It’s not actually being sent from my account, but I know there’s spam out in the world being masked and showing up in people’s inboxes as being from spamityspam@[mydomain].com. Very occasionally I’m unable to send someone a message as their servers have blocked my domain because of this. Occasionally I get spam “returned” to my inbox as being unable to send, like so:
Now, I categorically did not send that, and have never, to my knowledge, discussed the selling or purchasing of any erectile dysfunction medications, online or off. I also don’t recognize any of the other information contained in the header.
Is there anything I can do to stop this kind of thing?
Odds are, the spam isn’t being sent from your domain. The spammer’s just putting your domain name in the “sent from” box. And no, there’s nothing you can do about it.
I get a lot of spam bounces to my domain as well. I just set GMail to forward emails that complain about it into my spam folder. Nothing I can do about it, so why bother reading it?
I realize that what I said may not be crystal clear
The spf record says “These server(s) are authorized to send from my domain”, and then receiving mail servers can (optionally) check the spf record to see if the mail was sent from the right server. It doesn’t stop the mail getting sent or rejected, but it can stop your domain getting flagged as a spammer.
This is the equivalent of someone putting your name as the return address on a letter that someone else is sending, and it’s just as impossible to prevent.
It’s called back scattering (or backscattering). I’ve been the victim of it as well. There is apparently little or nothing you can do about it - at least not once it’s happened.
When you first register your domain and create your website, you can take some precautions to lessen the risk of it happening. The point is to eliminate any plain text reference to your domain anywhere on your site, because this makes it easy for spiders and bots to harvest your domain name. If you must include a reference to your own domain, include extraneous characters and tell human readers to ignore them e.g. contact john@mydomainxxx.com (but delete the xxx bit). Humans can do this easily, spiders and bots can’t do it. Or only include your domain name embedded in a graphic. This isn’t the perfect solution, but it eliminates one common source of the problem.
The same thing can happen with regular postal mail, too, you know.
A few years ago, we had a situation where some cowardly bigot would send crude anti-gay letters to any person mentioned in the newspaper as being gay, saying anything positive about a gay person, law enforcement people who arrested or prosecuted any gay bashers, etc. In the return address spot on the mailing envelope, he would put the address of someone else, often a local black or native american organization, or the home address of a community leader in one of those groups.
Besides hiding his own address, he was apparently trying to incite bad feelings between various Twin Cities minority groups.
So using a false return address is not new to Internet spam!
On the other hand, users can’t click on such links (if you make them so they can, the robot can harvest the actual address), which makes them a lot less useful for actual businesses. Relying on your customers to *type *a URL, or carefully delete characters out of an email address in their “send” line, regardless of how short or simple, is a good way to reduce your customer base. Some won’t be able to figure out how to do it, others won’t be bothered, and some won’t even notice that they have to, and will end up sending their messages nowhere. Plus, it makes you look like a fly-by-night business that can’t afford a real spam filter (or worse, doesn’t know how to use one). So it depends on exactly what the domain name is used for whether this greeking of addresses is a good idea.
