
Spammer uses your FROM address or domain

 
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Fri Oct 17, 2003 8:44 am    Post subject: Spammer uses your FROM address or domain

  • This tip explains how to block incoming mail from spammers
    who use your address. If you are concerned with mail they
    send to others (making you look bad), see this tip instead.

Question
I'm getting Spam in my IN Box because the sender uses my own "From" address or my personal/corporate domain. How can I fight back?

Answer
If you receive spam that shows your own From address or has a gray Control Stripe that says "Domain ALLOWED", it means that your address or domain has found its way onto your Allow List. Thus, mail is admitted from anyone claiming to have your address or domain. It's a simple deception, because there is no universally accepted standard for verifying sender addresses. Fortunately, Vanquish makes it easy to foil these spammers!
  • Remove your own address from the Allow List

    Click here. Place a check next to your own address(es) and click Remove (this button is at the top and bottom of the list). Don't worry. You can still send mail to yourself and it will be delivered (details below). If you use vqNOW (and not vqME), remove all addresses at your own domain from the Allow List. Their email will contain a signature that proves that they are trusted by you.

  • Place your own domain (ISP/corporate/personal) on the Domain-Exclude list

    Click here. Place a check next to popular domains and any that are part of your own address(es). Then click Move to: Exclude Domain. If you have other domains that fit this description, add them into the box at the top of the list and click Exclude Domain.
You might wonder how your email address got onto your Allow List. It occurred when you imported your address book or, perhaps, when you sent mail to yourself from another PC (you may have solved a challenge, thereby adding the address to your list of allowed senders).

So how can you continue to send mail to your own protected account, an ability that is useful to many email users? If you are using our vqME service, your mail will always be bonded - even when sending from a public PC such as from an airport or cafe. Just log into vqME.com or adjust the email program settings. Since the bonding technology resides on the mail server, you can send to yourself or to others from anywhere! Visiting vqME.com is an ideal technique, because you needn't do anything special to include your own address in a mailing. And bonds cannot be forged.

You can also send to yourself by using a special address that tells Vanquish the sender is trusted regardless of the From address. See this power tip for more details.

The SurfMatch feature automatically admits mail from any domain that you have logged into. It's a great way to whitelist an entire small business, because the process is totally transparent to you. But you certainly don't want to automatically accept all mail from very popular domains that are used by email services (such as AOL, Yahoo.com or gmail.com). That's why these companies are listed on your Domain-Exclude list. This is not a block list, but simply a list of domains that are excluded from the SurfMatch feature. [details]

Likewise, your own domain should be on the Domain-Exclude list, whether it is an ISP (for example, comcast.net) or your own personal/business domain. That's because spammers often use addresses that appear to come from your own domain to increase their chances of being admitted by filters.


Last edited by --VQ-- on Sat Dec 29, 2007 12:13 pm; edited 9 times in total
seiser.com



Joined: 31 Dec 2006
Posts: 10

Posted: Thu Jan 25, 2007 6:06 pm    Post subject: What happens if sender uses e-mail address of my friends

I suddenly get massive amounts of spam using the e-mail address of some of my friends in the From field. It doesn't seem logical to exclude them from the allow list since then my friends couldn't send me an e-mail anymore. They have Yahoo accounts, so I can't exclude their domain either. Am I missing something here?
How do spammers get the e-mail addresses of my friends in the first place?
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Thu Jan 25, 2007 8:34 pm

The above tip easily blocks spammers who spoof your own address. But the forgery of a friend's address (a less common problem), poses a more complex challenge...

Spammers rarely know with whom you communicate. But sometimes they can get this information by planting viruses into mail servers and routers (not necessarily in a user's PC). The virus only needs to sniff the email headers (From/To/Cc) to compile a list of email friendships. In much the same way, we maintain your Allow List, but we do this as your agent rather than your adversary.

When spammers have access to the address of a friend, you quickly discover that the Allow List is not an authenticated mechanism. In fact, ISPs permit senders to use any From address, because they know that users often wish to show their own custom domain, their work address, or their alternate persona.

If spammers are posing behind the address of someone on your Allow List, you have three options:
  • If they work for your own company (that is, they have the same custom email domain as you), then switch from vqME to vqNow, our small business platform. It protects your entire business rather than just your address. More importantly, email sent between members of your domain (and any user with compatible security throughout the world) includes proof that the sender already knows you and that you have exchanged mail with them before.

  • Alternatively, get your friend (the one whose address has been fraudulently adopted by spammers) to use vqME or any ISP that has adopted Trust Bond technology. Ask us! We'll find one in his neighborhood. Just contact us.

  • Alternatively, create a custom address for that individual. You can do this at vqME or with your own ISP or hosted domain. (It is better to create an ISP address because then you do not need to create a separate email program account to retrieve mail). Place the address on your List-Allow List. For more information see this or that.
Finally, whenever you receive mail that shows a long list of recipients, encourage the sender to never put addresses on the TO or CC lines when sending to a group. The addresses should always be placed on the Bcc line. (They should place at least 1 address on the TO line - but this can be a "dummy" address. That's because some ISPs reject email that has no recipient address).


Last edited by --VQ-- on Mon Dec 22, 2008 11:43 am; edited 5 times in total
seiser.com



Joined: 31 Dec 2006
Posts: 10

Posted: Thu Jan 25, 2007 9:41 pm    Post subject: Thanks VQ

Thanks VQ,
The first two paragraphs make perfect sense.

Good point in the third paragraph. I agree that a reputable server should allow the sender to set his "From" e-mail address. But then my friend's e-mails would always come from this server, and that would give me another way to identify him. The server is much harder for spammers to fake, I assume.
Maybe this is a feature that could be added to Vanquish at some point. It wouldn't have to be for all senders, just optional for the few friends that were compromised.

Fourth paragraph: Yes, I have my own domain, and I have created a few custom addresses for certain institutions that I put on the List-Allow List. I just feel bad telling my best friends not to use my main@mydomain.com anymore and instead use friendidentifier@mydomain.com. And wouldn't the spammers soon get their fingers on that custom address, too, if they catch my friend's e-mail to me? Then I would have to constantly give my friend a new e-mail address.
Further, it looks like I would still show my main@mydomain.com address in the "From" or "Reply To" field when I send an e-mail to my friend (since I can't make up that many special accounts, and also I don't want spammers to catch it again by screening my sent e-mail). If he hits reply, he will send it to the blocked main@mydomain.com address. I do have to block my friend's email (friend@hisdomain.com), don't I, because that is the identity that the spammers got their fingers on. Or does the reply-topic detection now come in and override his blocked address?

If I understood something wrong in these last two sentences, let me know.
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Thu Jan 25, 2007 9:56 pm

Here are some very quick thoughts about three issues in your reply. I would be happy to follow up on the phone (it's late and this also overlaps with other postings).
  • Don't block your friend's email address. The block list overrides all other methods. Even if it did not, you wouldn't want to automatically block him if he uses your main address.

  • We chose to avoid matching servers with senders - unless the owner of the sender's "claimed" domain publishes an SPF record (a list of legal IP addresses for anyone showing an address with that domain). That's because the user is free to send from other SMTP servers by domain policy. For example, an airport, a cafe, a friend's office, etc. Of course, the sender should really access his own mail server from these locations, but often people use a kiosk as it was intended.

  • I doubt that you would need to keep giving your friend a new address. The mechanism that revealed your contact information to a spammer is probably rare - and may even be a letter that was posted somewhere online (For example, someone may have posted an email from a different sender that had both you and your friend on the Cc line). That letter will be a static thing with an old address. Additionally, your friend would not have to remember your custom address. It would just replace an entry in his address book. He would still write to you using your real name. If he is away from his PC, he would use your main address and the smart filter or the challenge would let his mail through in short order.
seiser.com



Joined: 31 Dec 2006
Posts: 10

Posted: Fri Jan 26, 2007 12:27 am

VQ,

1. Thanks. Ok, so I only remove them from the Allow-List but don't put them on the Block-List.

2. Good, I didn't know how it works. I just assumed that my friends sending from Yahoo might always send from the same mail-server, or at least from a handful of servers. Then I would have had the chance to add these few servers over time to their name. I thought that this might have worked as an additional feature.

3. Ok, it will probably work.

Sorry to keep asking more and more questions, but at least all other users might benefit from reading this forum as well.
a) If I send an e-mail to my friend, wouldn't he automatically get on the Allow-List (by way of auto)? Then the spammer pretending to be them would again get through.

b) If my friend is now not on the Allow-List anymore, and a spammer sends me an e-mail pretending to be my friend, what happens? Wouldn't a challenge get sent out, and wouldn't that challenge be sent to my friend? That would be really annoying and confusing for him. Or does the challenge somehow go back to the original sender of the spam?
--VQ--
Site Admin


Joined: 06 Jan 2003
Posts: 590

Posted: Fri Jan 26, 2007 1:30 pm

Those are two really good questions. It's not often that I am stumped, but I want to think about this and discuss them both with my colleagues. This time, your questions are not "newbie" issues - but rather well thought out conundrums that may provoke new development effort.

I predict that you will soon be asking for admin status so that you can answer questions from other clients. When that happens, I shall retire - knowing that our customers are in good hands. :)

Incidentally, send us the IP address of the spammer - or the full headers of a message that forges your friend's email address. If the sending server is not sending desirable mail to many users, we will block the IP address globally. That should take care of this problem.


Last edited by --VQ-- on Sat Feb 03, 2007 5:07 pm; edited 1 time in total
seiser.com



Joined: 31 Dec 2006
Posts: 10

Posted: Fri Feb 02, 2007 9:04 pm    Post subject: Spammer was prank

Ok, I thought I'd post this in order to close the chapter.
I figured out that the spammer who pretended to be some of my friends was another guy I know. He tried to defeat my new system at vqme.com and forwarded spam to me by changing his From address to an e-mail address of another friend of mine in the allow list.
A few comments:

1.) I didn't think it was funny, since I really wasted a lot of time, but I am not sure what action I should really take either.

2.) It seems that this case really doesn't occur very often, and one might check if it is a guy playing a prank.

3.) How I found out was to look more closely at the headers. In this case he sent all from his home, but he could have sent them from internet cafes.
This was the section at the bottom of the header to look at:
Received: from [phonydomainofanotherfriend] (cpe-75-80-161-89.san.res.rr.com [75.80.161.89])
by ms-smtp-02.socal.rr.com (8.13.6/8.13.6) with ESMTP id l0R3QNjc026425
for <[myemailaddress]>; Fri, 26 Jan 2007 19:26:24 -0800 (PST)
Message-ID: <45BAC61A.776855F5@[phonydomainofanotherfriend]>

So 75.80.161.89 is the sender's IP address, and that was always the same on all the spam I received.

4.) Thanks to --VQ-- for all the support and help to sort this thing out. It has made it now even more safe for me.
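The two checks this thread leans on, written out as an added example (not Vanquish's code and not either poster's): pulling the first-hop IP out of the bottom-most Received header, as in the post above, and the SPF lookup --VQ-- describes earlier in the thread. The message is constructed to mirror the quoted header, and a hypothetical in-memory SPF record stands in for the DNS TXT lookup so it runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the header quoted in the post above; addresses
# are placeholders, the IP is the one the poster found in his own headers.
SAMPLE_MSG = """\
Received: from [phonydomain] (cpe-75-80-161-89.san.res.rr.com [75.80.161.89])
\tby ms-smtp-02.socal.rr.com (8.13.6/8.13.6) with ESMTP id l0R3QNjc026425
\tfor <me@example.com>; Fri, 26 Jan 2007 19:26:24 -0800 (PST)
From: Friend <friend@example.org>
"""
# Hypothetical SPF records standing in for DNS TXT lookups so this runs offline.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def originating_ip(raw):
    """IP in the bottom-most Received header: the first hop, and the only one
    not written by a server you already trust (the hops above are your own)."""
    received = message_from_string(raw).get_all("Received") or []
    match = IP_RE.search(received[-1]) if received else None
    return match.group(1) if match else None

def spf_verdict(domain, ip, records=SPF_RECORDS):
    """Minimal SPF: ip4/ip6 mechanisms plus 'all'. include, a, mx and redirect
    are skipped, so a production checker needs a resolver for those."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr in net:
                return QUALIFIERS[qual]
    return "neutral"

def check_message(raw):
    """(claimed From domain, first-hop IP, SPF verdict) for one raw message."""
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    ip = originating_ip(raw)
    return domain, ip, (spf_verdict(domain, ip) if ip else "none")
```

A "fail" verdict for a sender that is on your Allow List is exactly the forged-friend case discussed here; a "none" verdict means the claimed domain publishes nothing, which is why --VQ-- says the server cannot be matched to the sender in that case.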