Ask Amir: How do spammers send from my email address?

In a previous Security Levity post, I was asked a question that often comes up. A commenter wondered how is it that spammers can send spam from "my" email address? And is that something we should be worried about?

Our anonymous friend asks:

This is probably a neophyte question, but I have always wondered how spammers send spam to my address, using my address as well. I suppose it's not that hard considering I can send myself a message at anytime, but I'm curious as to how the spammers do this.

This is absolutely a frequently-asked question, and not at all "greenhorn" (thanks to my handy thesaurus for that one). To answer it requires an understanding of SMTP -- the standard used for sending email between servers -- which stands for Simple Mail Transfer Protocol. Like many "mature" Internet standards, SMTP was invented back in the days when the Internet was a kinder, gentler place. A time when there was no spam, and the only users of the network were experimental souls, with good karma, who were trusted by all the other users. Yes, there really was such a time! Although SMTP has been enhanced quite a bit since then, many mail servers still operate with an assumption of trust. An evil spammer can pretend to be another mail server, connect to your mail server, and offer up a message that's not only addressed to you, but claims to have come from you as well! It's forgery, plain and simple; and forgery that's made simple by the implicit, blind trust that many mail servers have for each other. In fact, the spammers can send messages that pretend to come from anybody -- that's one of the tricks in the phishers' toolbag, allowing them to forge messages "from" your bank. Not only that, but spammers can send email to your friends and business associates, while pretending to be you. Not good at all.  

How to prevent the problem

The simple answer is that recipients need a spam filter that will detect and filter out those forged messages. (Well, I would say that, wouldn't I?)

There are also Internet standards that help other people's spam filters to detect forgeries of your email address. The main ones are SPF/SenderID and DomainKeys/DKIM. In simple terms, they allow you to publish information that tells a receiving email system whether a message "from" you is likely to be forged or not.

It's a good idea for email senders to support all these standards, to help prevent spammers forging your email addresses. First, your email administrator should publish an accurate SPF record for each domain you own. Second, your email system should sign all your outgoing email with DKIM. Talk to the people running your email system and ask them if they're doing both these things. (If they're not, ask them why and post their excuses below!) For various reasons, the standards aren't 100% foolproof, but they're useful as part of the spam filtering process. I don't have enough space to go into much detail in this post, but if you'd like me to talk in more detail about this in the future, do please write in below.

No discussion of sender forgery would be complete without a mention of backscatter (or "outscatter") -- rogue auto-replies that go to the message's forged sender. As I mentioned in a previous comment reply, that's something I plan to talk about soon.

I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!

When he's not masquerading as an FBI agent, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider. MORE...

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon