Email address hijacking

29 08 2007

I get the occasional hijacking of my domain name with some fake string in front of it and most of the auto responses from the spam filters come back to *my* Spam Quarantine folder. After being a bit paranoid about my system being compromised, I was told by a system administrator that it wasn’t me, it was someone/machine out there in the wild who thought my domain name would be a good one to attach ‘xcsewagtsyqhgv’ to and send off messages about body part enhancements for body parts I don’t even have. <sigh>

I’ve now learned to live with it and just delete those messages, and I no longer get paranoid.

However, others do, as evidenced by a discussion thread this past week on the Lone Writers list. Probably one of the clearest explanations of this was posted today by Lou Quillio. With his permission, here’s his response to the person whose Gmail account appeared to have been hijacked:


In general there’s (almost certainly) not a problem, so you don’t need a solution. You just need information.

The phenomenon you describe is called “backscatter” or “outscatter”. It’s caused by mailer-daemons (you might say “email servers”) sending auto-responses when they identify spam. Spam is also called UBE, or unsolicited bulk email.

Here’s what happens:

A piece of spam is sent — to someone you don’t even know — with one of your email addresses as the ‘From:’ address. That *doesn’t** mean it was sent through your account or someone has stolen your login credentials. The ‘From:’ header in an email message is an arbitrary string, chosen by the sender. It isn’t authoritative in the slightest.

The piece of spam is received by the addressee’s mailer-daemon (pronounced “demon”), it’s identified as UBE, and blocked. The addressee never sees it.

Now the mailer-daemon has a decision to make. The matter can end there. Or, the mailer-daemon _could_ send an automated message to the ‘From:’ address, warning about possible UBE. That’s backscatter.

How useful are these auto-responses? Not very. Any knowledgeable sysop is aware that the ‘From:’ address is probably not the real sender.

But many send them anyway, and word them jarringly: “Considered Unsolicited Bulk Email FROM YOU”, etc. Uhh-huh. Why assume that, bub? Are you living in some innocent 1999 time warp?

Anyhow, this auto-response arrives at your GMail account and guess what? GMail marks it as spam. Because it is. Backscatter is spam. It’s unsolicited by you, the recipient, and sent in bulk.

Still with me? Spam sent + auto-response to somebody there’s no reason to assume sent it = more spam. Backscatter spam.

So there’s no _technical_ problem, just a network effect. Is there a _social_ problem? That, too, depends on how much information you and your peeps have, how well you understand what’s happening.

First concern: the spam sent under your name to Aunt Edna (or more likely to an utter stranger). What will Edna think of me?! Nothing. She didn’t even get it. Her mailserver blocked it. That’s why you got the auto-response.

Second concern: whomever (or whatever) warned you about sending spam apparently thinks you’re a bad girl. You don’t want _anybody_ thinking that. Relax. It was a machine, a rather dumb one.

Here are the take-aways:

  1. Never trust a ‘From:’ address alone. You can’t. You never could. So forget that.
  2. Ignore backscatter if you use GMail, Yahoo! Mail, or one of the other big services. If there’s a problem, it’s theirs. And there’s probably not a problem.
  3. Ignore backscatter if you *know* your desktop email client isn’t compromised. Past experience has made Windows users paranoid. Updated Windows installs aren’t nearly as vulnerable. It remains a best practice *not* to use Internet Explorer nor Outlook Express. They were the egregious point of failure– and, however improved, are vulnerable by design and ubiquity.
  4. Don’t fly into a tizzy and start spamming your peeps and your lists in shame. Windows trained this into you. You’ll have to train yourself out, and the first step to recovery is staying calm.
  5. Never, ever retrieve or send email over an insecure connection. GMail won’t let you, cuz Google’s not dumb. Whenever you’re setting-up an account, connect with SSL/TLS. POP3, IMAP, SMTP … no matter. Always choose the SSL option and avoid providers who don’t offer one. Your email account’s username and password can’t be filched if they’re never sent over an insecure wire.
  6. Send plain text email, and read messages as plain text regardless how they were sent. Why did the the Trojans admit the horse? Because it was fancy. You don’t need fancy. You’re a writer, not a formatter, and it’s your words that matter.

All that stuff about firewalls and virus scanners and changing passwords all the time … yeah, sure, that’s fine. But none of it’s related to your recent fear — which concerns a network effect and is cured with knowledge.


Thanks Lou!



2 responses

19 01 2009

I like your explanation. Thanks
I have a similar problem except these guys are using my email address to send out spam and now my email are blocked by many servers. They get the email address my website.

Any suggestions

15 05 2011

Thanks for that, that makes sense all the way up to how did whatever which sent the emails using your address know your Aunt Edna’s address????? Your account and address book must have been hacked. I can see that your description makes sense for emails sent to unknown people, but those in your contacts file????

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: