Why did I get a message saying I sent spam?
Occasionally, you might receive one or more "bounce" messages or "out of the office" messages saying that you sent a spam message to a nonexistent address, even though you know you didn't send it.
This can be quite alarming — it makes it seem that someone is using your account without your knowledge.
However, the spammer almost certainly did not send the message through your account or our servers, and he has no access to your account or email, especially if you’ve changed your email password.
Instead, the spammer simply forged your address as the return address of a message he sent through unrelated servers.
On this page:
- About forged addresses
- Will I get blamed for the spam?
- How can someone forge my address without access to my account?
- If they aren’t sent through my account, how is the spammer sending messages to people I know?
- How can I know for sure if this is what’s happening?
- Why did a spammer choose to use my domain name?
- What can I do about it?
- Why do I continue to receive bounce messages for five days after the spammer stops using my address?
- Aren’t there technical solutions like “SPF” and “DKIM” that can help stop forgeries?
About forged addresses
Almost no spammer uses his own address when he sends a message, because that would allow ISPs to easily block the messages. Instead, spammers forge other people's addresses. They prefer to use addresses from real working domain names, because real domain names are less likely to be rejected by spam filters.
This is an extremely common problem on the Internet. Almost every piece of spam you ever receive uses the forged "From" address of an innocent victim. Since spammers send billions of messages a day and always need new addresses, they might someday forge your domain name, too.
Will I get blamed for the spam?
No email administrator will think you're responsible for spam just because the spammer used your address as the "From" address. All email administrators know that "From" addresses on spam are usually forged and should be ignored. Automatic spam reporting services such as SpamCop will also ignore the forged sender address. You won't be blamed for it by Tiger Technologies or anyone else with control over your email.
Occasionally a spam recipient who doesn't understand how email works might blame you for it and send you a nasty note. Remember that such people are just frustrated at the spam they receive and don't know what else to do; you can point the person to our page that explain that you didn't send it, which also suggests that the person use a free service like SpamCop to report it to the proper authorities.
How can someone forge my address without access to my account?
A weakness of the Internet mail system is that most ISPs allow any of their customers to send email using any address they want. For example, with many ISPs, you could open your mail program settings and change the "From" address to be "firstname.lastname@example.org", and every message you sent from then on would say it was from "email@example.com".
What's more, if you sent a message to an invalid address, the "bounce" would go back to "firstname.lastname@example.org", even though you had no access to the U.S. president's mailbox and the president had nothing to do with the message that was sent.
What this means is that pretty much anyone (including spammers) can forge your address on an email message, even if they don't have access to your email account.
That might seem surprising, but it's actually the same way paper mail works. Someone could send a paper letter that forges your postal address as the "from" address on the envelope, even if he didn't have any access to your house. If that letter was undeliverable, it would be "returned" to you at the forged address.
So Internet email is no different than paper letters. It's just more likely to happen because it costs spammers almost nothing to send an email message.
If they aren’t sent through my account, how is the spammer sending messages to people I know?
If a spammer guessed or obtained your email password (perhaps because you used the same password elsewhere), then accessed your mailbox, they can build a list of addresses you send mail to or from. They can then use that list in their forgeries, even after you’ve changed your password to prevent them from sending through our servers.
How can I know for sure if this is what’s happening?
If you have a copy of the spam message, you can view the “full headers” of it, which are the equivalent of Internet postmarks. The full headers include technical information that show where a message was really sent from.
Among other information, the full headers will always include two or more lines that start with “Received:”, like this example:
Received: from mail.example.com (mail.example.com [ 10.1.2.3 ]) by mail.example.com; Fri, 31 Dec 2099 23:59:59 -0800 (PST)
You should read these “Received”headers from bottom to top (the bottom-most one is the oldest one and shows where the message started from). If none of the headers say it was sent through a tigertech.net mail server, it was a forgery sent through a different server.
Why did a spammer choose to use my domain name?
The spammer almost certainly didn't pick you specifically. Spammers use automated software that chooses "From" addresses at random based on huge lists of domain names and email addresses. They forge hundreds of thousands of different domain names on billions of messages every day.
Anyone who owns a domain name for several years will find it happens to them at some point. Our own tigertech.net address is regularly used in spam forgeries.
What can I do about it?
The first thing we'd recommend is that if you use the "Catch All" address, turn it off unless you really need it. That will make sure you don't get any misdirected responses sent to addresses that don't really exist.
Turning off the catch-all address also makes your domain name less attractive to spammers who forge addresses. That's because spammers want to use valid addresses in their forgeries (some anti-spam systems actually check this), but they also want to change the forged address on each message so that recipients can't easily block an address to prevent spam. They're actively looking for domain names that use a catch-all address, because it allows them to easily forge an infinite number of "valid" addresses. Turning off the catch-all address solves this problem in most cases.
Beyond that, there is unfortunately little you can do about this except take comfort in the fact that most spammers regularly switch forged addresses to make their spam look different, so the problem will stop by itself. It's unusual for a single spammer to keep using a domain name for more than two days if you aren’t using the catch-all address.
Why do I continue to receive bounce messages for five days after the spammer stops using my address?
Many servers that forward mail try to deliver it for five days, then “bounce” it if it’s still undeliverable. This means that it’s common to receive a fresh set of bounce messages for several days, especially on the fifth day. It usually doesn’t mean there’s a new problem — it’s just the end of the original problem.
Aren’t there technical solutions like “SPF” and “DKIM” that can help stop forgeries?
SPF and DKIM / DMARC can help with this, and we do publish SPF records and sign your mail with DKIM if you use our mail servers. Unfortunately, SPF and DKIM only work if the receiver uses it, and not all receivers use them yet.
Even worse, some receiving mail servers will initially accept a forged message, then send you a bounce when they find the SPF or DKIM don’t match. Neither SPF or DKIM can prevent spammers from trying to forge your domain name in spam they send through unrelated servers: they just make it easier for receiving servers to detect when those forgeries are happening. This can paradoxically sometimes increase the number of bounces you see.