« The House: The Housenating | Main | Another tech bleg »

June 27, 2007


Jonathan Lundell

Nothing to worry about, at least no more than usual. Spammers are prepared to put your address in the To: header; why would they feel any compunction about using it in the From: header?

It's unfortunately way too easy for your address to leak out to spammers. Even if you obscure it on the web, it'll be in the address books of your correspondents who get their machines taken over.

If you're getting a significant amount of spam, you'll probably see some messages to the effect that some mail system couldn't deliver a message that you had never sent in the first place. That's a side effect of the same thing--spam was sent From: jholbo To: some other prospect for organ enlargement.

There's another motivation for a spammer to send From: X To: X, and that's that some people whitelist their own address (because they like to cc themselves, or the like).

Finally, if you have access to the Received: headers, compare them to a message legitimately From: you, and you'll (almost) certainly see that the spam came from somewhere else. If it *did* come from your own account, then yes, you have a bigger problem. Unlikely.


It's possible in the same way that it's possible for someone to send you a letter with your name and address written in the area for the return address.

As to why they did it - well, you read it, didn't you?


You probably don't need to worry about it if you're worried about someone reading mail sent to that address. The from address is just an SMTP header value that can be set to anything by the email sender. The spammer is just using his/her own list of addresses as from addresses and you won the lottery to get picked as a sender.

What you might have to worry about (probably not though) is that the spam operation sends out thousands or hundreds of thousands of emails to people using your address in the from header. This could get your address placed on a blacklist and prevent your legitimate email from getting through. This is more of a problem for people like me with their own registered domains. You can get your entire domain blacklisted. That sucks.


What stand says is what is worrying me. Did I really win the lottery? I was guessing that they had some sophisticated bot to send people mail from their own address. Is it likely that thousands of people got spam from my address, and I'm just one of the many? That is disturbing.


Obviously my mail worry is getting blacklisted as a result.

Jonathan Lundell

If a lot of spam is being sent from your address, you should be seeing rejection messages, typically because many of the destination messages in those cases are stale and invalid.

I wouldn't worry too much about blacklisting. Maybe I give them too much credit, but the various black-hole services understand that From addresses are typically forged, and they focus on the Received headers instead, at least some of which get added after the message leaves the spammer, and hence can't be forged by the spammer.


You wouldn't need a very sophisticated bot to send people mail from their own address. In all likelihood, that's what they're doing. Probably because a lot of people email things to themselves as a simple way to move things from one computer to another. So those people's spam filters are already conditioned to think of mail-from-me as not-spam.


7 comments in and no one has made any of the obvious jokes about this situation?


7 comments in and no one has made any of the obvious jokes about this situation?

Does Belle have your e-mail password?

Is it likely that thousands of people got spam from my address, and I'm just one of the many?

I would say not likely, John. Sorry if I unduly worried you. A given spammer has hundreds of thousands (millions?) of addresses. To pick one address from all these as the single from address would pretty quickly draw attention to that address from the various anti-spamming measures in place around the Internet. Spammers that stay in business don't draw this kind of attention.

As I said earlier, things are different if you have your own domain. I have, in effect an infinite number of email addresses because anything@mydomain.com (not my real domain) will make it to my inbox. Once a spammer has figured this out they can start forging from addresses like 123@mydomain.com, abc@mydomain.com, viagra@mydomain.com, etc. This manifests itself as a couple thousand bounce messages per month flowing into my inbox (thanks a lot!)

Eventually, some email administrators out there notice this and start saying, "you know what? mydomain.com sends a lot of spam, let's just reject them all!" Once they do that, and if it's a big operation like mac.com or hotmail.com or whatever, when I try to send a real, non-spam email to someone, it may get rejected. Or sometimes, legitimate email sent to me gets held up. For instance, I got an email from my brother the other day that took, honest to god, a *whole month* to arrive at my inbox. A carrier pigeon could've gotten it to me faster.

Sorry, for the late night ranting. It's a frustrating topic for me.

