Someone’s sending from my email address!
How do I stop them?


Email spoofing is rampant. Spammers often send email that looks like it came from you. And there’s little that you can do about it.

It is not your fault!

You’re minding your own business and one day, you get email from someone who you’ve never heard of and they’re asking you to stop sending them email. They’re upset and they’re angry. Or worse yet, they accuse you of sending them a virus! You don’t know them, you’ve never heard of them, and you know that you’ve never sent them email.

Welcome to the world of viruses where you can get the blame for someone else’s infection. And there’s worse news to come.

Before I get into that, there’s always a possibility that your email account has been compromised. The solution there is simple: change your password immediately. That should prevent someone who’s using your account for malicious purposes from continuing, as long as you’ve chosen a good password.

But these days, that’s not the most common cause for the situation that I’ve described – viruses are. And what’s worse – there’s almost nothing that you can do.

This type of virus infects someone’s machine and then sends spam, lots of spam, forging the “From:” address for the email that it sends. It uses any address that it can find. That could be other email addresses that it’s sending to, email addresses fed to it by a botnet, or perhaps even the addresses in the address book of the infected computer. The infected computer will send email to everyone that it can, looking as if it was sent by other people, and you could be one of those “other people”, even if you had nothing to do with any of this.

How does this happen?

Let’s use an example: Juli’s machine gets infected with a virus. In her address book are entries for her friends, Aaron and Sally. Aaron and Sally have never met, have never exchanged email, and do not know each other – they each just know Juli. The virus on Juli’s computer will send email with the virus to Sally looking like it came from Aaron. Sally may wonder who the heck this Aaron person is and why he’s sending her a virus, but he was never involved.

If you’re in Aaron’s place, you can see how it would be frustrating to be accused of something that you had nothing to do with and have no control over.

Your email address may end up in the address books of people who you don’t know as well. Some email programs automatically hold on to additional email addresses that were included on email that you received or possibly from an email that was forwarded. Viruses have also been known to use other sources of email addresses or even forward them around as the virus spreads. What that means is that the simple “friend of a friend” example that I used with Juli, Aaron and Sally, while simple and certainly possible, is not the only way that your email could show up as a forged “From” line.

What’s important to understand is, one way or another, email viruses lie about who sent them.

What can you do?

If someone accuses you of sending a spam or virus email and you are absolutely sure that you did not do it, then unfortunately there is nothing you can do except try to educate them about how viruses work. Point them to this article if you like. Make sure you are clear that you are not the one who is infected nor is the person who received the mail claiming to be from you. It’s some third party who is. (And identifying that third party is difficult – this is why virus writers use this technique.)

Track and Block the Location of the Spammer

The first step to take is to find the sender’s IP address (this is sort of like an internet phone number) by examining the header of the email. The header contains identifiers that will lead you to where the sender is located. Most email programs hide this information from you by default because most of the time, you really don’t need to know everything in the header, but it’s easy to find. The header is the email’s history and lets you track everywhere the email went, as if you’re tracking a UPS package. If the email actually originated from your account, there’s still a copy in your sent folder. If no copy exists on your end, have one of the people who received your message forward the email back to you. Here’s how you find the header in most common email programs:

  • Gmail: Select the spam message. Click the down arrow next to the reply arrow. Select “Show Original.”
  • Outlook: Double-click to select the spam message and open it in a new window. Click File > Info > Properties. The header is displayed under “Internet Headers.”
  • Yahoo!: Select the spam message. Click “Full Headers” below the email.
  • Apple Mail: Select the spam message. Click View > Message > All Headers.
  • Hotmail: Select the spam message. Click the down arrow next to the reply arrow. Select “View message source.”
  • Thunderbird: Select the spam message. Click View > Headers > All.

Most other mail programs have a similar method to those above. Once you have the full header, look for the lines beginning “Received: from” toward the top of the header. From there, you can track the email’s journey through the internet. The top line is the origin of the email and it works its way all the way to your IP address at the bottom of the header. The IP address will look something like: 93.178.70.221.
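If you want to do the same walk on a saved copy of the message rather than by eye, here is an added example (my own Python, not from the article or from any mail provider) that pulls the Received chain out of a raw message and reports the claimed From address next to the first routable IP. One caveat the walk relies on: every relaying server prepends its own Received line, so the earliest hop is the last Received header in the block, and a first hop showing a loopback or private address is skipped because it says nothing about location. The message, hosts and IPs below are constructed.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample (not from the article): From claims Aaron, but the Received
# chain shows where it really entered the mail system. IPs are RFC 5737 ranges.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
\tby mx.example.net with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from localhost (unknown [127.0.0.1])
\tby relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: Aaron <aaron@example.com>
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loopback, link-local and RFC 1918: a hop in these ranges says nothing about location.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def received_chain(raw):
    """Hops in delivery order (origin first). Each relaying server prepends its
    own Received line, so the last one in the header block is the earliest hop."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        sender = re.match(r"\s*from\s+(\S+)", value)
        relay = re.search(r"\bby\s+(\S+)", value)
        hops.append({"from": sender.group(1) if sender else None,
                     "by": relay.group(1) if relay else None,
                     "ips": IP_RE.findall(value)})
    return hops

def origin_ip(raw):
    """First routable IP found walking forward from the earliest hop."""
    for hop in received_chain(raw):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None

def claimed_sender(raw):
    """The From address exactly as the sender wrote it; nothing checks it."""
    return email.utils.parseaddr(email.message_from_string(raw)["From"])[1]
```

Paste the full header you copied out of your mail program in place of RAW_MESSAGE; the IP that origin_ip() returns is the one to look up in WHOIS.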

Now we’re going to figure out where that origin IP address is located. Head over to DNSStuff and enter the IP address from the top of the header into the WHOIS field.

For the above IP address, we find information that this IP is registered to someone named Vladimir Sherstnev in Russia. The search results also mention this is probably a forged IP address, which means someone used it specifically to send out a bunch of spam emails to people. In this case, it means the original location of an email was faked and poor Vladimir was probably not at fault. If you like, you can report this address to the Internet Crime Complaint Center. However, another possible origin address type exists: your own IP address.

Not long ago I received a spam email from my dad. It originated at 209.85.171.XXX, which is owned by Google. This makes sense because his address is a Gmail account. In this case, it means his account was either hacked or spoofed. Hacked means someone got his password and went on a junk-emailing spree. Spoofed means someone is pretending to be him (or you). So, what do we do now? We see which of those two happened.

To check if your account has been hacked you need to look into the recent history on your account. This is going to vary by email provider but here’s how to do it in two of the big ones:

  • Gmail: At the bottom of your inbox, click Details. This will open a pop-up window with the recent IP addresses that have accessed your account (your current IP is listed on the bottom).
  • Yahoo!: Click your email address > Edit my account, then “View your recent login activity.”

As far as I can tell, you can’t get this information in Hotmail. If you’re on a private server, most webmail apps show your access history somewhere in the preferences panel.

If you see an IP address that isn’t one of yours (don’t forget you can search Google for “IP” to get your current address), then your account and password were probably hacked. Change your password and continue monitoring the logins to your account over the next few days. You should also check your password recovery options to make sure nothing was changed. If the hacker changes the recovery email to their own, they can still access your account even after you change the password. You can find these in the Preferences section for most email providers.

You have a few ways to check if your account is being spoofed. First, do the same search as above to make sure nobody is in your account. Next, check your forwarding options. Make sure your email isn’t set to forward anywhere you didn’t set it to. It’s also a good idea to run an antivirus scan on your computer. If you’re using Gmail, look at your authorized sites to ensure no apps that shouldn’t have access to your account do.

Finally, retrace your steps. Did you click on a phishing link or reply to spam mail? If you did, find that email again. Look at the complete header and track the information the same way you did above. This doesn’t solve the problem, but it does give a face (or an IP address at least) to the culprit. If it’s particularly irksome or continues to happen, report the address to your email provider and have them investigate it.

It’s unfortunate that once you track down the IP address of a spammer you don’t have a lot of options for taking action against them, but it is nice to see where it comes from.