
Spam: Why Is it Coming from Me?

Many people receive spam messages purporting to come from themselves or other persons they know. How does this happen?

Introduction

The standard Internet email protocols were written with the fundamental goal of providing flexible and robust delivery of messages. They were written in an environment where a high degree of trust was reasonable (academic and government research agencies) and a high degree of flexibility was required. They were not written to meet the security demands of a ubiquitously connected and untrustworthy user population. The flexibility of the protocols and the lack of a mandatory authentication infrastructure make them very easy to exploit for those who are inclined to do so.

Email Message Headers

Standard email messages[smtp-def][smtp-std] will contain at least the following headers:

  • Date:
  • To:
  • From:
  • Subject:

All of this information is filled out by the user's Mail User Agent (a client program such as Mozilla Thunderbird, Microsoft Outlook or Apple Mail), and the server software does not second-guess it.

Furthermore, if you are a spammer, you can hire somebody to write a specialized server to gain even more control over the properties of the email as it leaves the computer, and there is no need for the sending host to bear any relationship to the one indicated by the From: field or any other field.

Analogy with Physical Mail

If I send a package to the President of the United States containing pornographic material with a label on the outside that says Remember that Party? and a return address of George W. Bush, this may provoke a standard snail-mail acknowledgement process that will result in a thank you letter to George W. Bush's place of residence. The FBI may even begin an investigation by contacting the President's predecessor, but they will (one hopes) realize that the labels on the package do not prove that George was the actual sender.

As with snail-mail, email contains additional markings that constitute an incomplete record of delivery. Just as the Toronto post-mark on Barack's pornography would constitute evidence that it was probably not sent by George, the Received: headers (which a mail client normally does not display) will generally permit at least partial tracking toward the genuine sender, since each server that handles the message adds one. If the email was sent via any intermediate spammer-controlled servers, the tracking can be obscured, because those servers can add or omit Received: lines as they please.
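To see what the Received: records can and cannot tell you, here is an added example (not code from the original page) that reads the chain from the receiving site's side: it trusts only the lines added by servers we run, finds the connection that handed the message in, and compares that with the unauthenticated From: domain. The message, the host names and the address range are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original page): From: claims a campus colleague,
# but the Received: chain shows the message entering our server from an outside address.
SAMPLE_MESSAGE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby inbox.example.edu with ESMTP id abc123; Mon, 01 Jan 2007 10:00:05 +0000
Received: from unknown (HELO friend.example.edu) (198.51.100.77)
\tby mail.example.edu with SMTP; Mon, 01 Jan 2007 10:00:01 +0000
Date: Mon, 01 Jan 2007 10:00:00 +0000
From: Colleague <colleague@example.edu>
To: victim@example.edu
Subject: Remember that party?
"""

TRUSTED_HOSTS = {"inbox.example.edu", "mail.example.edu"}  # assumed: servers we run
INTERNAL_PREFIX = "192.0.2."                                 # assumed: our address range

# "from <claimed name> (... <ip> ...) by <receiving host>", as most mail servers write it
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+).*?\(.*?(?P<ip>\d+\.\d+\.\d+\.\d+).*?\)\s*by\s+(?P<by>\S+)",
    re.DOTALL,
)

def entry_point(raw, trusted_hosts=TRUSTED_HOSTS):
    """Walk Received: lines newest-first through servers we trust; return (claimed
    name, ip) of the hop that handed the message in. Older lines may be forged."""
    entry = None
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or m["by"] not in trusted_hosts:
            break                     # left our infrastructure: stop trusting
        entry = (m["claimed"], m["ip"])
        if m["claimed"] not in trusted_hosts:
            break                     # this hop came from outside: it is the entry
    return entry

def from_domain(raw):
    """Domain of the (unauthenticated) From: header, e.g. 'example.edu'."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()

def looks_spoofed(raw, our_domain="example.edu"):
    """True when From: claims our domain but the message entered from outside."""
    entry = entry_point(raw)          # None: no trusted Received: data to judge by
    return (entry is not None and from_domain(raw) == our_domain
            and not entry[1].startswith(INTERNAL_PREFIX))
```

The decision rests only on the Received: line written by our own server; anything the sender put below it is just more unverified labelling on the package.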

Summary

  1. The From address does not determine who sent the mail.
  2. The Subject does not determine the contents of the email.
  3. In the case of email, the To address does not determine where it will be delivered.

Comments

I can create and send email to you (or your mother) with arbitrary contents that claims to have been sent by you to an arbitrary third party. That's just the way it works.

Think of the email headers and contents as an ordinary file with a set of hints to the server for where to send the message and how to label its place of origin. The server has full capacity to take your email and send it anywhere, regardless of the labels on the package. Under normal circumstances, a system administrator would not deploy such a server, because it fails to get the email of the user population to its intended destination. If you are a spammer, you will find such non-standard server behaviour to be very useful.

Anyone who has sent email from their home ISP while claiming to be sending from the Physics Department has used this flexibility in the constructive manner for which it was intended.

Because of the number of home users who do not purchase or consistently and appropriately use anti-virus software and who do not keep their computers updated with appropriate patches, a large but unknown number of machines have become zombie servers in the service of spammers and other internet bottom-feeders. It is quite possible that the number of legitimate email servers has already been eclipsed by the number of rogue servers.