Ask Al: My email address is being used in spam!

Gerald writes, "Help! I need to call the spam police and I don't know where to turn. My email address has been used to SEND spam. I know this only because an email sent under my name was undeliverable, and so the 'undeliverable' email report was sent to me. The subject line or sender's name was 'Free online secrets.' What can I do?"

Gerald, thanks for writing. Unfortunately, there's really not a ton you can do about this. There's no central spam police to report things to, nobody who'll jump in and chase down those who forge your domain. Well, there is the FTC, but good luck getting this issue onto their radar – their resources are limited to the point that they really are only going after the biggest, baddest couple of bad guys at any given time. (And who's to say that yours is even in the US?)

But, if I were in your shoes, here's what I would be doing.
  1. Make sure there's really something significant going on here. Lots of spam has variable from lines. Some of it purposely tries to look like it's coming "from" you "to" you. It could just be that your copy had you on the from line. That alone wouldn't mean millions of other random joes got mail from you. One bounce back alone wouldn't be a concern. Getting dozens, hundreds, thousands? Then it would be safe to say that this is taking place on a wider scale. If not, I wouldn't bother with the rest of this (except authentication).
  2. Contact your ISP and let them know what's happening. Give them one example of the spam, and explain that you are being “joe jobbed” and that you're not responsible for the mail in any way. You don't condone it, you don't want it. I would do this proactively to ensure some overzealous ISP doesn't take down your site after receiving spam complaints and making the false assumption that you must be up to something nefarious.
  3. After things have calmed down, look up your domain in the SURBL and URIBL "URI" blacklists. If you find that your domain is listed, contact them and ask to be removed, via the process they list on their sites. Like you did with the ISP, explain that you were the victim of a joe job, and that you don't send spam. They will likely remove you. If they don't, any mail you send to any site using SpamAssassin or other filters that check these lists will likely junk your mail if your domain or URL is mentioned in the body of messages.
  4. If you have the money to spare, you can hire lawyers and consultants to track the source of the forgery, figure out who to sue, and sue the offender. I'm happy to recommend someone who can help, but I would warn you that it's going to be expensive, and unlikely to be rewarding. My recommendation would be not to bother.
  5. For the long term: authenticate your mail. We're not quite there yet, but we're moving in the right direction. The big ISPs are just starting to pay attention to email authentication. For example, if you published the right kind of SPF or Sender ID record in DNS, Hotmail would automatically have discarded all of the forged spam attempts aimed at its user base. SPF and Sender ID records are a simple bit of text added to your domain name service record, and don't usually require any sort of additional infrastructure on your part. For more on SPF look here and here. (Regular readers may note that the authentication drum is something that I've been banging on for quite a while now.)

Another important thing to keep in mind is that spammers are constantly cycling through domains to try to get around spam filters and blocks. With many millions of domains out there in the world, spammers are probably only going to focus on yours for a short while. The data I've collected seems to support my point: For the 764,813 pieces of spam I've received from March 10th through July 14th, the spammers have used 223,393 different domains in their from addresses. That averages out to 3.4 spams per domain. That suggests that in the long term, the effect is very diffuse and the specific impact against any one email address or domain is generally going to be pretty limited.

I realize it's very annoying, and I wish I had better answers for you. Thankfully, your online reputation isn't likely to be tarnished over this issue, especially not in the longer term.

11 comments:

Anonymous said...

I am not the original person with the question but just wanted to say Thank You for your post, it has helped me a lot!

Semper Fi,

Bob

Libby said...

Does it help to report spam if the spammer is using your email address? I get spam from me to me and others in my address book. I removed my address book and send mail to all as bcc. Does this help?

Anonymous said...

Change the password. All this talk about viruses and lawyers, ugh.. I endured 8 incidents of e-mails going out in my name over a 5 week period. I looked up online for an answer numerous times and kept seeing 'little you can do'. I finally called in my too-expensive alpha geek and he had me change my e-mail account password. Just thought I would double back and post the solution wherever I could.

Anonymous said...

Changing your password doesn't necessarily do any good.

My Yahoo mail account has been bombarded with hundreds of non-deliverable messages for Spam sent using my account as the sender.

I've changed my Yahoo password 3 times but it hasn't made any difference.

Al Iverson said...

Well, you're missing the point. Changing the password keeps bad guys OUT of your email account. You don't want them to have access to your address book or be able to respond to emails from your friends, do you?

The fact that spammers can fake email appearing to be from you (getting you some bounces) is a whole different issue. Irritating, but also much less of a security issue. Some goober might be mad at you, thinking you sent him spam, but that's the exception -- spam filters aren't going to blacklist you over that. Most smart mail admins understand that spammers forge from addresses in their spam runs.

help with email address said...

This is an awesome resource. This article helped a lot in understanding many facts. Thanks a lot for your post!!

Anonymous said...

I have received an undeliverable email, just like Gerald & was a bit worried about it. So I did a Google search & found your post, and I'd just like to say thanks for putting my mind at rest - great site!

Anonymous said...

Thank you.

Anonymous said...

Please, please, please, please HELP!

This is happening to me and many displeased people are sending me vulgar and nasty emails in response to this nonsense.

How do I contact my ISP (Internet Service Provider)?

Al Iverson said...

That's like asking, how do I contact my landlord? I can't answer that for you. You need to figure out who you're paying for internet service and then call them.

Also, change your email password immediately, just in case somebody has access to your email account.

Anonymous said...

Happened to me in my Yahoo account. Had to separate my Yahoo email from my sbc email (ISP did this for me). Then transfer my saved emails and address book to sbc account, because they usually stay with the free account (Yahoo). Then closed Yahoo account. Big pain but no recurrences so far (crosses fingers).