Can email spoofing be prevented?

50

10

My wife's email account was hacked and the attacker got her address book. I don't know if the attack was on her local email client (Thunderbird running on Windows 7) or on the server (hosted at GoDaddy). Either way, the contact list data is out there and I can't undo that. I have changed all passwords, updated security, etc., and I don't think there have been any further intrusions.

However, whoever did this has been sending huge amounts of spam, using my wife's name as the "sender". They go quiet for a while, and then so often I wake up to a few dozen emails from my wife, which of course she didn't really send, and every other person in her address book gets these as well. And because her address book was full of many dead addresses, my wife gets hundreds of "Mail Delivery Failed" bounceback messages, as well as hundreds of emails rejected by the receiving domain as spam. The people in her contact list are getting angry, and it's becoming a real problem.

I have asked GoDaddy about this, and they say that any person A can send an email to b@bbb.com claiming to be c@ccc.com, and there is no email infrastructure in place to verify that person A is authorized to send an email from ccc.com. Consequently, there's absolutely nothing I can do about this, and this spammer will be able to harass people, damage my wife's reputation, get her email blacklisted, etc. and there is no way to stop it.

Is this true, or is there anything I can do to stop these spammers, or at least mitigate the damage?

Joshua Frank

Posted 2015-12-04T15:03:26.833

Reputation: 1 431

27Yes, that's true. – Run CMD – 2015-12-04T15:05:01.550

1Short answer, yes; long answer, no, but it must be set up in advance, and requires advanced configuration both on the source account and in the clients of every recipient. The process involves using encryption and digital signatures to protect and verify the contents, as well as authenticate the sender. Look into Gnu Privacy Guard if you are interested, but it is somewhat advanced stuff, especially to get your recipients set up. – Frank Thomas – 2015-12-04T15:25:31.933

14I can throw an envelope in the mail that says it's from the President if I want to. Heck, it can say it's from God. Talk to the email administrator for the domain her email address is with. – David Schwartz – 2015-12-04T19:14:29.960

@DavidSchwartz: what should I ask them? I know that you can claim to be God, but is there anything the host can do that would provide any kind of authentication for people making claims like that? – Joshua Frank – 2015-12-04T19:19:36.227

7Your wife has a virus on her computer. It wasn't a "hacker"... this is very common for viruses to access your outlook/thunderbird address book and spam everyone on it. Fix the virus, or it'll keep happening. – SnakeDoc – 2015-12-04T19:39:01.167

4The person being spoofed cannot stop it (unfortunately for you), but the recipients can use some tools to attempt to reduce the amount of spoofed mail they receive. – Todd Wilcox – 2015-12-04T20:10:49.370

1@JoshuaFrank Hard to know without more context. There are things like SPF and DKIM. Talk to them and get competent email administrators working on the problem. They'll have all kinds of information we don't, such as how the domain is currently set up, the headers from the emails, and so on. – David Schwartz – 2015-12-04T20:37:09.007

@SnakeDoc: her machine was dying anyway, so I got her a brand new one, and I think that fixed it. – Joshua Frank – 2015-12-04T21:06:22.907

4When you receive one of those e-mails, check the full headers of the e-mail, and of those, check the "Received:" headers. It will give you an indication of whether the e-mails are actually coming from someone else, or from your wife's computer (due to a virus on that computer). – jcaron – 2015-12-05T10:26:46.970

First of all, I'd suggest changing domain provider. Yours doesn't sound reliable: their server should be able to tell if it actually sent an email or not (and do the right redirection). – algiogia – 2015-12-07T09:56:41.097

Ragnarok it. Archive her e-mail account, create a new one, let people know they should block the old one (as she'll never send another e-mail from it) and start afresh in a new land. – deworde – 2015-12-07T16:34:55.380

@deworde: That will still push the burden of dealing with the problem to a bunch of mostly nontechnical people who won't know what to do, and then we won't even know when it's happening because we won't get the bouncebacks. I'm trying to stop it from happening in the first place. – Joshua Frank – 2015-12-07T17:28:23.947

1@JoshuaFrank Oh, I understand that, but given the existing answers and what I understand of the SMTP protocol, your wife's account simply isn't involved in the process at this point; it's just a line of text in some metadata, that could read "banana@instahack.com" if they thought that would get the work done. Any validation has to be done on the recipient side, and simply blocking an e-mail address is arguably easier than the alternatives. I can tell my grandma how to mark my old e-mail as "always spam", I can't get her to set up DKIM against my domain. – deworde – 2015-12-07T22:26:00.673

@deworde: But these people are mostly at aol.com or gmail.com, and surely those guys can do spoof detection with some accuracy? – Joshua Frank – 2015-12-08T14:11:45.953

Answers

46

It is indeed very hard to solve the problem of e-mail spoofing in a general way, due to the simple and highly distributed way the protocol is designed.

The physical letter analogy holds up quite well in this example: I can put a letter into the post, and write on it that it comes from your house; I don't need to have broken into your house to do this, just drop it in a public post box. And if the post is marked "return to sender" it may well end up being "returned" to you, even though you didn't write it. The same happens with e-mail: anybody can deliver a message into the system, with a To and a From address; the server you send mail from may not be the same one you receive mail to, and there's no centralised service verifying your identity when you drop a message into the system.

There are two general approaches to solving this:

Digital signatures are a way of including in a message a kind of signature or seal which only the real sender knows how to generate (using a private key which they never share). The recipient can then verify the signature using a public key which mathematically proves who produced the signature (and that it matches the received text).

This is not, however, very useful for your example, because it doesn't prevent the messages being delivered, and requires recipients to know the public key, or a verified location to retrieve it.

Domain-based sender verification systems have been developed to try to prevent spam. These store data in the DNS (directory lookup) for the domain of the address (the part after the @) which allow a receiving system to verify if a mail is legitimate. One system, SPF, lists which systems are allowed to send mail on behalf of that domain; another, DKIM, stores public keys used similar to the digital signature approach above, but for verifying the transmitting system, rather than the actual sender.

(To slightly over-extend the physical letter analogy, SPF is like publicly saying "I only post letters using this post box" and DKIM is like publicly saying "I always send mail from this post office which prints a tamper-evident label for me".)

These would be more relevant to your case - if your wife were using a custom domain, an appropriate SPF or DKIM setup would cause many systems to silently reject mail which she had not sent herself (or mark it as spam, without attributing it to her). However, it only works at the domain level, not the individual address, and some recipient systems may not check the records.

IMSoP

Posted 2015-12-04T15:03:26.833

Reputation: 638

The domain level would be sufficient for me, since the email address in question is on a custom domain, and is in fact the only one. But how reliable are these measures, and can they be circumvented by spammers? Do most major ISPs and email providers use SPF and DKIM lookups, or are they more like proposals without wide adoption? – Joshua Frank – 2015-12-04T19:10:55.397

4@JoshuaFrank - Almost every legitimate company properly configures (SPF, DKIM, etc.) to mitigate the problems you describe. It really depends on if you have the technical skills to do it and the resources to implement those solutions. – Ramhound – 2015-12-04T20:18:27.320

4The key question is whether the recipient service verifies the SPF / DKIM headers, and what they do with the information. Luckily many people now use webmail services like Hotmail/Outlook.com and GMail, which tend to be quite good at that kind of thing, but some smaller ISPs might not have very good filtering, in which case there's nothing you can do to stop them receiving the mail. Still, worth a try - SPF is generally pretty easy to set up. – IMSoP – 2015-12-04T22:57:11.570

@JoshuaFrank it is very difficult for a spammer to circumvent these messages - they would need to use the same provider that you use for sending email, which would make them trackable and is unlikely. SPF is widely adopted, however it is not universal, and where it is adopted it will often be used as a signal as to the likelihood of the message being spam, and will not guarantee non-delivery of spam by itself - but it can make a big difference. – davidgo – 2015-12-05T00:54:10.547

6+1. SPF, DKIM, and DMARC all combined together are an amazingly powerful weapon when systems actually bother listening to them. – Kaz Wolfe – 2015-12-06T13:49:08.103

Doesn't the fact that OP's wife receives delivery reports mean that the hacker is using her email account to send spam? – Dmitry Grigoryev – 2015-12-07T12:30:48.750

2@DmitryGrigoryev Short answer: no. Long answer: see new paragraph added at top of answer. – IMSoP – 2015-12-07T13:40:07.317

@DmitryGrigoryev: No, all it means is that the spammer spoofed the MAIL FROM address in the SMTP protocol negotiation, in addition to the From: MIME header. – Ben Voigt – 2015-12-07T16:08:30.010

16

Emailing all the live contacts in her address book & telling them about the email spam problems would probably help. And now's as good a time as any to remove any dead contacts from the list.

Using PGP/GPG in the future would be a near-perfect solution for private users & senders to verify for themselves that an email is actually sent from the sender, and could hide/encrypt the contents of messages too so they're only seen by the intended receiver. But, though PGP has been available for decades now, it's not universally super easy for anyone to start using, and web-only mail (like Gmail, etc.) makes it hard to keep the secret parts truly secret to just you and still easy to use from anywhere...

Email Authentication

There are things that can be done to authenticate to email receivers (at least some, like Yahoo & Google & others, that "represent a high percentage of Internet email users" - DMARC FAQ) that a message that says it's from your domain really is from your domain. They use DMARC, which "allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message" - DMARC FAQ.

Changing to a different email address could help in the short term too, then you & everyone else could safely ignore / "mark as spam" all further messages from the spammers. But even if that's not your main concern since they're "obviously super-spammy spam" and no one's being fooled, you probably want to look into stopping the "from:" line from being easily spoofed, since if enough users always "mark as spam" your wife's business email, spam filters will probably start throwing out all messages from that address.

Email Authentication should help the sending & receiving mail servers to verify that messages are actually sent from who they say they're from. I've found some info on Gmail; since it's one of "the big three" email companies it's probably a good place to start. Even switching email providers to one that's already set up / authenticated, like Gmail for Business, should help & might be easier, but shouldn't be necessary, although judging by your response from GoDaddy they might not be your dream host.

Gmail's help on Email Authentication has some advice for sending domains:

If you’re a sending domain

Messages with DKIM signatures use a key to sign messages. Messages signed with short keys can be easily spoofed (see http://www.kb.cert.org/vuls/id/268267), so a message signed with a short key is no longer an indication that the message is properly authenticated. To best protect our users, Gmail will begin treating emails signed with less than 1024-bit keys as unsigned, starting in January 2013. We highly recommend that all senders using short keys switch to RSA keys that are at least 1024-bits long. Authentication is highly recommended for every mail sender to ensure that your messages are correctly classified. For other recommendations see our Bulk Senders Guidelines.

Authentication by itself is not enough to guarantee your messages can be delivered, as spammers can also authenticate mail. Gmail combines user reports and other signals, with authentication information, when classifying messages.

Similarly, the fact that a message is unauthenticated isn’t enough to classify it as spam, because some senders don’t authenticate their mail or because authentication breaks in some cases (for example, when messages are sent to mailing lists).

Learn more about how you can create a policy to help control unauthenticated mail from your domain.

The last link Control unauthenticated mail from your domain is particularly relevant:

To help fight spam and abuse, Gmail uses email authentication to verify if a message was actually sent from the address it appears to be sent from. As part of the DMARC initiative, Google allows domain owners to help define how we handle unauthenticated messages that falsely claim to be from your domain.

What you can do

Domain owners can publish a policy telling Gmail and other participating email providers how to handle messages that are sent from your domain but aren’t authenticated. By defining a policy, you can help combat phishing to protect users and your reputation.

On the DMARC website, learn how to publish your policy, or see the instructions for Google Apps domains.

Here are some things to keep in mind:

  • You'll receive a daily report from each participating email provider so you can see how often your emails are authenticated and how often invalid emails are identified.
  • You might want to adjust your policy as you learn from the data in these reports. For example, you might adjust your actionable policies from “monitor” to “quarantine” to “reject” as you become more confident that your own messages will all be authenticated.
  • Your policy can be strict or relaxed. For example, eBay and PayPal publish a policy requiring all of their mail to be authenticated in order to appear in someone's inbox. In accordance with their policy, Google rejects all messages from eBay or PayPal that aren’t authenticated.

More about DMARC

DMARC.org was formed to allow email senders to influence unauthenticated mail by publishing their preferences in a discoverable and flexible policy. It also enables participating email providers to provide reports so that senders can improve and monitor their authentication infrastructure.

Google is participating in DMARC along with other email domains like AOL, Comcast, Hotmail, and Yahoo! Mail. In addition, senders like Bank of America, Facebook, Fidelity, LinkedIn, and Paypal have already published policies for Google and other receivers to follow.

For more information, please refer to this post in the Official Gmail Blog.

Other helpful looking links:

Xen2050

Posted 2015-12-04T15:03:26.833

Reputation: 12 097
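To make the SPF, DKIM and DMARC mechanics from IMSoP's and Xen2050's answers concrete, here is an added Python sketch (not code from the question, the answers, or any mail provider) of what a receiving server does: it evaluates SPF for the envelope sender's domain, checks whether the SPF or DKIM identity aligns with the visible From: domain, and then applies the published DMARC policy. The DNS records, IP addresses and messages are constructed stand-ins, and the organizational-domain logic is simplified.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups. A real receiver queries live DNS;
# the domains and addresses below are reserved documentation values, not real hosts.
DNS_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:reports@example.com",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.spammer.example": "v=DMARC1; p=none",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class Message:
    client_ip: str              # address the SMTP client connected from
    mail_from: str              # envelope sender given in SMTP MAIL FROM
    header_from: str            # address in the RFC 5322 From: header (what the reader sees)
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, or None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the ip4/ip6/include/all terms of a domain's SPF record."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # RFC 7208 caps DNS lookups at 10
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and client in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and check_spf(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]
        if name == "all":
            return QUALIFIERS[qual]
    return "neutral"


def parse_dmarc(domain: str) -> Optional[dict]:
    record = DNS_TXT.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {"p": tags.get("p", "none"),
            "aspf": tags.get("aspf", "r"), "adkim": tags.get("adkim", "r")}


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real code consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) accepts subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain
    return org_domain(auth_domain.lower()) == org_domain(from_domain)


def dmarc_disposition(msg: Message) -> str:
    """'pass' if an aligned SPF or DKIM result passes, otherwise the published policy."""
    from_domain = domain_of(msg.header_from)
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "no-policy"  # domain never opted in; receiver falls back to its own heuristics
    spf_domain = domain_of(msg.mail_from)
    spf_ok = (check_spf(msg.client_ip, spf_domain) == "pass"
              and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_ok = (msg.dkim_domain is not None
               and aligned(msg.dkim_domain, from_domain, policy["adkim"]))
    return "pass" if spf_ok or dkim_ok else policy["p"]


if __name__ == "__main__":
    samples = {
        "genuine, sent from a listed relay": Message("198.51.100.7", "alice@example.com", "alice@example.com", None),
        "spoofed From, unlisted IP": Message("203.0.113.9", "alice@example.com", "alice@example.com", None),
        "SPF passes for the spammer's domain but From is misaligned": Message("203.0.113.9", "bot@spammer.example", "alice@example.com", None),
        "forwarded: SPF breaks, aligned DKIM still passes": Message("203.0.113.9", "fwd@relay.example", "alice@example.com", "mail.example.com"),
    }
    for label, m in samples.items():
        print(f"{label}: {dmarc_disposition(m)}")
```

The third sample is why SPF alone is not enough: a spammer can pass SPF for a domain they control while forging the From: header, and it is the DMARC alignment check that catches it.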

6Unfortunately, for most people, setting up PGP/GPG, and using it consistently enough that people can ignore unsigned messages, is probably not feasible - particularly because for this particular scenario each recipient needs to set up and understand the system in order to not be impacted by the existing spam. – IMSoP – 2015-12-04T17:26:59.967

5A simple way to verify that email is from your wife would be to have her email every one of her contacts, let them know about the attack and tell them "All legitimate mail from me in the future will have This really is Mary* in the subject line". More sophisticated users will set up a filter to reject mail that doesn't have that, basic users can manually delete mail that doesn't have that. This would be a very simple form of digital signature that even grandma could get the hang of. *Substitute your wife's name here. ;) – FreeMan – 2015-12-04T18:10:33.470

1The spam is very spammy, so there's no question that the emails aren't really coming from my wife, such that she should prove her humanness when writing a genuine email. The problem is that people are receiving the spam, and getting annoyed with my wife, even though it's not her fault. Requiring all recipients to be sophisticated enough to use PGP or create mail filters based on passphrases isn't really possible, and wouldn't stop the onslaught of the spam that's annoying them. – Joshua Frank – 2015-12-04T19:17:51.113

This is usually caused by a virus, so simply changing email addresses will have zero effect unless you remove the virus first! – SnakeDoc – 2015-12-04T19:39:50.900

@FreeMan except that anyone could duplicate the "signature" in the subject. With GPG, the private key used for signing messages is not distributed. – Nathan Osman – 2015-12-04T20:02:46.397

That's quite true, @NathanOsman (I did indicate that it was a very simple digital signature), however, This is really Mary has never been the subject line of a spam message I've received! This would make it very easy to write a rule/filter to delete any messages that weren't from the real sender. However, we're drifting OT from the original question... – FreeMan – 2015-12-04T20:09:03.320

Of course I'm assuming that you're NOT using a currently infected computer; that's step zero. And everyone really should use pgp/gpg; it's been literally decades but it's still not super easy to use all the time, and with web-only mail like Gmail et al. there are more concerns about you keeping your secret key really secret. I've got an idea about getting emails authenticated with Gmail/google too, editing into answer – Xen2050 – 2015-12-06T13:35:14.220

10

What can be done depends on how much of the infrastructure you have control over, and whether you are using your own domain name or simply have an address under a domain controlled by somebody else.

If you have your own domain, it is easy to switch to a new email address under the same domain. Additionally you can set up DNS records to tell the world that all emails from your domain are supposed to be digitally signed. (SPF, DKIM, and DMARC are the terms to search for if this is the approach you want to take.)

You cannot expect everybody to verify these signatures, so even if you do set up DNS records indicating that email from your domain must be signed, there will still be abusers sending unsigned emails claiming to be from your domain and receivers accepting those unsigned emails.

If you do not control the domain, then changing the email address is not as easy, and you have little influence on whether DNS records are used to limit the ability to spoof the domain in outgoing emails.

The problem with spam messages using a spoofed source address causing bounces coming back to the legitimate address is at least in principle easy to solve.

You can record the Message-ID of all emails you are sending. All bounces need to include the Message-ID of the original message somewhere - otherwise the bounce is completely useless anyway, because that is what tells you which message got bounced. Any bounced message which does not contain a Message-ID you have previously sent can be sent straight to the spam folder or be rejected at receiving time (which has the nice benefit of pushing the problem one step closer to the source).

Bounces can be told apart from other emails by the MAIL From address. Bounces always have an empty MAIL From address, other emails never have an empty MAIL From address.

So if MAIL From is empty - and the DATA does not contain a Message-ID you previously sent, the mail can be safely rejected.

That's the principle. Turning it into practice is a bit harder. First of all the infrastructure for outgoing and incoming emails may be separate, that makes it problematic for the infrastructure for incoming emails to always know about every Message-ID which has gone through the infrastructure for outgoing emails.

Additionally some providers insist on sending bounces that do not conform with common sense. For example I have seen providers sending bounces containing no information whatsoever about the original email which was bounced. My best recommendation for such useless bounces is to treat them as spam, even if they originate from an otherwise legitimate mail system.

Remember that whoever has obtained the list of email addresses can put any of the addresses as source address and any of the addresses as destination address. Thus unless you have additional information you can't be sure the leak even happened from your own system. It may be any of your contacts who leaked the list of addresses including yours.

The more you can figure out about which addresses are on the leaked list and which are not, the better you will be able to figure out where it was leaked from. It might be you have already done this and concluded that the leak must have originated from your contact list since none of your contacts would have known all of the addresses confirmed to have been leaked.

My approach to that is to use my own domain and a separate email address under that domain for each contact I communicate with. I include the date of first communication with the contact in the mail address, such that it could look like kasperd@mdgwh.04.dec.2015.kasperd.net if I were to write an email to a new contact today. That approach obviously isn't for everybody, but for me it surely helps know exactly who has been leaking a list of email addresses where one of mine is on. It also means I can close the individual addresses such that only the person who leaked my address has to update their contact information for me.

kasperd

Posted 2015-12-04T15:03:26.833

Reputation: 2 691
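The Message-ID bookkeeping described in this answer, as an added Python example (not code from the answer): the outbound path records every Message-ID it hands to the MTA, and the inbound path rejects any null-sender bounce whose DATA does not reference one of them. All messages, addresses and IDs are constructed; the shared ID store between outgoing and incoming infrastructure is assumed.

```python
import re
from typing import Dict, Set

# Matches a Message-ID header wherever it appears in the DATA, including inside
# the original headers that a well-formed bounce quotes back.
MSGID_RE = re.compile(rb"Message-ID:\s*(<[^>]+>)", re.IGNORECASE)


class BounceFilter:
    """Accept null-sender bounces only when they refer to a Message-ID we sent."""

    def __init__(self) -> None:
        # Hypothetical store of outgoing Message-IDs. When outgoing and incoming
        # mail run on separate hosts this set must be shared between them.
        self.sent_ids: Set[bytes] = set()

    def record_outgoing(self, data: bytes) -> None:
        """Called by the outbound path for every message handed to the MTA."""
        match = MSGID_RE.search(data)
        if match:
            self.sent_ids.add(match.group(1))

    def decide(self, mail_from: str, data: bytes) -> str:
        """SMTP-time decision from the envelope sender and the DATA payload."""
        if mail_from.strip("<> ") != "":
            return "accept"   # real reverse-path: not a bounce, normal filtering applies
        referenced = set(MSGID_RE.findall(data))
        if referenced & self.sent_ids:
            return "accept"   # genuine DSN for something we actually sent
        return "reject"       # backscatter, or a bounce too vague to be useful


# Constructed sample traffic (all addresses and IDs invented for this example).
OUTGOING = (b"From: mary@example.com\r\nTo: friend@example.net\r\n"
            b"Message-ID: <20151204.0001@mail.example.com>\r\nSubject: hello\r\n\r\nHi!\r\n")

LEGIT_BOUNCE = (b"From: MAILER-DAEMON@example.net\r\nTo: mary@example.com\r\n"
                b"Message-ID: <dsn-42@mx.example.net>\r\nSubject: Mail Delivery Failed\r\n\r\n"
                b"The original message headers follow:\r\n"
                b"Message-ID: <20151204.0001@mail.example.com>\r\n")

BACKSCATTER = (b"From: MAILER-DAEMON@victim.example\r\nTo: mary@example.com\r\n"
               b"Message-ID: <dsn-9@mx.victim.example>\r\nSubject: Mail Delivery Failed\r\n\r\n"
               b"Your message was rejected as spam.\r\n"
               b"Message-ID: <spam-run-77@bot.invalid>\r\n")

VAGUE_BOUNCE = (b"From: postmaster@other.example\r\nTo: mary@example.com\r\n"
                b"Subject: Undeliverable\r\n\r\nA message you sent could not be delivered.\r\n")


def demo() -> Dict[str, str]:
    f = BounceFilter()
    f.record_outgoing(OUTGOING)
    return {
        "legit bounce": f.decide("<>", LEGIT_BOUNCE),
        "backscatter": f.decide("<>", BACKSCATTER),
        "vague bounce": f.decide("<>", VAGUE_BOUNCE),
        "ordinary mail": f.decide("<friend@example.net>", OUTGOING),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The vague bounce is rejected on purpose, matching the answer's advice to treat bounces that carry no information about the original message as spam.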

The example address mentioned in my answer now received its first spam message. The address will be discontinued momentarily. This gives one data point indicating how quickly spammers pick up addresses posted on superuser.com. – kasperd – 2015-12-13T11:39:04.483

8

Yes and no.

Nothing stops me from writing an email with your address as a sender. This is not different from regular paper mail where I also can put a destination address on the front of the envelope and a (any!) return address on the back of the envelope.

However, you can add a digital signature to prove that you are the sender (see PGP and Xen's answer). And mail providers are also starting to implement safety checks for communication between mail servers. (See TLS - Transport Layer Security). But mail is built on the old protocols where everybody behaved and cooperated nicely. It was not designed for the big bad world.

Hennes

Posted 2015-12-04T15:03:26.833

Reputation: 60 739

2Some of the smartest people have said it best. Email was not designed to send personal information. Email was designed to replace a physical letter, a letter that while is sealed, the sender could be forged. While technology allows us to know precisely where that physical letter was sent from, through an investigation, the end user doesn't have access to that information. In other words I could send somebody a physical letter, set the return address to anything I want, and the recipient would not know who actually sent it. (continued in next comment) – Ramhound – 2015-12-04T15:51:52.833

Encrypting the contents of an email solves the first major problem with email, that it is sent in plain text, and anyone with the ability to intercept the email, could read the contents of it. In the world of physical letters this would be solved by physically sealing the envelope, so you know, if anyone intercepted it (or paying extra for any number of services for physical personal delivery). Of course this still does not change the fact the person sending the letter, can claim to be from anyone they want, just by saying so. – Ramhound – 2015-12-04T15:55:04.560

1@Ramhound - email wasn't so much designed to replace a physical letter, but a postcard, where everybody can read what is written, too. – Kevin Keane – 2015-12-05T21:26:30.507

@KevinKeane - You are arguing semantics. – Ramhound – 2015-12-05T23:57:39.723

@Ramhound - I realize that you were mostly focused on the return address, so you are right in that sense. In terms of protection of the content, though, an envelope is much like an email with PGP encrypted content: you can still see the sender and receiver, just not what they wrote to each other. But, yes, when it comes to the sender address forging, you are right, envelope and postcard are the same in that respect. – Kevin Keane – 2015-12-07T07:49:26.303

I know all of this. No need to inform me of anything unless I ask – Ramhound – 2015-12-07T11:25:45.270

7

You are approaching this incorrectly.

From years spent in the computer repair industry, I can tell you it's very unlikely there was any "hacking" going on here. It's far more likely your wife's computer has a virus, and that virus has accessed her Thunderbird address book.

This is fairly common. Usually the virus is sending the emails directly from the infected computer, so removing the virus will stop the spam emails -- they are not "spoofing" your wife's email address, they are your wife's email address.

Changing email addresses as suggested by another user is very unlikely to solve anything... especially if you enter it into Thunderbird on the same computer.

Download and run Combofix on your wife's computer.

http://www.bleepingcomputer.com/download/combofix/

There are instructions on how to run it at: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Essentially, download it, run it as administrator (right-click --> run as administrator), click OK/Yes/Continue to the prompts, then walk away for 30 minutes to an hour. It will run for a long while, and likely reboot the computer (make sure you log back in for it to continue working).

You will know it's done when a full screen notepad is open with a bunch of text. Close it, reboot once more, and you likely solved your problem... only time will tell.

SnakeDoc

Posted 2015-12-04T15:03:26.833

Reputation: 705

"they are your wife's email address." - Is this perhaps missing a word? – Ramhound – 2015-12-04T20:19:24.650

@Ramhound No, I was attempting to convey "they" are not spoofing the email address, they (the virus) is/are literally sending as the email address via the Thunderbird client on the computer (even if it's closed). – SnakeDoc – 2015-12-04T20:26:08.233

Doing that requires the virus to know the password, which while possible is actually unusual and not often done – Ramhound – 2015-12-04T20:51:05.237

@SnakeDoc: I'm not sure this could be right, because it happens even when the machine is off. And it's a different machine than when this first started, with better security, so I hope I don't have the same virus. But I'll try combofix anyway, just to be safe. Thanks for the suggestion. – Joshua Frank – 2015-12-04T21:09:16.287

@Ramhound In my experience, no, the virus is literally using Thunderbird's "behind the scenes" API to send email. Of course, it's safer to change the password after you remove the virus. – SnakeDoc – 2015-12-04T21:09:35.677

@JoshuaFrank if you transferred data from the old pc to the new one, it's possible you copied over the infection. if the machine comes up clean after running combofix, then a second possibility is the virus copied the SMTP credentials and is sending via your wife's SMTP account (email account) directly. In that case, changing the password would lock them back out... but it's still very unlikely they are "spoofing" her email address. – SnakeDoc – 2015-12-04T21:29:11.207

@SnakeDoc - I think this approach is actually exceedingly rare; the ISP would block your Internet connection from sending emails in no time if they saw this amount of spam coming from there. It's also easy to verify: ask somebody who received this spam to send you a copy of the SMTP headers, and see where the email really came from – Kevin Keane – 2015-12-05T21:28:42.793

3It's as simple as checking on the server logs if they were sent through it or not. Moreover, the bounces will include the headers of the received mails (in addition to the ones received by the husband), so it's not even needed to ask a third party. – Ángel – 2015-12-05T21:46:18.523

@KevinKeane I'm not saying the PC is sending raw emails directly to recipients - you are correct, that would get blocked rather quickly at any volume. Instead, what is common is for the virus to send emails via thunderbird/outlook (which would route through the configured SMTP server), or steal the credentials for the SMTP account and send emails directly through that SMTP server (this could involve sending the stolen credentials back to a C&C server). Neither possibility counts as spoofing (which is worth pointing out spoofing joe random is rare, spoofing a bank, etc. would be more common). – SnakeDoc – 2015-12-07T18:16:02.507

@SnakeDoc the server will only see an incoming SMTP connection; it can't (easily) tell whether that came from a virus or from Thunderbird. Rather than trying to figure this out, the server will look for patterns - too many emails in a short period of time, suspicious content, etc. will get you blocked even if the virus hijacks Thunderbird to send the emails. – Kevin Keane – 2015-12-17T05:00:06.767

@KevinKeane The OP is running their own private email server... so normal volume blocking and et al don't necessarily apply. This is still the most likely cause of the OP's problem. Nobody is going to "spoof" the OP's email address, it's simply not worth it. They'd spoof a bank or something. – SnakeDoc – 2015-12-17T15:55:37.860

@SnakeDoc - The OP email is hosted by GoDaddy. It's not quite clear whether that means that GoDaddy runs the email server, or that he runs his own server on a virtual machine hosted by GoDaddy. Either way, though, I doubt that the spam mails even run through that server. – Kevin Keane – 2015-12-25T20:51:11.683

2

There are two issues here. Your specific question about validating email senders, and what one can do when email is being sent in your name.

Unfortunately it is a simple matter to spoof the From: address in an email, and that's all it takes. While there are ways to set up email so that the sender can be verified (such as the digital signing mentioned in other answers), they are not in general use. If your wife's stolen contacts included a lot of casual connections, onetime clients, mailing lists etc., this is a non-starter: if the recipients find the faked emails a hassle, the last thing they want is to be asked to install special software on their computers.

Which brings us to what she can do. Stolen addresses are widely used as cover by spammers, and most people know to ignore obvious spam that pretends to come from an acquaintance. If that's all that's going on, the solution is clearly for your wife to get a new email, preferably one that is easily distinguishable from the old one; if possible, combine it with spelling her full name differently, e.g., add a middle name or job title. Then notify everyone on her contact list, and stop using the old email but continue to monitor it for incoming messages from people who missed the memo.

Things are more difficult if you believe that someone is specifically targeting your wife, trying to impersonate her, damage her reputation, etc. In that case, a new email will be quickly adopted by the attacker (since your wife will not be keeping it a secret). But that's a bridge you can cross if it should ever come to that (which I consider unlikely).

alexis

Posted 2015-12-04T15:03:26.833

Reputation: 492

If she stops using that address, everyone on the list will still be getting spammed AND she'll lose her primary address, so she'll STOP getting critical email from people who don't know she's using a different address. I don't know that they're targeting my wife, but they keep doing this, and it's starting to piss people off, as they think it's my wife's fault for not putting a stop to this, and we keep trying to explain that there's nothing we can do, but I think they don't believe us. – Joshua Frank – 2015-12-04T21:13:53.563

2She won't stop getting anything. As I said, she should continue monitoring incoming messages but send email from a new address. And she should email everyone to tell them the compromised address is obsolete-- then they can direct emails from that address straight to their spam folder, if they want. – alexis – 2015-12-04T21:17:05.390

1

As Freeman said...let all regular email correspondents know that all future email from her will have the phrase he mentioned or something similar.

A few of my most regular contacts know that if they want me to open their messages they have to say something in the email that no spammer would ever know, for example "Yes, Dennis this is really ______ and your dog's name is ______" I say something similar to them. Is this a hassle? Perhaps it is more of a minor annoyance.

Now if everyone would adopt SPF that would be a huge help.

Dennis H Wilson

Posted 2015-12-04T15:03:26.833

Reputation: 21

The problem isn't that the recipients are fooled by the email (the contents of which is an obvious spam link), it's that they receive dozens of copies of it. Having a passphrase would allow sophisticated users to create a filter that blocks the spam, but most people won't do that, and so they'll keep receiving it and being annoyed. – Joshua Frank – 2015-12-04T19:13:31.547

1This solution also doesn't help with the "Mail Delivery Failed" blowback problem. – Anthony Geoghegan – 2015-12-04T22:32:59.653

Just in case you think SPF is the solution: most (if not all) SPF implementations are not enough to stop spamming, nor to stop fake senders. Like it would not stop a spammer from using the SMTP command mail from: <whatever@spammer-spf-controlled-domain.com> followed by the header From: Someone Else <someone-else@example.com>, the latter being the address that will be visible in the email client. (Also, recipients might be surprised by some emails not being delivered if they set up email forwarding; my provider promotes NOT using SPF...) – Arjan – 2015-12-06T14:10:37.383

1

It might not be ideal, but if I were you I'd shut down my account and start a new one, telling everyone my new address and to blacklist the old.

Haiiro

Posted 2015-12-04T15:03:26.833

Reputation: 11

Yes, it's not ideal to shut down an email all of a sudden – pun – 2015-12-07T16:08:01.540