too?

Thanks in advance.

The From line on an email is like the Return Address on a snail mail letter. Much as there’s nothing stopping me from mailing a letter with your return address on it*, there’s nothing stopping spammers from sending emails with your address in the from line. There really isn’t anything your ISP can do. If you think you ran afoul of a phishing email or that your password has been compromised, you should certainly change it, but it’s unlikely that they can read your actual email.

*I’ve always wondered what would happen if I mailed a letter with some nonsense address on the front, the true destination as the return address and no postage. I mean besides being arrested for defrauding the mail or whatever.

Most likely they’re just spoofing your address in the email they’re sending to you. It’s one method spammers use to bypass people’s spam filters. I would think it would be highly unlikely they have access to your actual email account. If they did and were using it to send spam, you’d be getting a lot of bounced spam messages back as spammers usually have a lot of “bad” addresses in the lists they use so a lot of the email gets bounced back to whatever address they are sending from.

Thanks. That makes me feel a little better.

Inner Stickler, I understand what you’re saying, but shouldn’t the actual “From” mail address used to send the spam appear somewhere in the header of the message? How can there be no real “From” (or origination) on the message?

The originating servers will appear in the headers, but there is no such thing as a “real From address”. As IS said, it’s exactly like the return address on an envelope; anyone can put any address they like.

I had that happen to me. They spammed my contact list. Yahoo auto adds any address to my contacts so i kept getting error emails when they tried to spam expired address from six month old Craigslist ads. I changed my password and it stopped.

I belive Cecil wrote about this. If I remember correctly he said you’d probably get away with it. However, He also felt that it was pretty pathetic to bother.

The mailman knocks on your door, gets upset at you, and tells you to tell whoever did that to not do it again.

I know this because my college professor mailed me my final paper after school was over. She didn’t want to pay that much postage (it was a longish paper), so she put my name and address in both the TO: and the FROM: areas, exactly as she said she’d do.

Mailman was annoyed but didn’t make a big deal out of it.

You can do this spoof very easily in your own email client by setting up a bogus From address. Somebody got your email address from somewhere and decided it would be handy to send spam to you and use you as the sender. Most people’s email clients do not identify mail from themselves as a blocked sender.

The SMTP protocol was designed by and for honest people in more innocent times. Your email client contacts your SMTP server, and the email message gives a “From” address. The SMTP server has no other way to know who you are except what you tell it (unless your server requires authentication, which many ISPs now require for this reason). The header will accumulate the servers touched in the hops but not the “true” email address sending the mail.

Okay, I’m starting to understand now.

Thanks to everyone for your patient explanations.

It also means your ISP doesn’t have a very aggressive spam policy - most better spam fighting setups validate from addresses and reject those that are from domains that they control - so if your isp is “” they would reject, and,, unless it was actually sent by the AOL server.

It looks as if the spams were sent from my ISP as there is usually another recipient or two in the CC field that are also in my ISP’s domain.

I’ve sent the 5 messages (so far) to the Abuse department of my ISP. Kinda curious what they’ll say or do.

This can happen anyway. Spams often have some bogus “From” address, and/or a bogus “Reply To” address. Thus, they can blast a zillion spams, and a bunch of those will bounce to the alleged (and probably innocent) “From” or “Reply” address. A friend of mine had this happen to him – he got so much bounced spam wrongly bounced to him that his inbox got full to the max and stayed full so he couldn’t get his real mail. He had to abandon that address and get a new one.

May all spammers rot in hell. But this was also a seriously grotesque absence of foresight on the part of the early Internet protocol designers, who saw no need back in the day (late 1960’s or so) to design security and authentication into the whole systems at the lowest levels.

When the SMTP and other protocols were developed, the Internet and its predecessors were basically a research tool for the universities and other research organizations. There was no real need at the time for fancy authentication; screwing around would make your sysadmin cranky, which was a pretty good disincentive at the time. It’s doubtful that the early designers had any idea what their invention of the Internet would morph into.

And those of use who were using the Internet before the unwashed mob joined us have rued and regretted it almost every day since.

See also Eternal September.

Understood. . . .

. . . and agreed. (Speaking as one who used Usenet in the mid-1980’s, when it was still limited to a more washed sort of mob.)