EmailDiscussions.com  

10 Nov 2008, 05:44 AM   #1
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Spam from your own address

Many users have discovered spam appearing to have been sent from their own address. This does not mean that anyone is using your account without your consent -- it is simply a consequence of the way the email system was designed, which lets anyone send email "from" any address. It's comparable to putting a random return address on an envelope, as it is very difficult to verify who actually sent the email/letter.

This type of email falsification is perpetrated by spammers to make the sender address of spam appear legitimate, and to avoid receiving the error messages that are generated by non-existent recipient addresses (spammers tend to send large amounts of messages to more or less random addresses).

Additionally, spammers exploit the fact that many email users have whitelisted their own address, which means that spam being sent "from" their own address will categorically be perceived as legitimate email by their spam filter, thus being delivered to their Inbox.

We therefore recommend that you do not include your own address in the whitelist (in the Filter section) or in the Contacts section (which is automatically whitelisted).

Please see our Anti-spam Info page for more information about spam and how to prevent it.

- Geir

24 Jan 2010, 06:37 AM   #2
nanook
Junior Member
 
Join Date: Jun 2004
Posts: 13
Spam from your own address

Geir -
Thanks for the generic info in your post; however, this information is inadequate for resolving the issue. I do understand that spoofing the sender address is a huge problem and that ISPs do not have full control over this until the Anti-Spam Technical Alliance finishes developing standards for sender authentication, and until ISPs are willing to adopt them, which result in loss of anonymity for users.

Among other problems, this situation of spoofing causes a legitimate sender address to end up in many other spam filters, some at an ISP level. I note that some ISPs are blocking the Runbox domain entirely. I've only dealt with one ISP who did this directly and which resulted in 'blocked' message indications to me (and it turned out to be an error on their part with IP address range provisioning in their servers), but I've noticed that when I try to sign up on some forums, I will receive a message that the Runbox email domain is blocked. This leads me to believe that the domain is blocked by some ISPs. And in some cases when I send messages to friends, they simply never receive the messages - although this can be due to filtering at their email client as well as direct ISP filtering.

One of the actions that might help, if only with messages that Runbox users get which appear to come from themselves, is for some filtering script which compares the 'from' field with the 'Received from' field. If these fields do not agree, the message should be filtered. I understand that sophisticated spammers will often forge even the 'Received from' field to further cover their tracks, but at the least, lack of agreement in these two fields is something that can be noted or filtered.

As an example, see the following header of a message I received today. This spammer used my own return address (farwest). The IP address is falsified (nslookup reports no domain exists) and they falsified the text domain, which is a school (Abraham Lincoln.edu) in Colombia, South America. The HTML message itself purported to be from an online Canadian pharmacy, but links embedded in the message indicate that the message came from China, and the links likely would invite a virus or worm attack if used.
-------------
Return-path: <farwest@runbox.com>
Received: from [10.9.9.162] (helo=pepper.runbox.com)
by takara.runbox.com with esmtp (Exim 4.69)
id 1NYexE-00076p-MH
for 'm_hench (@) runbox. com'; Sat, 23 Jan 2010 13:19:04 +0100
Received: from exim by pepper.runbox.com with spamfilter (Exim 4.50)
id 1NYex6-00021U-ID
for 'm_hench (@) runbox. com'; Sat, 23 Jan 2010 13:19:02 +0100
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_IMAGE_ONLY_20,
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bars.runbox.com
X-Spam-Level:
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_IMAGE_ONLY_20,
HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,MIME_HTML_ONLY,MISSING_DATE,MISSING_MID,
RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,USER_IN_WHITELIST
autolearn=disabled version=3.2.5
Received: from [109.96.220.219] (helo=abrahamlincoln.edu.co)
by pepper.runbox.com with smtp (Exim 4.50)
id 1NYex1-0001oD-N0
for 'farwest @ runbox. com'; Sat, 23 Jan 2010 13:18:52 +0100
To: <farwest@runbox.com>
Subject: ALM Works
From: Jean Haas <farwest@runbox.com>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <E1NYex6-00021U-ID@pepper.runbox.com>
Date: Sat, 23 Jan 2010 13:18:59 +0100
----------------------------

I understand that filter comparison of 'from' and 'Received from' fields, and filtering on that basis, will only affect inbound messages, and won't solve the other problem of ISPs blocking Runbox because of massive amounts of mail with spoofed Runbox sender addresses. Isn't the Open Relay Data Base somehow involved with policing or blocking this? Perhaps that's part of the ASTA issue still to be resolved.

Lastly, I've noticed that login time on this forum expires very quickly. I've had to log back in twice while writing this post. Why?

Sorry if my email protocol ignorance shows. Your comments appreciated.


Moderator: Fixed "live" email address to avoid spambots.

Last edited by Sherry : 24 Jan 2010 at 05:23 PM.
24 Jan 2010, 09:30 AM   #3
LinuxRoot
Junior Member
 
Join Date: Aug 2009
Posts: 20
Most of the spammers use services listed in most DNSBLs. Using an email service that utilizes DNS Blacklisting prevents receiving a good amount of spam.
25 Jan 2010, 08:37 AM   #4
Liz
The "e" in e-mail
 
Join Date: Jul 2001
Location: Los Angeles,CA
Posts: 4,652

Representative of:
Runbox.com
Hi,

As an aside, do you realize you have yourself whitelisted, as Geir mentioned, and thus this message was not labeled spam, despite the otherwise stratospheric spam score..?

I.e. the USER_IN_WHITELIST header.

Please note that having an address listed in your Runbox Contacts also whitelists them.

Liz
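
Added example (not part of any post in this thread, and not Runbox's filter code): a header audit for the situation discussed in posts #1, #2 and #4, where a self-addressed message arrives from an outside host and USER_IN_WHITELIST hides its real SpamAssassin score. The sample header is constructed with placeholder addresses; `TRUSTED_NETS` and the -100 whitelist score (SpamAssassin's stock value) are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample, modeled on the header quoted in post #2 (placeholder addresses and IPs).
SAMPLE = """\
Received: from [10.9.9.162] (helo=mx2.example.com)
\tby mx1.example.com with esmtp; Sat, 23 Jan 2010 13:19:04 +0100
X-Spam-Status: No, score=-88.9 required=4.0 tests=HTML_MESSAGE,
\tMIME_HTML_ONLY,MISSING_DATE,RDNS_NONE,URIBL_BLACK,USER_IN_WHITELIST
\tautolearn=disabled version=3.2.5
Received: from [203.0.113.7] (helo=school.example)
\tby mx2.example.com with smtp; Sat, 23 Jan 2010 13:18:52 +0100
To: <user@example.com>
From: Jean Haas <user@example.com>

body
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the provider's internal relays
WHITELIST_SCORE = -100.0  # SpamAssassin's stock USER_IN_WHITELIST score; a site may override it

def audit(raw):
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    status = re.sub(r"\s+", "", msg.get("X-Spam-Status", ""))  # unfold the header
    score = float(re.search(r"score=(-?[\d.]+)", status).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", status).group(1))
    tests = re.search(r"tests=([A-Z0-9_,]+)", status).group(1).split(",")
    # Received headers are prepended, so the last one records the hop that took the mail from outside.
    origin = re.search(r"from \[([0-9a-fA-F.:]+)\]", msg.get_all("Received")[-1]).group(1)
    external = not any(ipaddress.ip_address(origin) in net for net in TRUSTED_NETS)
    whitelisted = "USER_IN_WHITELIST" in tests
    unmasked = round(score - WHITELIST_SCORE, 1) if whitelisted else score
    return {
        "self_addressed": sender == rcpt,
        "origin_ip": origin,
        "origin_external": external,
        "whitelisted": whitelisted,
        "score_without_whitelist": unmasked,
        "spam_if_not_whitelisted": unmasked >= required,
        "suspect": sender == rcpt and external and whitelisted,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only Received lines written by the receiving provider's own servers can be relied on; anything below the first external hop is supplied by the sender.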
All times are GMT +9.