What can be done depends on how much of the infrastructure you have control over, and whether you are using your own domain name or simply have an address under a domain controlled by somebody else.
If you have your own domain, it is easy to switch to a new email address under the same domain. Additionally you can set up DNS records to tell the world that all emails from your domain are supposed to be digitally signed. (SPF, DKIM, and DMARC are the terms to search for if this is the approach you want to take.)
You cannot expect everybody to verify these signatures, so even if you do set up DNS records indicating that email from your domain must be signed, there will still be abusers sending unsigned emails claiming to be from your domain and receivers accepting those unsigned emails.
If you do not control the domain, then changing the email address is not as easy, and you have little influence on whether DNS records are used to limit the ability to spoof the domain in outgoing emails.
The problem with spam messages using a spoofed source address causing bounces coming back to the legitimate address is at least in principle easy to solve.
You can record the Message-ID of all emails you are sending. All bounces need to include the Message-ID of the original message somewhere - otherwise the bounce is completely useless anyway, because that is what tells you which message got bounced. Any bounced message which does not contain a Message-ID you have previously sent can be sent straight to the spam folder or be rejected at receiving time (which has the nice benefit of pushing the problem one step closer to the source).
Bounces can be told apart from other emails by the MAIL From address. Bounces always have an empty MAIL From address; other emails never have an empty MAIL From address.
So if MAIL From is empty and the DATA does not contain a Message-ID you previously sent, the mail can be safely rejected.
That's the principle. Turning it into practice is a bit harder. First of all, the infrastructure for outgoing and incoming emails may be separate, which makes it problematic for the infrastructure for incoming emails to always know about every Message-ID which has gone through the infrastructure for outgoing emails.
Additionally some providers insist on sending bounces that do not conform with common sense. For example I have seen providers sending bounces containing no information whatsoever about the original email which was bounced. My best recommendation for such useless bounces is to treat them as spam, even if they originate from an otherwise legitimate mail system.
Remember that whoever has obtained the list of email addresses can put any of the addresses as source address and any of the addresses as destination address. Thus, unless you have additional information, you can't be sure the leak even happened from your own system. It may be any of your contacts who leaked the list of addresses, including yours.
The more you can figure out about which addresses are on the leaked list and which are not, the better you will be able to figure out where it was leaked from. It might be you have already done this and concluded that the leak must have originated from your contact list, since none of your contacts would have known all of the addresses confirmed to have been leaked.
My approach to that is to use my own domain and a separate email address under that domain for each contact I communicate with. I include the date of first communication with the contact in the mail address, such that it could look like kasperd@mdgwh.04.dec.2015.kasperd.net if I were to write an email to a new contact today. That approach obviously isn't for everybody, but for me it surely helps to know exactly who has been leaking a list of email addresses that one of mine is on. It also means I can close the individual addresses, such that only the person who leaked my address has to update their contact information for me.
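The bounce check described in the answer above, as an added worked example in Python (this is not code from the answer or from any mail server). It assumes constructed messages under example.net / example.org, a set of sent Message-IDs that the inbound side can consult, and an SMTP front end that hands the filter the envelope sender (MAIL FROM) and the DATA. It also covers the two practical wrinkles the answer raises: the original message may be attached as message/rfc822 or merely quoted in a transfer-encoded text part, and a content-free bounce is rejected like backscatter.

```python
"""Bounce filter: accept mail with an empty MAIL FROM only if it references a
Message-ID we sent. Added example; addresses and messages are constructed."""
import base64
import re
from email import message_from_bytes
from email.policy import default

# Simplified RFC 5322 msg-id, <left@right>. IDs are ASCII, so one pattern
# serves for header values and for transfer-decoded body text alike.
MSGID_RE = re.compile(r"<[^<>\s@]+@[^<>\s]+>")


class BounceFilter:
    def __init__(self):
        # Real deployments keep this in storage shared between the outbound
        # relay and the inbound MX, which are often separate machines.
        self.sent_ids = set()

    def record_outgoing(self, raw_message):
        """Remember the Message-ID of a message we are about to send."""
        mid = message_from_bytes(raw_message, policy=default).get("Message-ID")
        if not mid:
            raise ValueError("outgoing message has no Message-ID header")
        self.sent_ids.add(mid.strip())
        return mid.strip()

    @staticmethod
    def referenced_ids(data):
        """Every Message-ID mentioned anywhere in the DATA of a bounce."""
        found = set()
        for part in message_from_bytes(data, policy=default).walk():
            # walk() descends into message/rfc822 parts, so the headers of an
            # attached copy of the original are checked here too.
            for name in ("Message-ID", "In-Reply-To", "References"):
                if part.get(name):
                    found.update(MSGID_RE.findall(str(part[name])))
            if part.is_multipart():
                continue
            # decode=True undoes base64/quoted-printable, so an ID quoted in an
            # encoded text part is still found.
            payload = part.get_payload(decode=True)
            if payload:
                found.update(MSGID_RE.findall(payload.decode("ascii", "replace")))
        return found

    def classify(self, mail_from, data):
        """'not-a-bounce' (MAIL FROM non-empty), 'accept-bounce' or 'reject'."""
        if mail_from.strip():
            return "not-a-bounce"  # ordinary mail: hand to the usual spam checks
        if self.referenced_ids(data) & self.sent_ids:
            return "accept-bounce"
        # Null sender but no ID we ever sent: backscatter from a forged
        # envelope, or a content-free bounce. Reject it at SMTP time.
        return "reject"


# Constructed samples. The message we sent:
OUTGOING = b"""From: alice@example.net
To: bob@example.org
Message-ID: <20151204120000.42@mail.example.net>

See you Friday.
"""

# A proper bounce: null sender, original attached as message/rfc822.
GENUINE = b"""Return-Path: <>
From: MAILER-DAEMON@mx.example.org
To: alice@example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message to bob@example.org could not be delivered.

--B1
Content-Type: message/rfc822

""" + OUTGOING + b"""
--B1--
"""

# A sloppier but usable bounce: only the body quotes our ID, base64-encoded.
TEXT_ONLY = b"""Return-Path: <>
From: postmaster@mx.example.org
Content-Type: text/plain
Content-Transfer-Encoding: base64

""" + base64.encodebytes(b"<20151204120000.42@mail.example.net> was rejected.\n")

# Backscatter: a spammer forged alice as the sender; the attached "original"
# carries an ID our relay never generated.
BACKSCATTER = GENUINE.replace(b"20151204120000.42@mail.example.net", b"8f1c@bot.invalid")

# The content-free bounce some providers send: nothing to match on.
USELESS = b"Return-Path: <>\nFrom: postmaster@example.com\nSubject: failure notice\n\nCould not deliver.\n"


def demo():
    """Verdict for each sample, keyed by sample name."""
    f = BounceFilter()
    f.record_outgoing(OUTGOING)
    return {
        "genuine": f.classify("", GENUINE),
        "text_only": f.classify("", TEXT_ONLY),
        "backscatter": f.classify("", BACKSCATTER),
        "useless": f.classify("", USELESS),
        "normal": f.classify("bob@example.org", OUTGOING),
    }
```

Run demo() to see the five verdicts. Rejecting at SMTP time (returning a 5xx after DATA when classify() says "reject") is what pushes the problem back towards the forging sender; the filter deliberately never looks at the From: header, since that is exactly the field the spammer controls.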
(27) Yes that's true. – Run CMD – 2015-12-04T15:05:01.550
(1) Short answer, yes; long answer, no, but it must be set up in advance, and requires advanced configuration both on the source account and in the clients of every recipient. The process involves using encryption and digital signatures to protect and verify the contents, as well as authenticate the sender. Look into Gnu Privacy Guard if you are interested, but it is somewhat advanced stuff, especially to get your recipients set up. – Frank Thomas – 2015-12-04T15:25:31.933
(14) I can throw an envelope in the mail that says it's from the President if I want to. Heck, it can say it's from God. Talk to the email administrator for the domain her email address is with. – David Schwartz – 2015-12-04T19:14:29.960
@DavidSchwartz: what should I ask them? I know that you can claim to be God, but is there anything the host can do that would provide any kind of authentication for people making claims like that? – Joshua Frank – 2015-12-04T19:19:36.227
(7) Your wife has a virus on her computer. It wasn't a "hacker"... it is very common for viruses to access your outlook/thunderbird address book and spam everyone on it. Fix the virus, or it'll keep happening. – SnakeDoc – 2015-12-04T19:39:01.167
(4) The person being spoofed cannot stop it (unfortunately for you), but the recipients can use some tools to attempt to reduce the amount of spoofed mail they receive. – Todd Wilcox – 2015-12-04T20:10:49.370
(1) @JoshuaFrank Hard to know without more context. There are things like SPF and DKIM. Talk to them and get competent email administrators working on the problem. They'll have all kinds of information we don't, such as how the domain is currently set up, the headers from the emails, and so on. – David Schwartz – 2015-12-04T20:37:09.007
@SnakeDoc: her machine was dying anyway, so I got her a brand new one, and I think that fixed it. – Joshua Frank – 2015-12-04T21:06:22.907
(4) When you receive one of those e-mails, check the full headers of the e-mail, and of those, check the "Received:" headers. It will give you an indication of whether the e-mails are actually coming from someone else, or from your wife's computer (due to a virus on that computer). – jcaron – 2015-12-05T10:26:46.970
First of all, I'd suggest to change domain provider. Yours doesn't sound reliable: their server should be able to tell if it actually sent an email or not (and do the right redirection). – algiogia – 2015-12-07T09:56:41.097
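The Received: header check jcaron suggests, as an added example in Python (not code from the comment or from any mail software). The host names, IP addresses and sample headers are constructed; the only assumption is that you know which mail hosts are your own (store.example.net and mx.example.net here). The point the code makes explicit is the trust boundary: the Received: line your own MX stamped records which IP actually connected, while every line below it was supplied by that connecting party and can be forged, so it is never read.

```python
"""Trace where a message entered our mail system from its Received: headers.
Added example; the host names, addresses and sample headers are constructed."""
import re
from email import message_from_bytes
from email.policy import default

# One hop as most MTAs write it: "from <helo> (<rdns> [<ip>]) by <host> ...".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\])?"
    r".*?\bby\s+(?P<by>[^\s;()]+)",
    re.S,
)


def hops(raw):
    """Received: headers as dicts, newest first (index 0 was stamped last)."""
    msg = message_from_bytes(raw, policy=default)
    result = []
    for header in msg.get_all("Received", []):
        m = HOP_RE.search(str(header))
        result.append(m.groupdict() if m else dict.fromkeys(("helo", "rdns", "ip", "by")))
    return result


def entry_ip(raw, our_hosts):
    """Address that handed the message to the first of our own servers.

    Only hops stamped "by" a host in our_hosts are trusted. Everything below
    the hop where an outside address connected to us was written by that
    connecting party and can say anything it likes, so it is never consulted.
    """
    for hop in hops(raw):
        if hop["by"] not in our_hosts:
            return None  # top hop not ours: the message did not pass our MX
        if hop["rdns"] in our_hosts or hop["helo"] in our_hosts:
            continue  # internal relay hop: keep walking towards the edge
        return hop["ip"]
    return None


OUR_HOSTS = {"store.example.net", "mx.example.net"}

# Constructed: a bot at 198.51.100.77 connected to our MX claiming (HELO) to be
# alice's PC, and also forged the bottom Received: line before sending.
SPOOFED = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
        by store.example.net with ESMTP id 1; Fri, 4 Dec 2015 15:00:02 +0000
Received: from alice-pc.example.net (unknown [198.51.100.77])
        by mx.example.net with ESMTP id 2; Fri, 4 Dec 2015 15:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
        by alice-pc.example.net with SMTP id 3; Fri, 4 Dec 2015 14:59:59 +0000
From: alice@example.net
To: bob@example.net
Subject: Cheap pills

Buy now.
"""

# Constructed: same path, but the connection really came from alice's home
# line at 203.0.113.7, which is what an infected PC there would produce.
FROM_HOME = SPOOFED.replace(b"unknown [198.51.100.77]",
                            b"home.isp.example [203.0.113.7]")

if __name__ == "__main__":
    print("spoofed sample entered from", entry_ip(SPOOFED, OUR_HOSTS))
    print("home    sample entered from", entry_ip(FROM_HOME, OUR_HOSTS))
```

Compare the returned address with the home connection's public IP (or with the IP of the legitimate outbound server): a match points at a compromised machine on that line, anything else is a third party forging the address. When reading bounces rather than the spam itself, apply this to the attached original, and remember that a bounce only quotes what the remote server received, which is again no more trustworthy than the hop that server stamped itself.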
Ragnarok it. Archive her e-mail account, create a new one, let people know they should block the old one (as she'll never send another e-mail from it) and start afresh in a new land. – deworde – 2015-12-07T16:34:55.380
@deworde: That will still push the burden of dealing with the problem to a bunch of mostly nontechnical people who won't know what to do, and then we won't even know when it's happening because we won't get the bouncebacks. I'm trying to stop it from happening in the first place. – Joshua Frank – 2015-12-07T17:28:23.947
1@JoshuaFrank Oh, I understand that, but given the existing answers and what I understand of the SMTP protocol, your wife's account simply isn't involved in the process at this point; it's just a line of text in some metadata, that could read "banana@instahack.com" if they thought that would get the work done. Any validation has to be done on the recipient side, and simply blocking an e-mail address is arguably easier than the alternatives. I can tell my grandma how to mark my old e-mail as "always spam", I can't get her to set up DKIM against my domain. – deworde – 2015-12-07T22:26:00.673
@deworde:But these people are mostly at aol.com or gmail.com, and surely those guys can do spoof detection with some accuracy? – Joshua Frank – 2015-12-08T14:11:45.953