David Moles

I don't think I've seen my own address, but I have seen the addresses of people I know. My guess is that those were harvested by a virus from somebdoy's Outlook address book, and the spambot (and/or virus) was just recombining the address book entries, figuring you're more likely to open a message from a recognized name. Sending messages to you in your own name might just be another twist on that.


Jeez. I've been having this problem (apparently spamming myself) for a good while now. This morning, though -- in the last hour, I've gotten DOZENS of bounce-back "system administrator" messages from around the world saying that messages I've sent are either undeliverable as addressed, or that I don't have privileges to send to that address, or other variants on "stop spamming us." And this at my university account. I'm quite convinced that no one legitimate will ever be able to get email from me again.

Jeff R.

As I said earlier, things are different if you have your own domain.

I have that problem, too, although it seems to have died down some and I never got thousands of bounce messages. One affirmative thing you can do is set up Sender Policy Framework (http://www.openspf.org/) for your domain. Not every ISP honors it, but at least it's something.

Peter Hollo

It's very easy to send an email "from" anyone's address at all - to prove it, setup an email client, and when it asks for your name and email address just put in someone else's. Then send an email - there you go!

What has probably happened is that among the tactics of this particular spammer is the theory that people trust certain senders better than others, and what better sender than you yourself! And in addition there's the "that's intriguing and a little creepy" factor that will compel you to take a look.

So they've setup their little spam program to use _the_same_address_ for sender and recipient (at least sometimes). Such messages probably have a very slightly higher chance of getting read, and the economies of spamming are such that any tiny likelihoods are worthwhile exploiting.

As explained above, you'd probably notice if a spammer has been using your email address willy-nilly to send out spams. The fact is, there'd be no point, as your email address/name are only going to provide an advantage with certain specific recipients! But remember: no spam mails these days *ever* appear to come from an email address related to the spammer. They're always either completely fake or just some other stolen address (just like yours, the recipient's) - otherwise it would be easy to trace the spammers and arrest their asses.

sex toys canada

nothing to worry about

The comments to this entry are closed.

Email John & Belle

  • he.jpgjholbo-at-mac-dot-com
  • she.jpgbbwaring-at-yahoo-dot-com

Google J&B

J&B Archives

Buy Reason and Persuasion!

S&O @ J&B

  • www.flickr.com
    This is a Flickr badge showing items in a set called Squid and Owl. Make your own badge here.

Reason and Persuasion Illustrations

  • www.flickr.com

J&B Have A Tipjar

  • Search Now:

  • Buy a couple books, we get a couple bucks.
Blog powered by Typepad

J&B Have A Comment Policy

  • This edited version of our comment policy is effective as of May 10, 2006.

    By publishing a comment to this blog you are granting its proprietors, John Holbo and Belle Waring, the right to republish that comment in any way shape or form they see fit.

    Severable from the above, and to the extent permitted by law, you hereby agree to the following as well: by leaving a comment you grant to the proprietors the right to release ALL your comments to this blog under this Creative Commons license (attribution 2.5). This license allows copying, derivative works, and commercial use.

    Severable from the above, and to the extent permitted by law, you are also granting to this blog's proprietors the right to so release any and all comments you may make to any OTHER blog at any time. This is retroactive. By publishing ANY comment to this blog, you thereby grant to the proprietors of this blog the right to release any of your comments (made to any blog, at any time, past, present or future) under the terms of the above CC license.

    Posting a comment constitutes consent to the following choice of law and choice of venue governing any disputes arising under this licensing arrangement: such disputes shall be adjudicated according to Canadian law and in the courts of Singapore.

    If you do NOT agree to these terms, for pete's sake do NOT leave a comment. It's that simple.

  • Confused by our comment policy?

    We're testing a strong CC license as a form of troll repellant. Does that sound strange? Read this thread. (I know, it's long. Keep scrolling. Further. Further. Ah, there.) So basically, we figure trolls will recognize that selling coffee cups and t-shirts is the best revenge, and will keep away. If we're wrong about that, at least someone can still sell the cups and shirts. (Sigh.)