LuxSci

Save Yourself From “Yourself”: Stop Spam From Your Own Address

It is surprisingly common for users to receive Spam email messages that appear to come from their own address (i.e. “joe@domain.com” receives a Spam email addressed so that it appears to be from “joe@domain.com”).  We discussed this issue tangentially in a previous posting: Bounce Back & BackScatter Spam – “Who Stole My Email Address”?  However, many users wonder how this is even possible, while others are concerned that their Spam filters are not catching these messages.

How can Spammers use your email address to send Spam?

At a fundamental level, the way email works involves very little validation of the apparent “Sender” of a message.  Just as you could mail a letter at the post office and write any return address on it, a Spammer can compose and send an email message with any “From” email address and name.  This is in fact very easy to do, and Spammers use this facility with almost every message that they send.

So, while you do own your domain name and can lock down the accounts you are using to send and receive email, there is no way to prevent someone else from sending an email message that purports to be from you or from some address at your domain.  The best you can do is to use SPF and/or DKIM, or PGP or S/MIME digital signatures, to allow your recipients to verify the messages if they want to (though most recipients may not know how to use these technologies).  For example, with SPF and/or DKIM, recipients (including yourself) can use Spam Filters to determine that these messages were not authorized and can thus discard them as fraudulent.

Why do Spammers send you Spam that appears to be from you?

Sending email to you that appears to be from you is an increasingly popular Spamming trick.  As spam filters get more and more complicated, people have taken to adding their own email addresses and/or their domain names to their spam filtering allow lists.  The intention is to ensure that no email from other people in their organization (or that they send to themselves) is ever caught in the spam filter by mistake — because no one in their domain is sending spam, right?

The problem is that as soon as you add your own email address or domain name to your spam filtering allow list, all email from these addresses will sail through your spam filters (as requested).  This includes all Spam email where the sender address is forged to appear to be from you.  It is not really from you, but the only thing that the Spam filter’s allow lists care about is whether the From address is on your allow list or not.

So, users who see that their spam filters are being ineffective against email that appears to be “from themselves” probably have their email address or domain name on their own allow list and thus have exempted all of that email from filtering.

What are the alternatives to having yourself on your allow list?

Of course, most people do not want to take their domain or address off of their allow list for the very reason they put it there in the first place … they don’t want to risk having their internal email caught in the filters.  So, what can they do that will meet this requirement and still allow the forged messages to be filtered?

The best thing to do is to add only the Internet addresses (IP addresses) of any servers from which you send email (e.g. SMTP servers and WebMail servers) to your allow list instead (if your spam filter allow list supports this — LuxSci’s Premium email filtering does, but its basic filtering does not).  This way, messages sent from the servers that you and your coworkers actually use for sending email will be allowed (and thus you will not lose internal email); however, messages sent from other servers (even if those messages appear to be “from you”) will be subject to the normal filtering process.  This will stop most of the forged spam for good, especially if you add DKIM and SPF to further assist your Spam filter in identifying fraudulent messages.

So, what do we recommend?

  1. Use Premium Email Filtering with SPF-protected Allow Lists to stop this kind of spam completely.
  2. Make sure you have robust, reliable spam filtering software, and make sure that it’s enabled.
  3. Make sure that any catch-all email aliases are turned off (the ones that accept all email to unknown/undefined addresses in your domain and deliver them to you anyway — these are giant spam traps).
  4. Make sure that your email address and your domain name are NOT on your own allow or white list(s).
  5. Make sure that, if you are using your address book as a source of addresses to allow, that your own address is NOT in there (or else don’t white list your address book).
  6. Add the Internet IP address(es) of the servers from which you do send email to your allow list, if possible.  Contact your email provider for assistance in obtaining this list and updating your filters with it.
  7. Add SPF to your domain’s DNS.
  8. Use DKIM.
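The difference between the allow-list styles described above (an allow list keyed on the From address versus one keyed on the IP addresses of the servers you actually send through, optionally taken from the domain's SPF record) is easiest to see in code.  The following is an added example, not LuxSci's filtering code: the addresses, server IPs and SPF record are constructed for the illustration (the IP ranges are documentation ranges), and the SPF parser is deliberately minimal, handling only ip4:/ip6: mechanisms and the trailing "all" term.

```python
"""
Added example: why a spam-filter allow list keyed on the From address lets
forged "from yourself" spam through, and how keying it on the sending
server's IP address (or on the addresses the domain's SPF record authorises)
closes that hole.  All data below is constructed; none of it is real.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Hypothetical SPF record for example.com: only the company's own SMTP and
# WebMail servers may send mail for the domain (constructed, not a real DNS record).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all",
}

# The IP addresses of the servers we actually send through, as an email
# provider would hand them to you (constructed for the example).
OWN_SERVER_IPS = ["203.0.113.10", "203.0.113.11"]


@dataclass
class Message:
    header_from: str   # the "From:" address the recipient sees; chosen by the sender
    client_ip: str     # the server that delivered the message to our filter
    subject: str


# Two constructed messages: one genuinely sent through the company SMTP
# server, one forged by an outside host to look like it came from the user.
SAMPLE = [
    Message("joe@example.com", "203.0.113.10", "Lunch on Friday?"),
    Message("joe@example.com", "198.51.100.77", "Your account has been suspended"),
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def address_allowlist_bypasses(msg: Message, allowed: Set[str]) -> bool:
    """Weak configuration: skip filtering when the From address or its domain is
    on the allow list.  The From header is entirely under the sender's control,
    so a forged message passes just as easily as a real one."""
    return msg.header_from.lower() in allowed or domain_of(msg.header_from) in allowed


def ip_allowlist_bypasses(msg: Message, allowed_nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """Better configuration: skip filtering only when the connecting server is one
    we operate.  The From header is not consulted, so forging it buys nothing."""
    ip = ipaddress.ip_address(msg.client_ip)
    return any(ip in net for net in allowed_nets)


def parse_spf_networks(record: str) -> List[ipaddress._BaseNetwork]:
    """Minimal SPF parser (assumption: only ip4:/ip6: mechanisms are honoured;
    include:, a, mx and other mechanisms are ignored here)."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    nets = []
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def spf_protected_bypasses(msg: Message) -> bool:
    """'SPF-protected allow list': the From domain is trusted only when the
    connecting IP is one that the domain's SPF record authorises."""
    record = SPF_RECORDS.get(domain_of(msg.header_from))
    if record is None:
        return False
    return ip_allowlist_bypasses(msg, parse_spf_networks(record))


def classify(messages: Iterable[Message], mode: str) -> Dict[str, bool]:
    """Return {subject: True if the message skips the spam filter} for a mode."""
    results = {}
    for m in messages:
        if mode == "address":
            ok = address_allowlist_bypasses(m, {"joe@example.com", "example.com"})
        elif mode == "ip":
            own = [ipaddress.ip_network(ip) for ip in OWN_SERVER_IPS]
            ok = ip_allowlist_bypasses(m, own)
        elif mode == "spf":
            ok = spf_protected_bypasses(m)
        else:
            raise ValueError("unknown mode: " + mode)
        results[m.subject] = ok
    return results


if __name__ == "__main__":
    for mode in ("address", "ip", "spf"):
        print(mode, classify(SAMPLE, mode))
```

Under the "address" mode both messages skip the filter, including the forged one; under the "ip" and "spf" modes only the message that really came through the company's own server does, and the forged one falls back to normal filtering, which is exactly the behaviour the recommendations above are after.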

2 Responses to “Save Yourself From “Yourself”: Stop Spam From Your Own Address”

  1. Protecting Yourself from “Web Bugs” in Your Email | LuxSci FYI Says:

    [...] me” lists, you may find yourself the target of increasing amounts of spam — even spam appearing to come from yourself or backscatter spam where your address was used to send spam to others.  If this is the case, you [...]

  2. Tracing the Origin of an Email Message -- and Hiding it | LuxSci FYI Says:

    [...] First, we see that this is a Spam message where the sender has forged the message so that the apparent “from” address matches the “to” address — to attempt to get around our spam filters.  For more on this technique, see Save Yourself From “Yourself”: Stop Spam From Your Own Address. [...]
