How do spammers do this?

I’ve been receiving these spam emails trying to sell me viagra and when I check the full header of the email it appears as though the source is myself! WTF?? I’m sure my email password has not been compromised, so how the hell do they make it look like I’m the sender? And how can I stop them? Here is the header:
From : <**MY NAME[/B]>
Sent : Wednesday, August 8, 2007 5:22 PM
To : <MY>
Subject : RE: Get ready for XXX in 15 min

| | | Inbox

MIME-Version: 1.0
X-Originating-IP: []
X-Originating-Email: MY]
X-Sender:**MY NAME[/B]
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.2668); Wed, 8 Aug 2007 10:22:20 -0700
Received: (qmail 10121 by uid 360); Wed, 8 Aug 2007 12:22:17 -0600
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
X-Message-Info: 6sSXyD95QpV9UeeikfoOkcYrcJ/A5o7Qri5OTKiOxFJs0wwBTDtFE1C1fvGKB926E23LD/ihQSc=
Return-Path: MY
X-OriginalArrivalTime: 08 Aug 2007 17:22:20.0368 (UTC) FILETIME=[AD1E1500:01C7D9E0]

I have no answer, but the coding was driving me crazy, so I patched it:

The answer is that in most cases, the ‘from’ field in the email header isn’t validated, so when the email message is created, the spammer can put whatever he likes in there - the message will still (in most cases) be accepted. - I don’t think it even has to be a properly-formed email address in some contexts.

As Mangetout says, those fields are provided by the sender; when you send an email, your email program inserts your email address (or one of your choice, check for a “Return Address” field if you want to change yours) in those fields.

As the spammer is setting up their own software to send email, they can set it to whatever they like. I occasionally email myself, so it removes one of the pieces of information I could possibly filter on. Basically it’s the email equivalent of me posting:

You didn’t type it, but there’s nothing in the email (or bb) protocol right now preventing me from claiming so.

There are some ideas for solutions floating around, but most would require everyone switching to something new. Since everybody already uses the current implementation of email, we’re kind of stuck with it for the foreseeable future.

It’s pretty universal for spam to have a faked return address - anyone can enter anyone else’s e-mail address into their e-mail software to be shown as the From: address.

It seems the mail was sent through the server of Harrisonville Telephone (in Waterloo, Illinois) - they probably have got a misconfigured mail server that is used by spammers as an open relay. The IP address shown as “X-Originating-IP” is totally fake - the IP address cannot exist.

What you can do: nothing, essentially.
If you get a number of non-delivery reports from people you don’t know in the next hours it means they also sent spam to other people using your address as sender.

Sorry about the sloppy coding, Trunk. Thanks for the repair work.
So, Mangetout, if I put your name in the from field of an outgoing message and send it to someone it will look like it came from you? That’s just so wrong. Way too much potential for evil deeds. There’s gotta be a law against that!

When email protocol was invented, it was used between administrators or academic/government users and the concept of spam was completely unknown. It was assumed that email users were reasonably mature and responsible. Then the fit hit the shan.

Slight hijack, but why do they do this?

Are they supposing your thinking is thus: Hey, this email is from me. Well, I’m a trustworthy chap, so I should buy some of this fine stuff I’m promoting!


What were they thinking!
Well, I can live with the spam as it usually ends up in the junk mail folder. It just unnerves me to think that someone could be using my email address to do something creepy or illegal.
Thanks for the explanations all.

The alternative being that they use their own address? For all that they love to send us mail, most spammers would prefer we were not able to talk to/contact them directly.

As others have pointed out this situation arises because the original email protocols have no verification for sender once it’s in the system. There are numerous solutions for this issue, but when everyone in the world uses the current system, it’s hard to move to a newer and better one.

Well no, the alternative being that they use a fake address. Maybe even one that might help their email look legit. I don’t know, or something. :stuck_out_tongue:

One of the simplest spam filtering methods is to add a spammer’s address to a blocklist. If you add such an address as given in the OP to your blocklist you are blocking email from yourself. Many people, myself included, send email to myself as a reminder method. Also in these days of huge free webmail services, you can “store” stuff in your webmail account. (I also use a “From” address on many of my accounts that are set to a particular account. So I am not always sending to/from the same actual account. E.g., I might forward something sent to one account to another, but the “From” on the first account is the same as the “To” on the second.)

If you block yourself, you lose functionality.

They have to use some address. Obviously, they don’t want to use their own address.

Using your own address has a few advantages:
- You won’t automatically mentally filter it as spam (as easily) because you’re used to seeing your own address.
- If the email bounces somewhere, the bounce will go to you.
- It makes their mail scripts marginally simpler. No need to have two lists of addresses when one will do.
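
Added example, not written by anyone in the thread: since From, Return-Path and X-Sender are all typed in by the sender, the one header worth filtering on is the topmost Received line, which your own mail server stamps with the IP that handed it the message. The sketch below flags mail "from yourself" that did not arrive from a relay you actually use, instead of blocklisting your own address. The addresses, hosts, IPs and the `TRUSTED_SUBMIT_IPS` set are constructed placeholders and assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address, host and IP is a placeholder.
RAW = """\
Received: from relay.example.net ([192.0.2.25]) by mx.example.com with SMTP; Wed, 8 Aug 2007 10:22:20 -0700
Received: (qmail 10121 invoked by uid 360); Wed, 8 Aug 2007 12:22:17 -0600
Return-Path: <me@example.com>
From: "My Name" <me@example.com>
To: <me@example.com>
Subject: RE: Get ready

body text
"""

# Assumption: the IPs of the servers you really send your own mail through.
TRUSTED_SUBMIT_IPS = {"203.0.113.10"}

# "from <claimed name> (... [<ip>])": the bracketed IP is what the
# receiving server recorded; the name before it is only what the client claimed.
HANDOFF = re.compile(r"from\s+(\S+)\s+\([^\[\)]*\[([^\]]+)\]")


def handoff_ip(msg):
    """IP recorded in the topmost Received header (the one our server added)."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = HANDOFF.search(" ".join(received[0].split()))
    return match.group(2) if match else None


def classify(raw, trusted=TRUSTED_SUBMIT_IPS):
    """Return (verdict, handoff_ip) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    ip = handoff_ip(msg)
    # From equals To, yet the message came in from a relay we never use.
    if sender and sender == recipient and ip not in trusted:
        return "suspect", ip
    return "ok", ip


if __name__ == "__main__":
    print(classify(RAW))
```

Genuine notes-to-self sent through a trusted relay still pass, so the "block yourself and lose functionality" problem raised above does not arise.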