recently there’re more and more reports and complaints similar to this:
I have been receiving bounced back messages from email addresses I never sent to. When I look at the bounced back message, it mentions failed delivery of emails I didn’t send in the first place.
And the bounced back message says the original email was sent from my domain:
somebullshitnamehere[at]xxxxx.com
xxxxx.com being my domain name. That’s why I received the bounced back.
The original messages are pure spam.
Looks like someone is using my domain/email address to send out spam emails? How can I stop it?
the bad news is, you can do nothing about it. neither can we do anything. in fact, nobody can stop that, except the spammers themselves.
the good news is, the spams were NOT sent from your domain/email account, therefore you do not need to worry.
then why do the spam emails look like they come from your domain, and why do you receive those bounces?
simply put, the spammers forged the email header. yes, spammers can forge, or spoof, email headers to make a message look like it came from your domain when it actually did not.
i would not go into details on how to forge an email header, for obvious reasons :-), just let you know that email header forgery is very easy. i could easily send an email that looks like it is from bill.gates@microsoft.com, while of course i do not have access to the bill.gates@microsoft.com email address. the best part is, Bill Gates has no way to stop me from doing this.
most email client software allows you to view the full email header.
in Outlook Express, right-click on the email, select “properties”, a new window will pop up, click on the “details” tab, and you will see the full header data, which should include these typical fields:
From: who the message is from. this is the easiest to forge. the email client shows this field as the sender.
Reply-To: the address to which a reply should be sent. often absent from the message, as it is the same as the From: field most of the time. easily forgeable as well.
Return-Path: the email address for return mail (bounces). same story as Reply-To:.
Message-ID: a unique string assigned by the mail system when the message is first created. also forgeable in most cases, but requires a little more knowledge.
Received: these are the most reliable lines in the header. they form a list of all nodes through which the message had to travel in order to reach its destination. they are unforgeable after the point where the message was injected, but up to that point they may be forgeries.
Received: lines are read from bottom to top; the last non-forged Received: line is where the mail originated.
below is such a bounced-back message i received just 5 minutes ago, which includes the header of the original spam email:
Hi. This is the qmail-send program at mail.strathcom.com.
I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.
<dewhcgme@kingswaylexustoyota.com>:
Sorry, no mailbox here by that name. (#5.1.1)
--- Below this line is a copy of the message.
Return-Path: <ubkpng@singaporewebhosting.com>
Received: (qmail 1194 invoked from network); 22 Feb 2007 18:18:15 -0000
Received: from 80.192.76.241 by mail.strathcom.com (envelope-from <ubkpng@singaporewebhosting.com>, uid 502) with qmail-scanner-2.01
(clamdscan: 0.88.5/2081.
Clear:RC:0(80.192.76.241):.
Processed in 0.05686 secs); 22 Feb 2007 18:18:15 -0000
Received: from unknown (HELO 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk) (80.192.76.241)
by mail.strathcom.com with SMTP; 22 Feb 2007 18:18:12 -0000
Received: (qmail 18642 invoked from network); Thu, 22 Feb 2007 18:18:20 +0000
Received: from unknown (HELO tawfij) (124.193.41.128)
by 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk with SMTP; Thu, 22 Feb 2007 18:18:20 +0000
Message-ID: <45DDDE6C.7000802@singaporewebhosting.com>
Date: Thu, 22 Feb 2007 18:18:20 +0000
From: Matty <ubkpng@singaporewebhosting.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: dewhcgme@kingswaylexustoyota.com
Subject: secession mantel
so, the From: and Return-Path: fields are forged. a spammer, pretending to be Matty at ubkpng@singaporewebhosting.com, sent a spam email to dewhcgme@kingswaylexustoyota.com.
domain kingswaylexustoyota.com is hosted by strathcom.com:
Received: (qmail 1194 invoked from network); 22 Feb 2007 18:18:15 -0000
Received: from 80.192.76.241 by mail.strathcom.com
at least these two lines are real: a server at strathcom.com received the email and bounced it back because dewhcgme@kingswaylexustoyota.com does not exist.
there are a few other Received: lines, none of which has anything to do with our domain or IP address.
this line is interesting:
Received: from unknown (HELO tawfij) (124.193.41.128)
IP 124.193.41.128 may reveal where the spammer is, but note that this line sits below the strathcom.com lines, so it was written before the message reached a server we can trust and cannot be verified.
the Message-ID: is also forged/fake.
we do not have a Matty here, and ubkpng@singaporewebhosting.com does not exist. since we have a catch-all account enabled, we received the bounced-back message addressed to ubkpng@singaporewebhosting.com.
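the header walk described above (read the Received: lines from the most recent hop down, trust only the lines written by a server you know, treat From:/Reply-To:/Return-Path:/Message-ID: as forgeable) can be automated. the script below is an added example, not part of the original post or of any mail software; it feeds the sample bounce header quoted above (embedded as constructed input) through a small header parser and reports the injection point. the trusted host set (mail.strathcom.com, the recipient's server in this bounce) is an assumption: in practice you would list your own mail servers there.

```python
import re

# Constructed sample input: the header block of the bounced spam quoted
# above, folded the way the bounce carried it (continuation lines start
# with whitespace).
SAMPLE_HEADERS = """\
Return-Path: <ubkpng@singaporewebhosting.com>
Received: (qmail 1194 invoked from network); 22 Feb 2007 18:18:15 -0000
Received: from 80.192.76.241 by mail.strathcom.com (envelope-from <ubkpng@singaporewebhosting.com>, uid 502) with qmail-scanner-2.01
 (clamdscan: 0.88.5/2081.
 Clear:RC:0(80.192.76.241):.
 Processed in 0.05686 secs); 22 Feb 2007 18:18:15 -0000
Received: from unknown (HELO 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk) (80.192.76.241)
 by mail.strathcom.com with SMTP; 22 Feb 2007 18:18:12 -0000
Received: (qmail 18642 invoked from network); Thu, 22 Feb 2007 18:18:20 +0000
Received: from unknown (HELO tawfij) (124.193.41.128)
 by 80-192-76-241.cable.ubr13.edin.blueyonder.co.uk with SMTP; Thu, 22 Feb 2007 18:18:20 +0000
Message-ID: <45DDDE6C.7000802@singaporewebhosting.com>
Date: Thu, 22 Feb 2007 18:18:20 +0000
From: Matty <ubkpng@singaporewebhosting.com>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: dewhcgme@kingswaylexustoyota.com
Subject: secession mantel
"""

# Assumed: hosts whose Received: lines we trust because we (or our provider)
# run them. For this bounce that is the recipient's server, mail.strathcom.com.
TRUSTED_HOSTS = {"mail.strathcom.com"}

# Fields the post lists as forgeable; they carry no evidence about the origin.
FORGEABLE = ("From", "Reply-To", "Return-Path", "Message-ID")


def unfold_headers(text):
    """Split a header block into (name, value) pairs, joining folded
    continuation lines back onto the field they belong to."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value):
    """Pull the sending host/IP, HELO name and receiving host out of one
    Received: line. Lines without a 'by' clause (qmail's local
    'invoked from network' bookkeeping) carry no hop information."""
    by = re.search(r"\bby\s+(\S+)", value)
    if not by:
        return {"by": None, "from": None, "helo": None, "ip": None}
    head = value[: by.start()]
    frm = re.search(r"\bfrom\s+(\S+)", head)
    helo = re.search(r"\(HELO\s+(\S+)\)", head)
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", head)
    return {
        "by": by.group(1),
        "from": frm.group(1) if frm else None,
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
    }


def trace(text, trusted=TRUSTED_HOSTS):
    """Walk the Received: chain from the top (most recent hop) down and stop
    at the first line not written by a trusted host. The sending IP recorded
    by the last trusted line is where the mail was injected; every hop below
    it, and every forgeable field, is unverified."""
    fields = unfold_headers(text)
    hops = [parse_received(v) for n, v in fields if n.lower() == "received"]
    last_trusted = None
    for i, hop in enumerate(hops):
        if hop["by"] is None:
            continue  # local bookkeeping line: neither evidence nor alarm
        if hop["by"] in trusted:
            last_trusted = i
        else:
            break
    cut = last_trusted + 1 if last_trusted is not None else 0
    return {
        "injected_from": hops[last_trusted]["ip"] if last_trusted is not None else None,
        "verified_hops": hops[:cut],
        "unverified_hops": hops[cut:],
        "forgeable": {n: v for n, v in fields if n in FORGEABLE},
    }


if __name__ == "__main__":
    result = trace(SAMPLE_HEADERS)
    print("mail was injected into our server from:", result["injected_from"])
    for hop in result["unverified_hops"]:
        if hop["ip"]:
            print("unverifiable earlier hop claims:", hop["ip"], "HELO", hop["helo"])
    for name, value in result["forgeable"].items():
        print(f"{name}: {value}  (forgeable, do not trust)")
```

on the sample bounce the script stops at the two lines written by mail.strathcom.com, reports 80.192.76.241 as the address that handed the spam to that server, and lists the HELO tawfij / 124.193.41.128 line as an unverifiable claim made by that machine, which is exactly the split between the "real" and "interesting" lines in the analysis above.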
spammers are bad and they lie…
sending spam email from Singapore should be punished heavily, I suppose; it is said that sending spam in Singapore can be fined up to US$657,000!