Why did I get a message saying I sent spam?
Occasionally, you might receive one or more "bounce" messages or "out of the office" messages saying that you sent a spam message to a nonexistent address, even though you know you didn't send it. Or someone might tell you that they received a spam message that appeared to come from your address. In some cases, spammers might even use your own address on spam or scams they send to you.
This can be quite alarming — it makes it seem that someone is using your account without your knowledge.
However, the spammer probably did not send the message through your account or our servers, and he has no access to your account or email, especially if you’ve changed your email password.
Instead, the spammer likely just “forged” your address as the return address of a message he sent through unrelated servers.
On this page:
- About forged addresses
- Will I get blamed for the spam?
- How can someone forge my address without access to my account?
- If they aren’t sent through my account, how is the spammer sending messages to people I know?
- How can I know for sure if this is what’s happening?
- Why did a spammer choose to use my domain name?
- What can I do about it?
- Why do I continue to receive bounce messages for five days after the spammer stops using my address?
- Are there technical solutions like “SPF”, “DKIM” and “DMARC” that can help stop forgeries?
About forged addresses
Almost no spammer uses his own address when he sends a message, because that would allow ISPs to easily block the messages. Instead, spammers forge other people's addresses. They prefer to use addresses from real working domain names, because real domain names are less likely to be rejected by spam filters.
This is an extremely common problem on the Internet. Almost every piece of spam you ever receive uses the forged "From" address of an innocent victim. Since spammers send billions of messages a day and always need new addresses, they might someday forge your domain name, too.
Will I get blamed for the spam?
No email administrator will think you're responsible for spam just because the spammer used your address as the "From" address. All email administrators know that "From" addresses on spam are usually forged and should be ignored. Automatic spam reporting services such as SpamCop will also ignore the forged sender address. You won't be blamed for it by Tiger Technologies or anyone else with control over your email.
Occasionally a spam recipient who doesn't understand how email works might blame you for it and send you a nasty note. Remember that such people are just frustrated at the spam they receive and don't know what else to do; you can point the person to our page that explains that you didn't send it, which also suggests that the person use a free service like SpamCop to report it to the proper authorities.
How can someone forge my address without access to my account?
A weakness of the Internet mail system is that many ISPs allow any of their customers to send email claiming to be from any address they want. For example, with many ISPs, you could open your mail program settings and change the "From" address to be "email@example.com", and every message you sent from then on would say it was from "email@example.com".
What's more, if you sent a message to an invalid address, the "bounce" would go back to "email@example.com", even though you had no access to the U.S. president's mailbox and the president had nothing to do with the message that was sent.
What this means is that pretty much anyone (including spammers) can forge any address, including your address, on an email message, even if they don't have access to your email account.
That might seem surprising, but if you think about it, it's the same way paper mail works. Someone could send a paper letter that forges your postal address as the "from" address on the envelope, even if they don’t have any access to your house. If that letter was undeliverable, it would be "returned" to you at the forged address.
So Internet email is no different than paper letters. It's just more likely to happen because it costs spammers almost nothing to send an email message.
If they aren’t sent through my account, how is the spammer sending messages to people I know?
If a spammer guessed or obtained your email password (perhaps because you used the same password elsewhere), then accessed your mailbox, they can build a list of addresses you send mail to or from. They can then use that list in their forgeries, even after you’ve changed your password to prevent them from sending through our servers.
How can I know for sure if this is what’s happening?
If you have a copy of the spam message, you can view its full headers, which are the equivalent of Internet postmarks. The full headers include technical information that shows where a message was really sent from.
Among other information, the full headers will always include two or more lines that start with “Received:”, like this example:
Received: from mail.example.com (mail.example.com [10.1.2.3]) by mail.example.com; Fri, 31 Dec 2099 23:59:59 -0800 (PST)
You should read these “Received” headers from bottom to top (the bottom-most one is the first one and shows where the message started from). You’ll probably see that the first header says it was sent through a different server, not a tigertech.net mail server. If so, that confirms that the spammer does not have access to your real account.
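The bottom-to-top reading described above can be automated. The following is an added example, not code from this page or from Tiger Technologies; the sample message, its hostnames and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample message: every hostname and IP below is invented.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailbox.recipient.example; Fri, 31 Dec 2099 23:59:59 -0800 (PST)
Received: from relay.unrelated.example (relay.unrelated.example [198.51.100.7])
\tby mx.recipient.example; Fri, 31 Dec 2099 23:59:58 -0800 (PST)
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.unrelated.example; Fri, 31 Dec 2099 23:59:57 -0800 (PST)
From: you@yourdomain.example
To: someone@recipient.example
Subject: constructed forged message

body
"""

# Matches the common "from HELO (rdns [ip]) by host;" layout of a Received line.
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[\s*([0-9A-Fa-f.:]+)\s*\]\)\s+by\s+([^\s;]+)"
)

def received_chain(raw):
    """Return the Received hops oldest-first (bottom header first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group(1), "ip": m.group(3), "by": m.group(4)})
    return hops

def entered_via(raw, provider_domain):
    """True if the oldest hop was accepted by a server under provider_domain."""
    hops = received_chain(raw)
    if not hops:
        return False
    host = hops[0]["by"].lower().rstrip(".")
    domain = provider_domain.lower()
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop["ip"], "->", hop["by"])
    print("entered via tigertech.net:", entered_via(SAMPLE, "tigertech.net"))
```

Only the "Received" lines added by servers you trust are reliable; a sender can fabricate any lines that appear below them, so treat the oldest hops as a claim rather than proof.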
Why did a spammer choose to use my domain name?
The spammer almost certainly didn't pick you specifically. Spammers use automated software that chooses "From" addresses at random based on huge lists of domain names and email addresses. They forge hundreds of thousands of different domain names on billions of messages every day.
Anyone who owns a domain name for several years will find it happens to them at some point. Our own tigertech.net addresses are sometimes used in spam forgeries, just like others.
What can I do about it?
The first thing we'd recommend is that if you use the "Catch All" address, turn it off unless you really need it. That will make sure you don't get any misdirected responses sent to addresses that don't really exist.
Turning off the catch-all address also makes your domain name less attractive to spammers who forge addresses. That's because spammers want to use valid addresses in their forgeries (some anti-spam systems actually check this), but they also want to change the forged address on each message so that recipients can't easily block an address to prevent spam. They're actively looking for domain names that use a catch-all address, because it allows them to easily forge an infinite number of "valid" addresses. Turning off the catch-all address solves this problem in most cases.
Beyond that, there is unfortunately little you can do about this except take comfort in the fact that most spammers regularly switch forged addresses to make their spam look different, so the problem will stop by itself. It's unusual for a single spammer to keep using a domain name for more than two days if you aren’t using the catch-all address.
Why do I continue to receive bounce messages for five days after the spammer stops using my address?
Many servers that forward mail try to deliver it for five days, then “bounce” it if it’s still undeliverable. This means that it’s common to receive a fresh set of bounce messages for several days, especially on the fifth day. It usually doesn’t mean there’s a new problem — it’s just the end of the original problem.
Are there technical solutions like “SPF”, “DKIM” and “DMARC” that can help stop forgeries?
If you only send “@example.com” mail through our company’s servers (and never through third-party servers), we can strengthen the DMARC record to indicate that mail sent through any other servers claiming to be “from” your domain name is always a forgery, making forgeries even more likely to be rejected (this is called a DMARC p=reject policy). Just let us know if your email is being forged and this applies to you.
Unfortunately, SPF, DKIM and DMARC only work if the receiver uses them, and not all receivers do that yet. Even worse, some receiving mail servers will initially accept a forged message, then send you a bounce when they find the SPF or DKIM don’t match. This is a good sign in that it means they’ve blocked a spammer from forging your domain name, but it’s still annoying to get “bounces” for messages you never sent.
Keep in mind that SPF, DKIM and DMARC can’t prevent spammers from trying to forge your domain name in spam they send through unrelated servers. These technologies just make it easier for receiving servers to detect when those forgeries are happening and reject the mail. This can paradoxically sometimes increase the number of bounces you see.
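How a receiving server arrives at that decision is sketched below as an added example (not code from this page or from any mail server). It shows why a forgery fails DMARC even when the unrelated server passes SPF for its own domain. It assumes a simplified organizational-domain rule (last two labels instead of the Public Suffix List) and ignores the "pct" and "sp" tags; the domain "bulk.unrelated.example" is constructed.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf = (result, envelope sender domain); dkim = (result, d= domain).

    Returns 'pass', or the domain owner's requested policy
    ('none', 'quarantine' or 'reject') when neither check passes AND aligns.
    """
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

if __name__ == "__main__":
    # Forgery: SPF passes, but only for the sending server's own domain.
    forged_spf = ("pass", "bulk.unrelated.example")
    no_dkim = ("none", "")
    print(dmarc_disposition("v=DMARC1; p=none", "example.com", forged_spf, no_dkim))
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com", forged_spf, no_dkim))
    # Genuine mail that was forwarded: SPF breaks, aligned DKIM still passes.
    print(dmarc_disposition("v=DMARC1; p=reject", "example.com",
                            ("fail", "example.com"), ("pass", "example.com")))
```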
Copyright © 2000-2022 Tiger Technologies LLC