A friend of mine recently found himself in this situation, as he began to receive a deluge of “bounced” spam email: spam messages that seemed to have been sent from his email account to invalid email addresses and then returned to the supposed sender. But the email address in question is for an account that my friend rarely uses, and he did not knowingly use it to send any spammy email to anyone.
Initially he conjectured that spammers had somehow hijacked the email account. But even after he reset the email account’s password, the bounce messages continued to flow in.
Why was this happening? Were the messages really coming from my friend’s email address, or were their actual senders just using his email address as a spoofed return address in the email headers? What could he do to stop the annoying activity? Was his only option to obliterate the email account and start over with an untouched one?
Compromised or Spoofed?
Spammers spoof mail headers because nothing in SMTP verifies them: a sending machine can put any address it likes in the From line and in the envelope sender (the Return-Path), and most receiving servers will accept the message. The tactic helps fool spam filters and increases the spam message’s seeming legitimacy: you’re more likely to open email that purports to come from a person or a company you know than email that comes from a total stranger. It also explains the bounces. When the spam is addressed to a mailbox that doesn’t exist, the receiving server returns a non-delivery report to the forged Return-Path, so the “backscatter” lands with the owner of the spoofed address rather than with the spammer.
According to Will Irace, director of threat research and services at Fidelis Security Systems, spoofed email headers are quite common. In the case of my friend, Irace says, “If he’s sure he’s changed his password, then it’s most likely as he suspects: the spammer is forging (‘spoofing’) his address and not actually sending the bouncing e-mails from his account.”
Melissa Siems, senior director of product and solutions marketing for McAfee Cloud & Content Security, adds: “Most accounts are more likely to be spoofed than compromised, particularly if the owner isn’t using the account. If the account is in use, then it could have been compromised by malware or a phishing attack or even something more subvert like a rootkit attack.”
Resolving a Spoofed Email Account
Most bounce messages attach the original spam, headers included, and those headers tell you where it really came from. Ignore the From line and the name the sending machine announced itself with, because the spammer controls both. Look instead at the topmost Received header of the attached original: it was written by the server that accepted the message, and the IP address it records is the one the spammer actually connected from. If that address belongs to your own provider’s outgoing mail servers, the mail really went out through your account and you should treat it as compromised; if it belongs to some unrelated network, your address was simply forged. You can report that IP address to the abuse contact of the network it belongs to. In the short term, that may stop the email spoofing and the bounced messages; but overall it’s a bit of a fool’s errand. The ISP may not help you; and even if it does, there’s nothing to stop the spammer from simply spoofing your email account from a compromised PC that has a different IP address.
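The header check described above, as an added example rather than code from the article: the script parses a delivery-status notification, pulls the original message out of its message/rfc822 part, reads the Received chain, and compares the IP recorded by the bouncing server against the address blocks of the provider’s legitimate outbound mail servers. The bounce text, the hostnames and IP addresses, and the provider netblocks are all constructed assumptions for illustration.

```python
"""Classify a bounced spam message: was my address spoofed, or did the
mail really go out through my provider?

Added example; not code from the article. The bounce below is constructed,
and the hostnames, IP addresses and provider netblocks are assumptions.
"""
import email
import email.utils
import ipaddress
import re
from collections import namedtuple
from email import policy

# Constructed delivery-status notification that wraps the undeliverable
# original as a message/rfc822 part, the way most MTAs build bounces.
# The second Received line is the kind of hop a spammer might forge to
# make the message look as if it was submitted through mail.example.org.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: friend@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

<nobody@invalid.example>: User unknown

--B1
Content-Type: message/rfc822

Return-Path: <friend@example.org>
Received: from mail.example.org (unknown [203.0.113.45])
    by mx.example.net with SMTP id 4xyz; Tue, 1 Jan 2013 10:00:01 +0000
Received: from [10.0.0.5] by mail.example.org with ESMTPA id 1;
    Tue, 1 Jan 2013 09:59:59 +0000
From: friend@example.org
To: nobody@invalid.example
Subject: Cheap meds
Message-ID: <1@mail.example.org>

buy now
--B1--
"""

Hop = namedtuple('Hop', 'claimed_host ip')
FROM_RE = re.compile(r'\bfrom\s+(\S+)', re.IGNORECASE)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def original_message(bounce_text):
    """Return the original message attached to a DSN, or None if absent."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == 'message/rfc822':
            return part.get_payload(0)
    return None


def hops(msg):
    """Received headers as (claimed HELO host, observed IP), most recent first.

    Only the hop recorded by a server you trust (here the bouncing MTA)
    is reliable; a spammer can prepend any number of fake earlier hops.
    """
    out = []
    for value in msg.get_all('Received', []):
        text = ' '.join(str(value).split())  # unfold continuation lines
        host = FROM_RE.search(text)
        ip = IPV4_RE.search(text)
        out.append(Hop(host.group(1) if host else None,
                       ip.group(0) if ip else None))
    return out


def analyse(bounce_text, my_address, provider_outbound):
    """Decide whether the bounced message was spoofed.

    provider_outbound: CIDR blocks of the provider's legitimate outbound
    servers (assumed here; in practice take them from the provider's SPF
    record or documentation).
    """
    orig = original_message(bounce_text)
    if orig is None:
        return {'verdict': 'no-original-attached'}
    path = hops(orig)
    handoff = path[0] if path else Hop(None, None)  # hop seen by the bouncing MTA
    from_addr = email.utils.parseaddr(str(orig.get('From', '')))[1]
    return_path = email.utils.parseaddr(str(orig.get('Return-Path', '')))[1]
    nets = [ipaddress.ip_network(n) for n in provider_outbound]
    via_provider = handoff.ip is not None and any(
        ipaddress.ip_address(handoff.ip) in n for n in nets)
    if my_address not in (from_addr, return_path):
        verdict = 'not-about-me'
    elif via_provider:
        verdict = 'sent-through-my-provider'  # treat the account as compromised
    else:
        verdict = 'spoofed'  # my address was forged; the sender never touched my provider
    return {'verdict': verdict, 'handoff_ip': handoff.ip,
            'claimed_helo': handoff.claimed_host, 'hops': path}


if __name__ == '__main__':
    result = analyse(BOUNCE, 'friend@example.org', ['198.51.100.0/24'])
    print(result['verdict'], result['handoff_ip'], result['claimed_helo'])
```

With the constructed bounce the verdict is `spoofed`: the machine that handed the spam to mx.example.net announced itself as mail.example.org but connected from 203.0.113.45, which is outside the assumed provider netblock, and the inner “ESMTPA” hop claiming an authenticated submission is exactly the part a forger gets to write himself. Only the IP recorded by a server you trust decides the question.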
If you don’t normally use the email account in question, the most sensible tactic is to delete the account and start anew. Of course, for business email accounts and for primary personal email accounts that you’ve used for years, you may decide that jettisoning the account isn’t an acceptable option.
Avoiding Spoofed Email Accounts
Still, Siems says that adopting some commonsense security practices can reduce your email account’s exposure. For instance, she suggests, use your primary email account to communicate only with people you know and trust. Spammers typically harvest addresses from the contact lists of compromised machines, so if one of those contacts gets infected or compromised, attackers may still harvest and use your email address, but the risk should be much lower.
Also, when sharing an email address with a website or posting information in a public online forum, use a throwaway email account, such as one from Gmail or Hotmail, that you won’t mind deleting later on.
These steps amount to hazard mitigation, though. There’s simply no fool-proof way to prevent spammers from writing your email address into the headers of spam email. If you own the domain, publishing SPF, DKIM and DMARC records at least lets receiving servers recognise and reject mail that forges it, which cuts down the backscatter; for an address at a consumer mail provider, that part is in the provider’s hands, not yours.