26

We've started to receive bounced spam messages and the sender is one of our email addresses. We know that we don't send spam from that address. We've tried changing the password but we're still receiving these bounced emails.

Note: This email account is not configured in an email client. We only access it through the browser, using HTTPS.

How do we prevent spammers from using our email address to send spam? I've googled around and almost every website says that forging the "From" address is pretty easy using an email client and it is impossible to stop these kinds of spammers.

Note: We're using the email functionality in a shared hosting account, not hosting an email server ourselves. Even the tech support says "Not a whole lot we can do about stopping that."

hsym
  • 6
    You sign your emails with your signed GPG / PGP key, then the recipient can verify your identity. – Tom O'Connor Mar 21 '11 at 10:28
  • The sender is probably not one of your email addresses. It's supplying an incorrect email address. – Barfieldmv Mar 21 '11 at 13:43
  • I've had the same problem today. What was weird, though, is that all the recipients were from my contacts (people I had received email from before). Any reason to worry? – Franz Mar 21 '11 at 14:20
  • 1
    SMTP is modeled on the postal system. When you send a letter, you can put any return address you want on the envelope (or none at all). In hindsight, some people think the postal analogy is a bad one, since there's no incremental cost to most end users for sending mail. –  Mar 21 '11 at 14:36
  • 3
    You should have the domain implement SPF and DKIM, as well as signing your emails with GPG or S/MIME. This will not prevent spammers from pretending to be you, but it will reduce the risk of someone claiming that it is you who sent the spam, as all your legitimate mails will prove that they are sent by you and no-one else. – MattBianco Mar 22 '11 at 10:40
  • 1
    @Franz: someone probably got a virus that looked through your or someone else's address book to find victims. – MattBianco Mar 22 '11 at 10:41
  • I'm having the same problem with a shared-hosting email account. From the answers here I'm guessing changing hosts will not solve the problem? – Cai Aug 11 '16 at 08:32

7 Answers

36

Short Answer: You can't.

For more info, this gives a basic explanation as to why.

This shows how easy it is to do. It's just the nature of SMTP, it's insecure!

Just because an email appears to come from somebody, it doesn't mean it did.

Bryan
  • +1 for the link explaining that spoofing and someone else's reply-to could be the cause. – Jeff Mar 21 '11 at 13:47
  • 2
    +1: As an exercise in email, I learned how to spoof sender addresses. There's really nothing anyone else can do about it. – John Mar 21 '11 at 15:11
  • 9
    It's just like snail mail. Anyone can write your address on the envelope to make it look like you sent it, but it doesn't mean you did. In email it's just changing a few fields of data to have the same effect. – MaQleod Mar 21 '11 at 16:07
  • Given (infinite) time, you could stop it by contacting everybody that receives email, and help them implement SPF and DKIM verification as well as other spam prevention techniques such as greylisting, DCC, Razor and bayesian filtering. The problem won't go away until email is redesigned, or everybody agrees that spam is a nuisance worth fighting. – MattBianco Mar 22 '11 at 10:47
26

You could set up SPF records for your email domains, however this will only have a limited effect, if any.

jamespo
  • 9
    SPF is supposed to be the solution to this problem, but it is only effective if the receiving mail server has been set up to use SPF records. The more it is implemented, the more effective it will become. – ManiacZX Mar 21 '11 at 09:04
  • 2
    SPF also breaks some fundamental parts of the way email systems work. Before adding it it is worth bearing in mind it may stop some of your legitimate mail from being delivered. (and obviously restrict where you can send mail from) – JamesRyan Mar 21 '11 at 10:26
  • 4
    @JamesRyan, SPF itself doesn't break anything. Systems **requiring** its use are what break things. – John Gardeniers Mar 21 '11 at 10:52
  • 1
    SPF breaks store and forward. You can not make exceptions for when you want to do this, on the machine which is filtering based on SPF, because how can it know if that is valid or a spoofer? Very few systems require SPF because its takeup is not widespread, but if you have the wrong SPF record for what you are doing then many systems **will** block you and rightly so. Because what is the point of having SPF if everyone is going to ignore it and pass on the mail anyway? – JamesRyan Mar 21 '11 at 11:31
  • 1
    @JamesRyan, SPF doesn't break store and forward at all. Re-read my previous comment. – John Gardeniers Mar 21 '11 at 20:33
  • 1
    It does break store and forward because the server storing and forwarding is not the one assessing that the SPF record matches. Your comment is incorrect, practically no servers require you to have an SPF record, but when you do then you have opted in to a broken system. – JamesRyan Mar 21 '11 at 21:00
  • The problem with SPF and forwarding is the lack of a method for only doing the lookup at the first delivery, and trusting that first lookup. DKIM (or plain PGP) should work for store and forward. – MattBianco Mar 22 '11 at 10:51
12

Tech support is wrong. There is nothing you can do to stop someone else sending email as if it came from your account(s). Only the receiving system can do anything about it. Measures such as SPF, DKIM and the like help the receiving systems validate senders but such things are not a requirement by any standards and those systems which enforce such things are in fact very broken.

If mail systems did proper checks of the headers to determine whether or not the sender address has been spoofed they could either send an NDR or just quietly drop it based on the results. This wouldn't have any effect on the problem of sender spoofing but would stop us receiving NDRs for messages we didn't send.

For now, just get used to it. It's a normal part of daily life on the Internet and is unlikely to go away any time soon.

John Gardeniers
  • This is only half true. A legitimate sender could send something in their e-mails which [proves their identity](http://blogs.msdn.com/b/mvpawardprogram/archive/2012/04/09/use-digital-ids-certificates-to-prove-your-identity-in-outlook-email-transactions.aspx). – Alex W Oct 09 '14 at 17:49
6

As others have said, you can't stop the spammer from using your address or do much to prevent the receiver from sending you a bounce. Those receiving servers are already misconfigured at least one way: they should have rejected the message without accepting it. That would make it the sender's job to produce a bounce, which the spam software is not going to do. Instead they accept it and later reject it with a bounce. It is probably too much to hope that they'll implement SPF or similar systems.

With SpamAssassin you can use http://wiki.apache.org/spamassassin/VBounceRuleset and set the score for ANY_BOUNCE_MESSAGE (somewhat misleading name: it's any fake bounce message) to a nonzero value. That will save you from having to see the bounces in your inbox. It appears to be at least somewhat effective: In the last 72 hours I've classified 44 messages (out of 11368 spam messages) to my personal address as ANY_BOUNCE_MESSAGE spam.

Ben Jackson
3

You need to consider whether the spammer has sent the email from your address to a billion other addresses, or whether the spamming engine they used to send the email used the recipient's own email address in an attempt to foil spam filters.

If the former, you may have a big problem with reputation (unless you actually are a Viagra salesperson). But I think the latter is more likely, and the solution to that is to look at your own spam filtering solution.

How can you tell which has happened? Are you (or your postmaster) also getting bounce messages containing the spam as an attachment or fragment in the body? If so, then your email address has definitely been used to send the message to many recipients. If you aren't getting bounces, it doesn't guarantee your address wasn't used, but it suggests it either wasn't, or the message didn't go to that many people.

dunxd
  • I think this is probably the most important answer here. Almost every email that I see in my Gmail Spam box that appears to be sent from me is also only addressed to me. Not a single bounce-back to postmaster@mydomain. – Matthew Schinckel Mar 22 '11 at 10:39
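
The two answers above both turn on bounces for mail you never sent. As an added example (not part of either answer), the sketch below triages a bounce by looking at the returned copy of the original message: if none of its Received headers names a relay your real mail leaves through, the bounce is backscatter. The VBounce ruleset's whitelist_bounce_relays option works on the same idea. The relay name, addresses and sample bounce are constructed.

```python
import email
import re
from email import policy

# Assumption: hosts that this domain's real outbound mail passes through.
OUR_RELAYS = {"mail.example.com"}

def make_bounce(origin_host: str) -> str:
    """Constructed sample DSN; the returned original claims to come via origin_host."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.recipient.example",
        "To: info@example.com",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "",
        "--b1", "Content-Type: text/plain", "",
        "Delivery to nobody@recipient.example failed.",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.recipient.example", "",
        "Final-Recipient: rfc822; nobody@recipient.example",
        "Action: failed", "Status: 5.1.1",
        "--b1", "Content-Type: message/rfc822", "",
        f"Received: from {origin_host} by mx.recipient.example; Mon, 21 Mar 2011 10:00:00 +0000",
        "From: info@example.com", "To: nobody@recipient.example",
        "Subject: hello", "", "body",
        "--b1--", "",
    ])

def via_our_relay(received: str) -> bool:
    """True if a Received header names one of our relays as a whole hostname."""
    return any(
        re.search(r"(?<![\w.-])" + re.escape(relay) + r"(?![\w.-])", received.lower())
        for relay in OUR_RELAYS
    )

def classify(raw: str) -> str:
    """Label a message as genuine-bounce, backscatter, or not a bounce at all."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the returned copy of the message
            hops = [str(h) for h in original.get_all("Received", [])]
            # Triage only: headers in a returned copy can themselves be forged.
            return "genuine-bounce" if any(map(via_our_relay, hops)) else "backscatter"
    return "no-original-attached"
```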
1

As many correct answers express, you can't avoid it (unfortunately!). Other answers point out correctly that you could talk to the authorities; you should, but these things are complicated and take time and money.

The only thing I would like to add then is that you should instruct your clients and providers, tell them about this situation and that there is nothing you really can do about it. Ask them to be aware and to contact you directly if they have any suspicion.

Try to find out what possible vulnerabilities they could be searching for, i.e. trying to get passwords or credit cards. Warn the people around you about this specifically and what the usual procedures are, so that they can be suspicious.

Good luck!

Trufa
0

Sue them. Sending spam messages and impersonation is illegal, so trace the spammers and report them to the police.

Peter Smit
  • 5
    Maybe if you track their IP address using a GUI interface written in Visual Basic... – sourcenouveau Mar 21 '11 at 15:54
  • Sue them? For what? Impersonation isn't illegal any place I'm familiar with. If it was then about 100 million Elvis impersonators around the world would be in deep doo doo. – John Gardeniers Mar 21 '11 at 20:36
  • @John Try to sign a letter as somebody else and see what happens... – Peter Smit Mar 21 '11 at 21:27
  • @all, this answer was a small bit of a joke. In principle, it is the only way to get governments really pursuing this, if we all go to the police and report our spam messages. Other answers have already pointed out that all technical measures also fail. – Peter Smit Mar 21 '11 at 21:28