Save Yourself From “Yourself”: Stop Spam From Your Own Address

September 22nd, 2017

I just got junk email … from me!

It is surprisingly common for users to receive Spam email messages that appear to come from their own address (i.e. “joe@domain.com” gets a Spam email addressed so it appears to be from “joe@domain.com”).  We discussed this issue tangentially in a previous posting: Bounce Back & BackScatter Spam – “Who Stole My Email Address”?  However, many users wonder how this is even possible, while others are concerned if their Spam filters are not catching these messages.

How can Spammers use your email address to send Spam?

The way that email works at a fundamental level, there is very little validation performed on the apparent identity of the “Sender” of an email.  Just as you could mail a letter at the post office and write any return address on it, a Spammer can compose and send an email address with any “From” email address and name.  This is in fact extremely easy to do, and Spammers use this facility with almost every message that they send.

So, while you do own your domain name and can lock down the accounts you are using to send and receive email, there is no way to prevent someone else from sending an email message that purports to be from you or some address at your domain.  The best you can do is to use SPF and/or DKIM, technologies that build on these such as DMARC and ARC, or PGP or S/MIME digital signatures to allow your recipients to verify the messages if they want to (though most recipients may not know how to use these technologies).  E.g. with SPF, DKIM, DMARC, and ARC, recipients (including yourself) can use Spam Filters to determine that these messages were not authorized and can thus discard them as fraudulent.

Why do Spammers send you Spam that appears to be from you?

Sending email to you that appears to be from you is an increasingly popular Spamming trick.  As spam filters get more and more complicated, people have taken to adding their own email addresses and/or the their domain names to their spam filtering allow lists.  The intention is to ensure that no email from other people in their organization (or that they send to themselves) is ever caught in the spam filter by mistake — because no one in their domain is sending spam, right?

The problem is that as soon as you add your own email address or domain name to your spam filtering allow list, all email from these addresses will sail through your spam filters (as requested).  This includes all Spam email where the sender address is forged to appear to be from you.  It is not really from you, but the only thing that the Spam filter’s allow lists care about is whether the From address is on your allow list or not.

So, users who see that their spam filters are being ineffective against email that appears to be “from themselves” probably have their email address or domain name on their own allow list and thus have exempted all of that email from filtering.

What are the alternatives to having yourself on your allow list?

Of course, most people do not want to take their domain or address off of their allow list for the very reason they put it there in the first place … they don’t want to risk having their internal email caught in the filters.  So, what can they do that will meet this requirement and still allow the forged messages to be filtered?

The best thing to do is to add only the Internet addresses (IP addresses) of any servers from which you send email (e.g. SMTP servers and WebMail servers) to your allow list instead (if your spam filter allow list supports this).  This way, messages sent from the servers that you and your coworkers actually use for sending email will be allowed (and thus you will not lose internal email); however, messages sent from other servers (even if those messages appear to be “from you”) will be subject to the normal filtering process.  This will stop most of the forged spam for good, especially if you add DKIM and SPF to further assist your Spam filter in identifying fraudulent messages.

But are not DKIM or SPF good enough?

It is true that DKIM and SPF can be used to block email send from servers that are not authorized to send email from your domain; however, not everyone is willing to allow their filters to be so harsh as to block all messages that fail SPF or DKIM tests … as that can happen for many different reasons.  As a result, failed SPF and DKIM checks commonly make a message more spam-like, but do not always force the message to be considered spam.  Contact your filtering provider if you want to update your spam filter so that SPF or DKIM failures will cause the message to be rejected.

So, what do we recommend?

The simplest way to take care of this situation is to:

  1. Use Email Filtering systems that treat SPF and DKIM properly, to stop this kind of spam.
  2. Make sure that any catch-all email aliases are turned off (the ones that accept all email to unknown/undefined addresses in your domain and deliver them to you anyway — these are giant spam traps).
  3. Make sure that your email address and your domain name are NOT on your own Spam Filter allow or white list(s).
  4. Make sure that, if you are using your address book as a source of addresses to allow, that your own address is NOT in there (or else don’t white list your address book).
  5. Add the Internet IP address(es) of the servers from which you do send email to your allow list, if possible.  Contact your email provider for assistance in obtaining this list and updating your filters with it.
  6. Add SPF to your domain’s DNS.   Make it strict (i.e. “-all”)
  7. Use DKIM.  Make it strict (i.e. “dkim=discardable”).  See our DKIM Generator.
  8. Setup DMARC to enable servers to properly handle SPF and DKIM failures.
  9. Consider using Authenticated Received Chain (ARC) once it is available to you.  It will provide further levels of validation to handle problems with SPF and DKIM.

If you want to go further, consider use of technologies such as PGP or S/MIME for cryptographic signing of individual messages and consider “closed” email systems … where only the participants can send messages to each other.

Have a question about email? Ask Erik