Forged Spam Is Becoming A Plague

This information can be freely reproduced in any medium, as long as the information is unmodified.

Starting in March 2003, the U-M Virus Busters team noticed that many people have sent copies of suspicious email to us, thinking that these emails might have been sent out by computer viruses. In fact, there is no virus involved; these people are the victims, so to speak, of forged spam.

First, an important fact:

If your name is forged as the sender of the spam, this does not mean that your account has been compromised. The email is not sent from your account; instead, it is sent forged in your name.

Here's what happens, in brief:

1. A spammer gets a list of supposedly valid email addresses

2. Taking a trick from recent viruses, the spammer forges the email from one of these addresses, and probably sends spam to the rest of those email addresses.

   The "main victim" here is the person in whose name the email is forged: their good name is besmirched by the spammer. Of course, the people who receive the spam are victims as well.

3. If an address to which the spam is sent is invalid, email server software will generate a rejection notice (for each such address), saying that the email cannot be delivered to the intended recipient.

4. That rejection message will be sent to the apparent "sender" of the original email -- but the email server software usually isn't clever enough to recognize that the email is forged .... Hence it comes to the person whose email address was forged in Step 2 above.

5. The "forge-ee" gets mysterious copies of bounced emails that s/he didn't send....

Why do spammers do this? I don't know, but I suspect that it is their hope that email from a "real" address is more likely to be read by the recipient than email from a fake name. Perhaps it's to try to defeat email spam filters. Perhaps it's so that bounced email doesn't go directly to postmasters, who would get the accounts cancelled more quickly. Who knows? In any event, of course the spammer isn't going to use his or her real name!!

A few points:

• This original spam -- between spammer and the spammed -- contains information that shows where it originates. With proper analysis -- see e.g., links on our antispam page -- one can complain to the spammer's ISP and probably get the spammer's account cancelled. In particular, the "full email headers" show where the email originated.

• Unfortunately, the email "bounces" generated in Step 3 above do not always contain this full email header information. [That's a pity -- but it does seem that more often than not, email server software does include these data in the rejection message.]

• Moreover, getting the spammer's account cancelled does not necessarily stop the abuse of the victim's email address: The spammer just opens a new account at a different ISP and continues to send the forged emails. :-(

• These spammers forge many addresses. At once. They both forge different email addresses, and also use a single email address to send with multiple names. [In this latter case, for example, email might use the names "Bruce Burrell", "Brad Burrell", and even "Brian Bosworth" all with the same forged from "bpb@umich.edu" address.

  Probably the spammer isn't picking on a particular address with any malice toward that individual, but it sure won't look that way to the victim.

• A thought: if the spammer includes a web address in the email, you might be able to get that web site closed. This will cause considerably more pain and suffering to the spammer than closing a (free and anonymous, probably) email account, so this may yield the biggest bang for your effort. Similar techniques to those discussed in our anti-spam URL above can be used to find the spammer's web service provider.

• Reprise: Note that if your name is forged as the sender of the spam, this does not mean that your account has been compromised. The email is not sent from your account; instead, it is sent forged in your name.

• Until the laws change so that:
  • Spam is outlawed both in the U.S. and world-wide by international treaty and

  • Severe penalties against spammers are both put into the penal code, and aggressively enforced

    [So write to your congresspeople!]

  • or we file class action lawsuits for defamation of character

  • Or, perhaps, all ISPs somehow manage to block all spam before it gets sent, either by clever filtering or authenticated email (for technical details, see the reference section below)

  there's not much you can do about this, other than report the email to the spammer's ISP. Remember, the email probably is entirely external to U-M (or your email provider) so we can't help you ... much though we'd love to eradicate spam!. For example, neither the spammer nor the spammed have U-M accounts. Hence the U (or your ISP) isn't involved with the email in any way .. so it can't be blocked or otherwise prevented on the University email servers (because the original spam never goes through them).

It sucks. But to some degree, that's just the way email is.

It comes as no surprise that both spammers and those who write and distribute viruses and other malware would use the same scumbag techniques. They are a blight upon the planet.

Some References for Controlling Spam

See these URLs:

• CAUCE (leaving our site), The Coalition Against Unsolicited Commercial Email, has information about lobbying against spam.

• A Plan For Spam (leaving our site) offers an interesting technical approach to spam control.

• For a semi-automated way of reporting spam, see SpamCop (leaving our site)

Thanks to folks who have offered input for improving this page -- Will Rhee in particular.

If you want to pass this information along to others, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/forged_spam.html) . That way, the information will be most current.
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB