Your mother calls you to ask why you keep emailing her about “enhancements,” and your coworkers complain that you won’t stop sending them ads. Does this sound like you?
A friend of mine recently found himself in this situation, as he began to receive a deluge of “bounced” spam email: spam messages that seemed to have been sent from his email account to invalid email addresses and then returned to the supposed sender. But the email address in question is for an account that my friend rarely uses, and he did not knowingly use it to send any spammy email to anyone.
Initially he conjectured that spammers had somehow hijacked the email account. But even after he reset the email account’s password, the bounce messages continued to flow in.
Why was this happening? Were the messages really coming from my friend’s email address, or were their actual senders just using his email address as a spoofed return address in the email headers? What could he do to stop the annoying activity? Was his only option to obliterate the email account and start over with an untouched one?
Compromised or Spoofed?
If you face this situation, your first step should be to determine whether your email account–or your PC itself–is infected or compromised in some way. The most likely culprit is “spoofed” email headers: spammers change a message’s “from” address to make it appear as though the spam originated from your email account, and any bounce alerts for that spam are then delivered to your inbox.
Spammers spoof mail headers in email messages to fool spam filters into letting the message through. The tactic can also increase the spam message’s seeming legitimacy: You’re more likely to open email that purports to come from a person or a company you know than email that comes from a total stranger.
According to Will Irace, director of threat research and services at Fidelis Security Systems, spoofed email headers are quite common. In the case of my friend, Irace says, “If he’s sure he’s changed his password, then it’s most likely as he suspects: the spammer is forging (‘spoofing’) his address and not actually sending the bouncing e-mails from his account.”
Melissa Siems, senior director of product and solutions marketing for McAfee Cloud & Content Security, adds: “Most accounts are more likely to be spoofed than compromised, particularly if the owner isn’t using the account. If the account is in use, then it could have been compromised by malware or a phishing attack or even something more subvert like a rootkit attack.”
Resolving a Spoofed Email Account
Bounced email alerts sometimes contain details within their message headers that can help identify the messages’ true origin. Most often, the spam comes from PCs that have been enlisted into a botnet or compromised in some other way, so your chances of tracking down the actual spam purveyor are very slim.
If you can see in the headers the IP address for the computer that sent the spam, you may be able to determine where the messages came from. You can then contact that PC’s Internet service provider and have that IP address blocked. In the short term, that may stop the email spoofing and the bounced messages; but overall it’s a bit of a fool’s errand. The ISP may not help you; and even if it does, there’s nothing to stop the spammer from simply spoofing your email account from a compromised PC that has a different IP address.
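As an added illustration (not part of the original article), the short Python script below pulls the copy of the original headers out of a constructed bounce notice, reads the earliest Received hop for the sending IP address, and checks whether the message ever passed through the account owner’s own outbound mail server, which is the difference between a spoofed “from” address and a compromised account. The hostnames, addresses and the plain-text bounce layout are assumptions for the example; real bounces vary in format.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample bounce (not a real message): the recipient's server mx.example.net
# returned the spam with a copy of its headers. Hosts and addresses are placeholders.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: friend@example.org
Subject: Undelivered Mail Returned to Sender

------ This is a copy of the message headers. ------
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by mailbox.example.net; Mon, 2 Apr 2012 10:00:05 +0000
Received: from unknown-host (unknown [203.0.113.45])
    by mx.example.net with SMTP; Mon, 2 Apr 2012 10:00:01 +0000
From: "Friend" <friend@example.org>
To: nobody@invalid.example.net
Subject: Enhancements available now
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def original_headers(bounce_text):
    """Parse the copy of the original headers that this bounce layout embeds."""
    embedded = bounce_text.split("This is a copy of the message headers.", 1)[1]
    return message_from_string(embedded.lstrip("- \n"))

def originating_ip(headers):
    """Received headers are prepended hop by hop, so the bottom one is the earliest.
    Hops recorded before the mail reached a server you trust can themselves be forged."""
    for line in reversed(headers.get_all("Received") or []):
        match = IPV4_IN_BRACKETS.search(line)
        if match:
            return match.group(1)
    return None

def classify(bounce_text, own_address, own_outbound_servers):
    """Spoofed: our address in From, but no hop through our provider's outbound server.
    Relayed by our own server instead points to a compromised account, not spoofing."""
    headers = original_headers(bounce_text)
    from_addr = parseaddr(headers.get("From", ""))[1].lower()
    hops = headers.get_all("Received") or []
    via_own = any(f"by {srv}" in hop for srv in own_outbound_servers for hop in hops)
    if from_addr != own_address.lower():
        verdict = "unrelated"
    else:
        verdict = "relayed-by-own-server" if via_own else "spoofed"
    return {"from": from_addr, "origin_ip": originating_ip(headers), "verdict": verdict}
```

Even when the origin IP is recoverable, it usually belongs to a compromised home PC rather than to the spammer, which is the article’s point about the limited value of chasing it.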
If you don’t normally use the email account in question, the most sensible tactic is to delete the account and start anew. Of course, for business email accounts and for primary personal email accounts that you’ve used for years, you may decide that jettisoning the account isn’t an acceptable option.
Avoiding Spoofed Email Accounts
Unfortunately, you can’t do much to stop spoofing once it starts–or to avoid having spammers harvest your email address in the first place. Irace offers some sarcastic advice on how to make your email address harvest-proof: “Don’t do anything interesting [online], and never share your email address with anybody [else].”
Nevertheless, Siems says that adopting some commonsense security practices can reduce your email account’s exposure. For instance, she suggests, use your primary email account to communicate only with people you know and trust. If one of those contacts gets infected or compromised, attackers may still harvest and use your email address, but the risk should be much lower.
Also, when sharing an email address with a website or posting information in a public online forum, use a throwaway email account, such as one from Gmail or Hotmail, that you won’t mind deleting later on.
These steps amount to hazard mitigation, though. There’s simply no foolproof way to prevent spammers from using your email address in spoofed message headers on spam email.