FutureQuest, Inc. FutureQuest, Inc. FutureQuest, Inc.
Knowledgebase: Spam/Email Filters
Spam sent from my domain?
Posted on 11 January 2004 11:55 PM
Question:

We have been receiving email showing the "FROM" as various ID's such as dance@example.com and entertainment@example.com. They appear to be spam mail (mortgage, refinancing, etc.) but are definitely not something we generated.

Today, we also received two "MAILER-DAEMON" return notices that were identical and listed emails that were unable to be delivered and - again - these were not generated by us. We do not even have these addresses in our address book.

What is this about and how can we stop this unauthorized use of our domain name?

Answer:

Unfortunately, it is trivial for someone with the proper software and/or knowledge to forge the From header in an email message. Most spammers would have software that would make this very easy for them to accomplish. Additionally, virus software authors would also be able to do this easily. It is becoming quite common for spammers to send out email with the From header set to match the recipient's email address. In addition, many innocent bystanders find their domain victimized and used by spammers as the "sender" of a spam email, resulting in all the bounce messages being directed to this innocent third party.

This does not mean that the spammer has access to your account, your mail server, or any of your other data or services.

You will need to examine the full email headers in order to find out where the email was sent from. The Received headers are usually the best indicator of the origin of the email.

For resources on accessing and analyzing email headers, the following tutorials will help, and also provide links to further resources:
Spam/Email Filters
Why does this spam look like I sent it?
How do I determine the source of an email?
How do I report spam?

Unless inspection of the email headers reveals that the emails were actually sent from your account, you most likely will not need to implement any additional security measures.

You may also find the following discussions in the Community Forums to be of interest:
http://www.FutureQuest.net/forums/showthread.php?s=&threadid=12416
http://www.FutureQuest.net/forums/showthread.php?s=&threadid=12302
http://www.FutureQuest.net/forums/showthread.php?s=&threadid=12130

To attempt to put a stop to the unauthorized use of your domain in these emails, you can try researching the origin of the email and reporting it to the appropriate service providers. Unfortunately, the success rate for this type of investigation and reporting is rather low. Many victims in similar situations simply filter, delete, and otherwise ignore these emails.

Hopefully this provides some reassurance.