Blog

That spam did not come from your email

hacker-hand

It can happen to anyone who has an email address, and it’s likely to happen to folks whose email addresses have been around for awhile and are publicly visible: You’ve never sent a spam message, but suddenly your inbox is filled with angry complaints and bounced email notifications claiming that you did.

How did this happen?

A spammer chose your email address to insert into the “From” spot in a spam email campaign. Spam almost never originates where it says it does. Spammers send spam that says it’s from someone other than the real sender. And, a spammer usually picks an email address on a whim to insert into the “From” designator in the spam email’s source code. If your email address is the one chosen by a spammer, you’ll likely be receiving bounce notices for a few months until the spammer moves on and uses someone else’s email address as the false sender instead of yours.

Spam is like carpet bombing — a spam campaign is sent to thousands or even millions of non-existent email addresses, in the hope that even a few of those addresses are real. So, when your email address is listed as the sender, you’ll start receiving all the notices from email services that receive all those spam messages “from you” to all those non-existent email addresses.

A hacker? No, just a spammer

Chances are, no one has hacked into your email account, and no one is using anything of yours to send email. If that happened, the email would say it was from somebody else. Instead, all a spammer has to do is write your email address in the source code of a spam message.

Email technology has been around since the 1960s and hasn’t changed much since then. It is inherently insecure and unreliable. It’s easy for anyone who understands the underlying mechanics of email to spoof a message to make it appear that it came from you, or me, or anyone.

The email programs that you and I use, such as Apple Mail, Gmail, and Windows Mail, do not allow us to write the part of an email message’s source code that spammers use to spoof email senders in this way. But spammers use custom-programmed email software available on the black market that does allow it. They can also do this using simple Unix commands.

So, it’s like a nasty kind of lottery. This happened to me about eight years ago, and for about two months I received between 300 and 1,000 spam messages a day. Then, the wave moved on and things went back to normal.

Another problem with this is that average spam filters don’t always work very well against these bounce notices, because the bounce notices are not actually spam. They’re legitimate messages telling you that a spam message has bounced. A “bounced” email message is equivalent to a postal mail letter that has been returned to the sender.

Imagine that a junk mail factory sent out millions of flyers to random addresses all over the world, and put your return address on the envelope, and sent them with first class postage. You’d suddenly receive hundreds or even thousands of returned, undeliverable mail at that return address, even though you never sent out a single letter.

What you can do about it

To deal with this situation, you could create a rule in your mail program that automatically throws out any message with “bounce” in the subject or in the sender’s email address. That will toss a lot of the bounce notices. But unfortunately, the only thing we can do, ultimately, is wait for the spammer to move on to using someone else’s email address.

Fortunately, internet service providers generally understand that this is how spam works, so you won’t likely ever be penalized for sending spam as a result of a spammer spoofing your email address into the “From” blank. But you might get angry emails from people who don’t understand this aspect of the nature of spam. Feel free to send them here for an explanation if you like.

Scroll to Top