YOUR MOTHER CALLS you to ask why you keep emailing her about “enhancements,” and your coworkers complain that you won’t stop sending them ads. Does this sound like you?
A friend of mine recently found himself on the receiving end of a deluge of “bounced” spam email—junk messages that seemed to have been sent from his email account to invalid email addresses and then returned to the supposed sender. But the email address in question is for an account that my friend rarely uses, and he did not knowingly use it to send any spammy email to anyone.
Initially he suspected that spammers had hijacked his email account somehow. But even after he reset the email account’s password, the bounce messages continued to flow in.
Why was this happening? Were the messages coming from his email address, or were the senders using his email address as a spoofed return address in the email headers? What could he do to stop the activity? Was his only option to obliterate the old email account and start over with an untouched one?
Compromised or Spoofed?
If you face this situation, first determine whether your email account, or the PC you use it from, has actually been compromised. The most likely explanation, though, is spoofed email headers: the spammer writes your address into the message as the sender, both in the visible “From” line and in the envelope return address to which mail servers send delivery failures. When the spam hits a dead mailbox, the bounce therefore comes to you, even though the message never passed through your account.
Spammers spoof email headers to fool spam filters into letting the message through, and to increase the junk message’s seeming legitimacy: People are more likely to open email that purports to come from a person or a company they know than email that comes from a total stranger.
Did someone hijack your email address to mass-mail spam messages? Maybe not. Here’s what might have happened.
According to Will Irace, director of Threat Research and Services at Fidelis Security Systems, spoofed email headers are quite common. In the case of my friend, Irace says, “If he’s sure he’s changed his password, then it’s most likely as he suspects: The spammer is forging (‘spoofing’) his address and not actually sending the bouncing emails from his account.”
Melissa Siems, senior director of product and solutions marketing for McAfee Cloud & Content Security, adds: “Most accounts are more likely to be spoofed than compromised, particularly if the owner isn’t using the account. If the account is in use, then it could have been compromised by malware or a phishing attack or…a rootkit attack.”
Resolving a Spoofed Email Account
Bounced-email alerts (mail administrators call them backscatter) usually include the headers of the rejected message, and those headers can reveal where it really came from. Read them from the top: the topmost “Received” line was written by the server that rejected the message and records the IP address of the machine that handed it over, while every “Received” line below it arrived with the message and may have been forged to make it look as though the mail travelled through your provider. Most often, the delivering machine is a home PC infected with bot malware and controlled as part of a botnet, so your chances of tracking down the spam operator behind it are very slim.
If the headers give you the IP address of the computer that sent the spam, a WHOIS lookup on that address tells you which network it belongs to and usually lists an abuse contact. You can report the address to that network’s operator and ask that the machine be cleaned up or blocked. That may temporarily stop the spoofing and the bounced messages, but it’s a fool’s errand: the operator may not act, and even if it does, the spammer simply moves to another infected PC with a different IP address and keeps spoofing your address from there.
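As an added illustration, not part of the original article, the following Python script reads a bounce the way the paragraphs above describe: it pulls the rejected original out of the delivery-status report, takes the topmost “Received” header to find the IP address that actually delivered the spam, and checks that address against the account provider’s outbound relays to decide whether the message could have come through your account at all. The sample bounce, the hostnames and IP addresses, and the PROVIDER_OUTBOUND range are all constructed for this example.

```python
"""Decide whether a bounce points to spoofing or to mail really sent via your
account, using the Received headers of the rejected original.

Added example; every address, host and the provider range below is made up.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption for the example: the outbound relays of the account owner's mail
# provider. A real list would come from the provider (its SPF record is one source).
PROVIDER_OUTBOUND = [ip_network("198.51.100.0/24")]

# Matches the bracketed IPv4 literal an MTA writes into "Received: from host [ip]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a minimal delivery-status report carrying the rejected
# message. The lower Received line was forged by the spammer to suggest the
# mail passed through smtp.example.org, the victim's own provider.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

<nosuchuser@example.net>: unknown user in virtual mailbox table
--B1
Content-Type: message/rfc822

Received: from dsl-pool-77.example.com (unknown [203.0.113.77])
    by mx.example.net (Postfix) with SMTP id 4F2C0
    for <nosuchuser@example.net>; Mon,  2 Apr 2012 09:14:02 +0000
Received: from victim-pc ([10.0.0.5]) by smtp.example.org with ESMTP
    for <nosuchuser@example.net>; Mon,  2 Apr 2012 09:13:50 +0000
From: victim@example.org
To: nosuchuser@example.net
Subject: Amazing enhancements
Message-ID: <spam-0001@dsl-pool-77.example.com>

Buy now!
--B1--
"""


def rejected_original(bounce: EmailMessage) -> Optional[EmailMessage]:
    """Return the rejected message embedded in a DSN, or None if there is none."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def delivering_ip(original: EmailMessage) -> Optional[str]:
    """IP address of the SMTP client that handed the spam to the rejecting MTA.

    Each hop prepends its own Received header, so the first one was written by
    the server that generated the bounce. That is the only hop this server can
    vouch for; every Received line below it came with the message and may be forged.
    """
    received = original.get_all("Received") or []
    if not received:
        return None
    match = IP_RE.search(str(received[0]))
    return match.group(1) if match else None


def classify_bounce(raw_bounce: str) -> dict:
    """Label a bounce as spoofed or as possibly sent through your provider."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = rejected_original(bounce)
    if original is None:
        return {"verdict": "undetermined", "reason": "bounce carries no original message"}
    ip = delivering_ip(original)
    if ip is None:
        return {"verdict": "undetermined", "reason": "no usable Received header"}
    via_provider = any(ip_address(ip) in net for net in PROVIDER_OUTBOUND)
    return {
        "verdict": "possibly sent through your account" if via_provider else "spoofed",
        "delivering_ip": ip,
        "claimed_from": str(original["From"]),
        # Hops supplied by the sender, listed only to make the forgery visible.
        "untrusted_hops": [str(h) for h in original.get_all("Received")[1:]],
    }


if __name__ == "__main__":
    for key, value in classify_bounce(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

Run against the constructed bounce, the script reports the delivering address 203.0.113.77, outside the provider’s range, and so a verdict of “spoofed”; the forged hop claiming smtp.example.org is listed separately so you can see what the spammer wanted the reader to believe. A real bounce from a compromised account would instead show the provider’s own relay in that top “Received” line.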
If you don’t normally use the email account in question, the most sensible tactic is to delete the account and start anew. Be clear about what that does and doesn’t achieve: closing the account stops the bounces from landing in your inbox, but the spammer can keep putting the address on outgoing junk, and recipients will still see mail that appears to come from you. For business email accounts and for primary personal accounts that you’ve used for years, you may decide that jettisoning the account isn’t an acceptable option at all.
Keeping a Low Email Profile
Unfortunately, you can’t do much to stop spoofing once it starts—or to avoid having spammers harvest your email address in the first place. Irace offers some sarcastic advice on how to make your email address harvest-proof: “Don’t do anything interesting [online], and never share your email address with anybody [else].”
Still, Siems says that adopting some commonsense security practices can reduce your email account’s exposure. For instance, she suggests, use your primary email account to communicate solely with people you know and trust. If one of those contacts gets infected or compromised, attackers may harvest and use your email address anyway, but the risk should be much lower.
Also, when sharing an email address with a website or posting information in a public online forum, use a throwaway account—from Gmail or Hotmail, say—that you won’t mind deleting later on.
These steps reduce your exposure; they don’t eliminate it. If you control your own domain, you can go a step further and publish SPF and DKIM records and a DMARC policy, which let receiving servers reject mail that forges your domain and cut down the backscatter considerably; users of a shared provider depend on whatever policy the provider publishes. Either way, nothing stops a spammer from typing your address into a message header. There’s simply no fool-proof way to prevent spammers from using your email address in spoofed message headers on junk email.