Forged Spam

If Tiger Technologies directed you to this page, it's because you reported an email message from one of our customers as “spam”.

We take these complaints seriously and investigate each one, but in this case, the message wasn't actually sent by one of our users: it was sent by a spammer who forged the email address of that user.

On this page:

About forged addresses

Almost no spammer uses his own address when he sends a message, because that would allow ISPs to easily block the spam. Instead, spammers forge other people's addresses. They prefer to use “real” addresses from working domain names, because those are less likely to be rejected by spam filters than completely fake addresses.

Almost every piece of spam you ever receive has a forged “From” address.

How can someone forge someone else's email address?

One of the flaws of the Internet mail system is that some ISPs allow any of their customers to send email using any address they want. For example, with many ISPs, you could open your mail program settings and change the “From” address to be "president@whitehouse.gov", and every message you sent from then on would say it was from “president@whitehouse.gov”. If you did this and sent spam, the “From” address would say “president@whitehouse.gov”, even though you had no access to the U.S. President's mailbox and the President had nothing to do with the message.

In short, you can’t trust the "From" address on a piece of spam, because the address that appears there can be anything the spammer wants to use.

This might seem surprising, but if you think about it, this is the same way paper mail works: you can send a paper letter that forges someone else’s address in the top-left corner of the envelope, even if you don't have access to that person's house mailbox. If the letter was malicious, the recipient would probably realize that it didn't really come from the person shown as the “From” address on the envelope.

So Internet email is no different than paper letters. It’s just more of a problem because it costs spammers almost nothing to send a message. These forgeries are happening all the time.

If your customer didn't send it, how can I tell who did?

There are several free services that will perform a detailed technical analysis of a spam message, telling you where it really came from (ignoring the forged “From” address and using the “Received” headers instead, which are like Internet postmarks) and automatically reporting it to the right party if you wish.

The most popular service (and one that we use ourselves) is SpamCop. It is extremely accurate at figuring out the real source of a spam message, and if everyone used it, there would be much less spam on the Internet. We strongly recommend using SpamCop to report the message you received — it will send the complaint to the ISP involved, and you should find that it does not send a report to Tiger Technologies.

How can I make sure I don’t receive forged spam?

The company that handles your incoming mail should be able to help with this. They should be able to detect and block most forgeries.

On a technical level, the messages our customers send are signed with DKIM and should pass SPF checks. Receiving mail servers can use that to detect and block mail that isn’t correctly signed, or which originates from invalid mail servers.

But I’m sure the mail isn’t forged, because the spam is being sent to a real contact list the address uses.

This is common, and doesn’t mean it’s not forged. It happens when spammers get hold of someone’s email password (perhaps through a security breach), then use that password and automated software to login and read the “From” address on each message in the Inbox.

After doing that, the spammers know who the address exchanges mail with. They “remember” the group of addresses and use various combinations as part of their forgeries. Importantly, they already have this information even if the password to the mailbox is later changed.

This use of known contacts makes it look like the real address is sending the spam, even though it’s not. (That’s the reason the spammers do this, of course: it makes it look even more “real”.)

So spammers can forge any address they want on any mail, and the fact that you “recognize” the address doesn’t mean it’s not forged. The only way to tell if mail is forged is to examine the “Received” headers to see where it came from, or to check the SPF source or DKIM signatures, as described above.