Ask Al: My email address is being used in spam!

Gerald writes, "Help! I need to call the spam police and I don't know where to turn. My email address has been used to SEND spam. I know this only because an email sent under my name was undeliverable, and so the 'undeliverable' email report was sent to me. The subject line or sender's name was 'Free online secrets.' What can I do?"

Gerald, thanks for writing. Unfortunately, there's really not a ton you can do about this. There's no central spam police to report things to, nobody you who'll jump in and chase down those who forge your domain. Well, there is the FTC, but good luck getting this issue onto their radar – their resources are limited to the point that they really are only going after the biggest, baddest couple of bad guys at any given time. (And who's to say that yours is even in the US.)

But, if I were in your shoes, here's what I would be doing.

1. Make sure there's really something significant going on here. Lots of spam has variable from lines. Some of it purposely tries to look like it's coming "from" you "to" you. It could just be that your copy had you on the from line. That alone wouldn't mean millions of other random joes got mail from you. One bounce back alone wouldn't be a concern. Getting dozens, hundreds, thousands? Then it would be safe to say that this is taking place on a wider scale. If not, I wouldn't bother with the rest of this (except authentication).
2. Contact your ISP and let them know what's happening. Give them one example of the spam, and explain that you are being “joe jobbed” and that you're not responsible for the mail in any way. You don't condone it, you don't want it. I would do this pro-actively to ensure some over-zealous ISP doesn't take down your site after receiving spam complaints and making the false assumption that you must be up to something nefarious.
3. After things have calmed down, look up your domain in the SURBL and URIBL "URI" blacklists. If you find that your domain is listed, contact them and ask to be removed, via the process they list on their sites. Like you did with the ISP, explain that you were the victim of a joe job, and that you don't send spam. They will likely remove you. If they don't, any mail you send to any site using SpamAssassin or other filters that check these lists will likely junk your mail if your domain or URL is mentioned in the body of messages.
4. If you have the money to spare, you can hire lawyers and consultants to track the source of the forgery, figure out who to sue, and sue the offender. I'm happy to recommend someone who can help, but I would warn you that it's going to be expensive, and unlikely to be rewarding. My recommendation would be not to bother.
5. For the long term: authenticate your mail. We're not quite there yet, but we're moving in the right direction. The big ISPs are just starting to pay attention to email authentication. For example, if you published the right kind of SPF or Sender ID record in DNS, Hotmail would automatically have discarded all of the forged spam attempts aimed at its user base. SPF and Sender ID records are a simple bit of text added to your domain name service record, and don't usually require any sort of additional infrastructure on your part. For more on SPF look here and here. (Regular readers may note that the authentication drum is something that I've been banging on for quite a while now.)

Another important thing to keep in mind is that spammers are constantly cycling through domains to try get around spam filters and blocks. With many millions of domains out there in the world, spammers are probably only going to focus on yours for a short while. The data I've collected seems to support my point: For the 764,813 pieces of spam I've received from March 10^th through July 14^th, the spammers have used 223,393 different domains in their from addresses. That averages out to 3.4 spams per domain. That suggests that in the long term, the effect is very diffuse and the specific impact against any one email address or domain is generally going to be pretty limited.

I realize it's very annoying, and I wish I had better answers for you. Thankfully, your online reputation isn't likely to be tarnished over this issue, especially not in the longer term.