Save Yourself From “Yourself”: Stop Spam From Your Own Address
We have recently seen a significant increase in cases where users receive Spam email messages that appear to come from their own address (e.g. “firstname.lastname@example.org” gets a Spam email addressed from “email@example.com”). We discussed this issue tangentially in a previous posting: Bounce Back & BackScatter Spam – “Who Stole My Email Address”? However, many users wonder how this is possible, while others are concerned that their Spam filters are not catching these messages.
How can Spammers use your email address to send Spam?
The way email works on the Internet, there is very little validation performed on the apparent sender of an email message. Just as you could mail a letter at the post office with any return address written on it, a Spammer can compose and send an email message with any “From” address. This is very easy to do, and Spammers use this facility with almost every message they send.
So, while you do own your domain name and can lock down the accounts you use to send and receive email, there is no way to prevent someone else from sending an email message that purports to be from you or from some address at your domain. The best you can do is to use SPF and/or DKIM, or PGP or S/MIME digital signatures, so that your recipients can verify the messages if they want to (though most recipients may not know how to use these technologies).
Why do Spammers send you Spam that appears to be from you?
Sending email to you that appears to be from you is an increasingly popular Spamming trick. As spam filters get more and more complicated, people have taken to adding their own email addresses and/or their domain names to their spam filtering allow lists. The intention is to ensure that no email from other people in their domain (or that they send to themselves) is ever caught in the spam filter by mistake — because no one in their domain is sending spam, right?
The problem is that as soon as you add your own email address or domain name to your spam filtering allow list, all email from these addresses will sail through your spam filters (as requested). This includes all Spam email whose sender address is forged to be yours. It is not really from you, but the only thing the Spam filter’s allow list cares about is whether the From address is on the list or not.
So, users who find that their spam filters are ineffective against email that appears to be “from themselves” probably have their own email address on their allow list and have thus exempted all of that email from filtering.
What is the alternative to having yourself on your allow list?
Of course, most people do not want to take their domain or address off of their allow list for the very reason they put it there in the first place … they don’t want to risk having their internal email caught in the filters. So, what can they do that will meet this need and still allow the forged messages to be filtered?
The best thing to do is to add the Internet addresses (IP addresses) of any servers from which you send email (i.e. SMTP servers and WebMail servers) to your allow list instead (if your spam filter allow list supports this — LuxSci’s Premium email filtering does, but its basic filtering does not). This way, messages sent from the servers that you and your fellow users actually use for sending messages will be allowed (and thus you will not lose internal email); however, messages sent from other servers (even if those messages appear to be “from you”) will be subject to the normal filtering process. This will stop most of the forged spam for good.
So, what do we recommend?
- Use Premium Email Filtering with SPF-protected Allow Lists to stop this kind of spam completely.
- Make sure you have robust, reliable spam filtering software, and make sure that it’s enabled.
- Make sure that any catch-all email aliases are turned off.
- Make sure that your email address and your domain name are NOT on your own allow or white list(s).
- Make sure that, if you use your address book as a source of addresses to allow, your own address is NOT in it (or else don’t allow-list your address book).
- Add the Internet IP address(es) of the servers from which you do send email to your allow list, if possible. Contact your email provider for assistance in obtaining this list and updating your filters with it.
- Add SPF to your domain’s DNS.
- Use DKIM.
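To make the difference between these allow-list settings concrete, here is an added example (not LuxSci’s code and not part of the original post) that models the three policies discussed above: a plain From-address allow list, an allow list keyed on the IP addresses of your own sending servers, and an SPF-protected allow list. The domain, the SPF record and all IP addresses are constructed placeholders taken from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Message:
    mail_from: str   # the "From" address as presented in the message
    client_ip: str   # IP address of the SMTP client that delivered it

# Constructed sample data: hypothetical domain, documentation-range IPs.
OUR_DOMAIN = "example.org"
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"  # hypothetical
ALLOWED_ADDRESSES = {"alice@example.org"}          # "yourself" on the allow list
OUR_SERVERS = [ipaddress.ip_network("203.0.113.10"),
               ipaddress.ip_network("198.51.100.0/24")]   # our SMTP/WebMail hosts

GENUINE = Message("alice@example.org", "203.0.113.10")  # sent via our own server
FORGED = Message("alice@example.org", "192.0.2.77")     # same From, foreign server

def spf_ip4_networks(record: str):
    """Collect the ip4: mechanisms from a simple SPF TXT record."""
    return [ipaddress.ip_network(t[4:], strict=False)
            for t in record.split() if t.startswith("ip4:")]

def ip_in(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def address_allowlist_bypasses(msg: Message, allowed=ALLOWED_ADDRESSES) -> bool:
    """Weak setting: skipped because the From address is listed, whoever delivered it."""
    return msg.mail_from.lower() in {a.lower() for a in allowed}

def ip_allowlist_bypasses(msg: Message, servers=OUR_SERVERS) -> bool:
    """Recommended: skipped only when one of our own servers delivered it."""
    return ip_in(msg.client_ip, servers)

def spf_protected_bypasses(msg: Message, allowed=ALLOWED_ADDRESSES,
                           record=SPF_RECORD) -> bool:
    """SPF-protected allow list: address must be listed AND the delivering IP must
    be authorized by the From domain's SPF record (only our own record is embedded)."""
    domain = msg.mail_from.rsplit("@", 1)[-1].lower()
    if domain != OUR_DOMAIN or not address_allowlist_bypasses(msg, allowed):
        return False
    return ip_in(msg.client_ip, spf_ip4_networks(record))

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, address_allowlist_bypasses(msg), ip_allowlist_bypasses(msg),
              spf_protected_bypasses(msg))
```

The forged message passes the address-only allow list just like the genuine one, but is handed back to normal filtering by both the server-IP allow list and the SPF-protected allow list.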
Related posts:
- Better Forged Email Filtering with Improved SPF Support
- Bounce Back & BackScatter Spam – “Who Stole My Email Address”?
- Sender Policy Framework (SPF) added to Email Defense
- DKIM: Fight Spam and Forged Email by Signing your Messages
- Graymail “Spam”: What it is and how to get rid of it!