We’ve been getting a disproportionate amount of SPAM recently from someone hawking Viagra in their return e-mail address. You might imagine our astonishment, then, when we blocked the sender of the e-mail, only to discover that it was us!
Yes, Microsoft Outlook Express reported that we a had successfully blocked firstname.lastname@example.org. How could that be? How could a spammer have sent e-mail to us from our own e-mail address? It took very little Googling to learn some unfortunate truths.
First, using a false e-mail address—also known as spoofing—is no more difficult than writing a note, putting it in an envelope, and writing a different sender’s name in the upper-left-hand corner. The HTML code to accomplish that might look like this: <a href=”mailto:email@example.com”>This is a spoof</a>.
What the recipient will see in the From: field of the e-mail is, “This is a spoof,” but when he clicks on it, he’ll be sending an e-mail reply to us. Of course there’s a little more to it, but spammers are using far more primitive e-mail programs that don’t care who’s in the From:, To:, or Subject: fields anyway.
As far as the messages themselve are concerned, there’s good news and bad news:
The good news is that the message is very likely an isolated incident. That is, the spammer has used your e-mail address only for your message. Spammers have a very long list of e-mail addresses, and their spam programs simply go through the list substituting the next recipient for the sender. If that weren’t true, you would have heard from friends, relatives, and colleagues asking why you keep sending them e-mail extolling the benefits of Viagra.
The bad news is that there is very little you can do to stop this. It’s certainly a good idea to be proactive and notify your Internet Service Provider that it’s been happening. They could flag your incoming e-mail for closer examination and investigate any further spoofing more closely from their end.
If you hate spam as much as we do, you might investigate a third-party service like SpamCop. Or if you’re feeling particularly geeky, you can create a message filter that says, “If From:=me@myemail_address AND To:=me@myemail_address, move this message to my trash folder.”
This will catch the most basic stuff, and it leaves it in your trash folder (rather than deleting it) so you can look to see that something legitimate hasn’t slipped through. Also, on those few occasions when you need to send yourself an e-mail from your own desk (which is a legitimate reason to have your e-mail address in the From: and To: fields), you’ll still be able to pick it up in your trash folder.
Alas, I fear that SPAM and spammers will be with us for a long time to come until we can implement better sender authentication. Actually, HotMail—which had been a spammers’ paradise—is on the cutting edge of authentication technology and doing very well at it.
But until then, I can only dream that spammers will be caught and punished—not by spending time in jail—but by living out their days looping continuously through TSA checkpoints for as long as it takes to satisfy an angry public.