I'm getting backscatter from some spammer using my email - Some questions:

It seems some spammer is using my work email account as the “from” address in their spam. I’m getting about 1 “undeliverable” notice a minute. Our IT department says there is nothing they can do, as the messages are not actually coming from our servers.

Why do they use real email addresses for the “from” field? I understand why they do not use their own address. Do they use real addresses just to be dicks, or is there a technical reason?

I take it this will be followed by a whole bunch of people flaming me?

How long does this usually last?

I believe that the point to backscatter spam is to send spam to you: ie they’re deliberately sending to undeliverable addresses so that the mailserver will send the mail to you.

They use your email address so YOU get the spam. It’s a way around spam filters, since most filters don’t care about bounced email–quite the opposite, in fact; it assumes you want to know about an undeliverable email “you” sent.

We get these every so often at my work (we run our own mail servers) and there really is nothing you can do about it, so your IT guy is right.

We never get any flames from real people as a result. You’ll get a ton of undeliverables and bounces for maybe an hour and then a smattering over the next few days or so as the various other SMTP servers try and fail.

There’s no real technical reason for using your address, other than they have it and it might make it through easier if it’s whitelisted somewhere or rather their domain is blacklisted.

But I’m only getting notices that the spam was undeliverable, and automated messages from people who only accept email from approved senders. I’m not getting any of the content of the message that was sent out in my name. There’s nothing a spammer could profit from in the messages I’m getting.

I assume they use other people’s accounts as the “from” address as they don’t want to be traced and to avoid having to deal with deleting a ton of “undeliverable” notices.

Spamming is not done by thorough competent people for the most part. Some mail servers will bounce the whole email, some won’t. The spammers just sent the email to a setup that does not bounce the message. Perhaps in the past it did send the body of the email in the bounce reply.

They aren’t targeted for you (for instance, you don’t usually get a body of the message, just a subject). What usually happens is that the spammer uses your e-mail address (chosen at random) as the From: address of millions of spam messages. Some e-mail servers then, as a courtesy, send a nondelivery report (NDR) message to the name in the From: field.

Thus:

Spammer (using your name) ----> Bad e-mail address --> Server sends warning --> You

It’s not flagged as spam because NDR messages can be very useful (if you send to a wrong e-mail address, they let you know). Machines cannot differentiate between legitimate NDRs and those from spammers, so the choices are to let them all through, or bounce them all.

Many servers these days turn off the NDR features (they can also be used to harvest live e-mail addresses by spammers*), but many do not.

No one is actually seeing the messages that bounce back to you, but they will see your email addresses if they receive the spam. However, most spam filter software does a better job of blocking the messages than the NDRs.

The mailstorm dies out after a day or two, as the spammers choose another address.

*The spammer sends a million random e-mail messages to a domain, then looks for those that didn’t generate an NDR message. Those, then, are legit.

Interesting. The messages slowed down drastically, but we’re up to 110 or so “undeliverable” notices, all from different servers from all over the world, and none of them have any content. It seems the standard is now not to bounce the content.

That’s what I originally thought, I was just responding to Rysto and Q.E.D.'s comments.

The server can’t, but your email client ought to be able to. If you’re like 90+% of email users, you use only one email client per address, so it would be trivial for a client to only show you bounce messages that correspond to emails you’ve actually sent. I’m surprised more don’t do this, or at least have it as an option.
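The client-side filter the post above describes, as an added example that is not from anyone in this thread: a standard DSN bounce (multipart/report) carries the original message’s headers, so the client can keep only bounces whose original Message-ID is one it actually sent. The bounce text, addresses and Message-IDs below are constructed sample data, not real servers.

```python
import email
from email import policy

# Message-IDs of mail this client really sent (constructed sample data).
SENT_IDS = {"<20240101.abc@example.org>"}


def make_bounce(orig_id: str) -> str:
    """Build a constructed DSN-style bounce; the last part carries the
    original headers, including the Message-ID of the mail bounced."""
    return (
        "From: MAILER-DAEMON@mx.example.net\r\n"
        "To: user@example.org\r\n"
        "Subject: Undeliverable\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\r\n'
        "\r\n--B\r\n"
        "Content-Type: text/plain\r\n\r\nYour message could not be delivered.\r\n"
        "--B\r\n"
        "Content-Type: message/delivery-status\r\n\r\nAction: failed\r\n"
        "--B\r\n"
        "Content-Type: text/rfc822-headers\r\n\r\n"
        f"From: user@example.org\r\nTo: nobody@dead.example\r\nMessage-ID: {orig_id}\r\n"
        "--B--\r\n"
    )


def original_message_id(raw_bounce: str):
    """Return the Message-ID of the mail a DSN reports on, or None when the
    bounce is not a standard DSN or omits the original headers (as the
    content-free backscatter in this thread does)."""
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":          # headers only, as text
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            return str(hdrs["Message-ID"]) if hdrs["Message-ID"] else None
        if ctype == "message/rfc822":               # full original message
            nested = part.get_payload(0)
            return str(nested["Message-ID"]) if nested["Message-ID"] else None
    return None


def is_bounce_for_my_mail(raw_bounce: str, sent_ids: set) -> bool:
    """Show the bounce only if it refers to a message this client sent."""
    mid = original_message_id(raw_bounce)
    return mid is not None and mid in sent_ids
```

Bounces from servers that send a bare text notice with no original headers cannot be matched, so a filter like this hides those along with the backscatter; a client would offer it as an option rather than a default for that reason.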

You might ask your IT folks to look into systems like SPF or DKIM. They won’t have an immediate effect on this problem, but many large email servers (e.g. yahoo) are configured such that when they process mail from a domain that uses SPF or DKIM, messages that fail the checks are rejected back to the machine submitting them, rather than being accepted and then generating a bounce message.

To oversimplify a little, SPF works by creating DNS records which specify which computers are allowed to send mail from your domain, and DKIM works by having your mail server put a digital signature on your outgoing mail and having the public key for the signature available via DNS records. With both systems, big mail handlers on the internet have a way of being reasonably sure a message that says it’s from your domain is really from your domain.
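How a receiving server uses those SPF DNS records to reject forged mail at SMTP time instead of accepting it and bouncing later, as an added example that is not code from anyone in this thread. It evaluates only the ip4, ip6, include and all mechanisms; the domains and TXT records are constructed, not real zones, and the lookup is an in-memory dictionary standing in for DNS.

```python
import ipaddress

# Constructed TXT records standing in for DNS (assumed domains, not real ones).
TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, zone=TXT, depth: int = 0) -> str:
    """Evaluate a subset of SPF (ip4, ip6, include, all) for the connecting
    IP against the MAIL FROM domain's record. Returns pass/fail/softfail/
    neutral, or "none" when the domain publishes no record."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                      # no policy (or include loop guard)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                         # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                  # matches everything not matched above
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # ipaddress returns False for a v4/v6 version mismatch
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(arg, client_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                       # no mechanism matched, no "all"


def smtp_decision(domain: str, client_ip: str) -> str:
    """Receiver policy: a hard SPF fail is refused during the SMTP session,
    so the sender gets the error and no NDR is ever generated toward the
    forged From: address."""
    return "reject" if check_spf(domain, client_ip) == "fail" else "accept"
```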