EmailDiscussions.com  

Old 29 May 2011, 01:19 AM   #1
bluesfan
Junior Member
 
Join Date: Jan 2007
Posts: 4
fastmail address "hijacked"

Hello Everyone:

I was thinking of sending this issue in a "support ticket" directly to the developers of fastmail but I figured it's better to post it here instead so that everyone can benefit, especially since I'm sure many of you have encountered this issue as well. I have noticed recently that my fastmail email address has been "hijacked" and used to send spam emails, meaning: someone is sending spam messages from their address to people I don't know but makes it look like the message is being sent from my email address so that the message looks "legitimate". So it's different from "hacking", where someone actually hacks into your account and either sends emails from it, or steals the email addresses of your contacts in your address book. I tend to guard my fastmail account very carefully and I change my password frequently. I understand this is NOT fastmail's fault and that they are probably doing their best to guard our email accounts, however I also need to use my address to contact lots of people all the time so I have no control over what happens to my address if it gets "harvested" in the process and falls into the wrong hands.

So, if the fastmail developers are reading this: could you please tell us what can be done about this issue? Is there a way to stop these spammers from abusing our addresses?? Are you currently working on any solutions to this? I have researched this issue on the internet and couldn't find much, although I did notice that Google is working on a feature to tackle this problem on their Gmail service (they have something called a "red bar" on their Gmail accounts where users can report such problems), so I am wondering if fastmail will do something similar or better? Thanks!!

Old 29 May 2011, 01:33 AM   #2
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Greetings bluesfan: it is currently impossible to prevent the forging of a 'from address' - regardless of the email service you use.

Do a forum search for 'joejob' (without the quotes) for more info.
Old 29 May 2011, 07:56 AM   #3
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
I agree completely with David. There is unfortunately nothing you or Fastmail can do to prevent this from happening. This is similar to what can happen with physical mail -- the sender can place any return address and signature on a mailing and place it into any mail drop box. See this Wikipedia entry: Joe Job

You can see how this works by trying it yourself -- in the Fastmail Compose screen, click the Edit button adjacent to the From field at the top, and enter your email address for another email service (such as Gmail) in the From field. Then enter exactly the same address in the To field. Add a subject and short message body and send the message. In the destination email service this message should arrive in your Inbox, and there will probably be no indication that it was sent from a different account. Gmail, for example, accepts such messages with no special marking. In some cases, the message might be marked as spam, but this isn't guaranteed.

There is no method of fixing this issue unless there is a major revamping of the way that mail (physical or email) works. For example, if you had to visit a post office and show several forms of photo identification to send a mail item with your name in the return address field, then the recipient could be reasonably assured that you had indeed sent that mail piece. However, this would only work if the complete mail system was secured, and nobody could insert a non-certified piece of mail into the system. The current public email system uses the normal Internet to transfer messages, and there are no well-established ways to prove you are who you purport to be.

Bill

Last edited by n5bb : 29 May 2011 at 08:26 AM. Reason: Added last section
Old 29 May 2011, 09:17 AM   #4
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Not entirely true. While per-user authentication is not really ever going to happen, what is happening is that domains are finding ways to do secure authentication among domains. So, Gmail is responsible for the integrity of the user@ portion of the email, and then Gmail maintains integrity of the @domain.com portion by using a system of secure transfer of those emails to the domains they are being sent to.

Now, the problem is that the system is not yet universal, but it is hopefully going to cut down on the amount of spam in the far future, but for the near future, well, nothing anyone can do.

Protect your accounts, protect your passwords, etc.
Old 29 May 2011, 10:15 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Quote:
Originally Posted by ChinaLamb
... So, Gmail is responsible for the integrity of the user@ portion of the email, and then gmail maintains integrity of the @domain.com portion by using a system of secure transfer of those emails to the domains they are being sent to. ...
I agree that some things are getting slowly better. But I can send a message to my Gmail account from my Fastmail web account (messagingengine.com SMTP), spoofing a friend's Gmail address in From. At Gmail, the received message looks normal and appears in the Inbox, and the photo of my friend appears as the sender. The Authentication-Results and Received-SPF headers both reported "neutral".

So it doesn't appear to me that Gmail is filtering incoming messages to their customers based on the SMTP matching the From domain, even though it's a gmail.com domain. Do you have some example of how Gmail prevents spoofing on messages arriving at their servers with gmail.com From addresses? I thought they would in the case I mentioned, but I can't see any spoofing detection taking place.

The SPF and other techniques are fine, but in the real world right now spoofing seems to still be widespread. I just got a very good fake message purporting to be from my bank, with a lot of fake headers. But it was obviously (to me) a phishing message, since it was sent to a different email alias than the one I use for that bank, and my name wasn't shown correctly. And it used the common technique of a warning that my account was compromised, and I needed to click a link in the message (or open an attachment) to resolve the issue. We need to all remember to never click a link in a message purporting to be from your bank or some other financial institution. It's easy to forget this simple rule!

Bill
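The kind of check post #5 looks for at the receiving side, as an added example that is not code from any poster, Fastmail or Gmail: treat the From domain as vouched for only when the receiver's own Authentication-Results header records an SPF or DKIM `pass` for that same domain. The `example.*` hosts, the `trusted_authserv` parameter, the helper names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches "spf=pass ... smtp.mailfrom=x" and "dkim=pass ... header.d=x" entries.
METHOD_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)", re.I)

def sample(auth_results, from_addr):
    """Build a constructed test message (not a real capture)."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: Friend <{from_addr}>\nTo: me@example.net\n"
            "Subject: hello\n\nhi\n")

def domain_of(value):
    return value.rsplit("@", 1)[-1].lower()

def aligned(from_dom, auth_dom):
    # Simplified: identical domain or a subdomain of the From domain.
    return auth_dom == from_dom or auth_dom.endswith("." + from_dom)

def check_from(raw, trusted_authserv="mx.example.net"):
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    vouched = []
    for header in msg.get_all("Authentication-Results", []):
        # Only believe results stamped by our own receiving server;
        # a sender can insert a forged copy of this header.
        if header.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue
        for method, result, ident in METHOD_RE.findall(header):
            if result.lower() == "pass" and aligned(from_dom, domain_of(ident)):
                vouched.append(method.lower())
    return {"from_domain": from_dom, "vouched_by": vouched,
            "authenticated": bool(vouched)}

if __name__ == "__main__":
    cases = [
        # "neutral" result, as reported in the post: nothing vouches for From
        ("mx.example.net; spf=neutral smtp.mailfrom=me@relay.example.com",
         "friend@example.org"),
        # DKIM pass for the From domain itself
        ("mx.example.net; dkim=pass header.d=example.org",
         "friend@example.org"),
    ]
    for auth, sender in cases:
        print(check_from(sample(auth, sender)))
```

An SPF `pass` for the relaying service's own domain does not vouch for a different From domain, which is why the check compares domains rather than just looking for the word `pass`.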
Old 29 May 2011, 09:46 PM   #6
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Well, like I said, it doesn't really work yet. But we have hope.
All times are GMT +9.

 
