Notes on Forged Addresses

By Lars Magne Ingebrigtsen

By now, most people are aware that spammers and viruses commonly forge headers to make it difficult to trace the spammers. What some people don't know is that spam now often uses a real, existing address in the From header -- but that address has been forged, making it look like the spam came from this person.

The reason I'm writing this page is that I (somewhat frequently) get messages out of the blue, accusing me of various crimes, and it almost always comes back to forged spam. As someone who has his email address plastered over half the net, I find it loses its charm after a while.

Here's how to tell forged mail from real mail: look at the complete headers of the spam you get, not just the From header. The most important header is the Received header; it tells you (somewhat reliably) what path the mail took to reach you. Each mail server that handles the message adds a Received line at the top, so the last Received line is the one closest to the sender.

Here's an example.

Received: from justine.libertine.org (justine.libertine.org [66.139.78.221])
	by hermes.netfonds.no (8.12.8p1/8.12.8) with ESMTP id hBT0ktOn011282
	for ; Mon, 29 Dec 2003 01:46:56 +0100 (CET)
Received: from 0-yga6.cm.chello.no (0-yga6.cm.chello.no [62.179.247.25])
	by justine.libertine.org (Postfix) with SMTP id B642A3A003B
	for ; Sun, 28 Dec 2003 18:46:47 -0600 (CST)
Received: from [62.179.247.25] by 530000x.netIP with HTTP;
	Sun, 28 Dec 2003 07:39:04 -0500
From: "Lars Ingebrigtsen" 
To: larsi@gnus.org
Subject: Give V1agra to your inkjet printer

The most important line here is that final Received line. This line can be forged, too, but usually isn't. It tells us that the message came from 62.179.247.25, which is 0-yga6.cm.chello.no. Now, a real message from me would look like this:

Received: from quimbies.gnus.org (quimbies.gnus.org [80.91.231.2])
	by hermes.netfonds.no (8.12.8p1/8.12.8) with ESMTP id hBT8mGOn014127
	for ; Mon, 29 Dec 2003 09:48:16 +0100 (CET)
Received: from larsi by quimbies.gnus.org with local (Exim 3.35 #1 (Debian))
	id 1Aat46-0007QI-00
	for ; Mon, 29 Dec 2003 09:47:54 +0100
From: Lars Magne Ingebrigtsen 
To: nobody@gmane.org
Subject: Don't give V1agra to your inkjet printer

The important bit here is that the final Received line says that the message came through quimbies.gnus.org, and the first line agrees with that. If the last Received lines point to hosts that are "far" from the address in the From header, there is a good chance that the address in the From header has been forged.

(This is a very short lesson in reading forged mail headers, and does not take into account all the subtleties of SMTP.)
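The check described above can be mechanised for triage. The Python below is an added example and not part of the original page: it extracts every Received header, takes the final one as the originating hop, and compares the hosts named there with the domain of the From address. The two sample messages are constructed from the header blocks above; the page does not show the addresses inside angle brackets, so <larsi@gnus.org> (the address the page says was forged) and the recipient addresses are assumed. The verdict is only a hint: as the text notes, the final Received line can be forged as well, and a legitimate sender may relay through an unrelated provider.

```python
import email
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional

# Constructed samples modelled on the two header blocks on this page. Addresses in
# angle brackets are assumed (the page does not show them); folding uses spaces.
FORGED = """\
Received: from justine.libertine.org (justine.libertine.org [66.139.78.221])
    by hermes.netfonds.no (8.12.8p1/8.12.8) with ESMTP id hBT0ktOn011282
    for <larsi@gnus.org>; Mon, 29 Dec 2003 01:46:56 +0100 (CET)
Received: from 0-yga6.cm.chello.no (0-yga6.cm.chello.no [62.179.247.25])
    by justine.libertine.org (Postfix) with SMTP id B642A3A003B
    for <larsi@gnus.org>; Sun, 28 Dec 2003 18:46:47 -0600 (CST)
Received: from [62.179.247.25] by 530000x.netIP with HTTP;
    Sun, 28 Dec 2003 07:39:04 -0500
From: "Lars Ingebrigtsen" <larsi@gnus.org>
To: larsi@gnus.org
Subject: Give V1agra to your inkjet printer

"""

GENUINE = """\
Received: from quimbies.gnus.org (quimbies.gnus.org [80.91.231.2])
    by hermes.netfonds.no (8.12.8p1/8.12.8) with ESMTP id hBT8mGOn014127
    for <nobody@gmane.org>; Mon, 29 Dec 2003 09:48:16 +0100 (CET)
Received: from larsi by quimbies.gnus.org with local (Exim 3.35 #1 (Debian))
    id 1Aat46-0007QI-00
    for <nobody@gmane.org>; Mon, 29 Dec 2003 09:47:54 +0100
From: Lars Magne Ingebrigtsen <larsi@gnus.org>
To: nobody@gmane.org
Subject: Don't give V1agra to your inkjet printer

"""

# "from <host> [(comment)] by <host>": the clause every Received line carries.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_LITERAL_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_host: str       # what the sending side called itself (or an IP literal)
    by_host: str         # the server that wrote this Received line
    ip: Optional[str]    # IPv4 literal recorded for the sending side, if any


def parse_received(value: str) -> Optional[Hop]:
    """Parse one (possibly folded) Received header value into a Hop."""
    flat = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    # Look for the IP literal only in the "from ..." part, before the "by" server.
    ip = IPV4_LITERAL_RE.search(flat[: m.start("by")])
    return Hop(m["from"], m["by"], ip.group(1) if ip else None)


def hops(raw_message: str) -> List[Hop]:
    """All hops in header order: first entry is the last relay, last entry the origin."""
    msg = email.message_from_string(raw_message)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def origin_hop(raw_message: str) -> Optional[Hop]:
    """The final Received line, i.e. the hop closest to the sender."""
    found = hops(raw_message)
    return found[-1] if found else None


def from_domain(raw_message: str) -> str:
    """Domain part of the From address, lower-cased ('' if absent)."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def host_in_domain(host: str, domain: str) -> bool:
    host = host.lower().strip("[]")
    return host == domain or host.endswith("." + domain)


def classify(raw_message: str) -> str:
    """'consistent' if the origin hop names a host under the From domain,
    'suspicious' if it does not, 'unknown' if there is too little to judge."""
    domain = from_domain(raw_message)
    origin = origin_hop(raw_message)
    if origin is None or not domain:
        return "unknown"
    if host_in_domain(origin.from_host, domain) or host_in_domain(origin.by_host, domain):
        return "consistent"
    return "suspicious"


if __name__ == "__main__":
    for label, sample in (("spam", FORGED), ("real mail", GENUINE)):
        o = origin_hop(sample)
        print(f"{label}: {classify(sample)} (origin: from {o.from_host} by {o.by_host}, ip {o.ip})")
```

Run as a script it reports the spam sample as suspicious (origin 62.179.247.25 via 530000x.netIP, nowhere near gnus.org) and the real mail as consistent (origin quimbies.gnus.org). The domain comparison is deliberately a plain suffix match; a mail provider that relays for many domains will show up as "suspicious" here even for genuine mail, which is exactly the "far from" judgement the text leaves to the reader.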

Feel free to use this page if you, too, are plagued by people complaining about spam apparently "from you".


Last modified: Mon Dec 29 09:33:03 CET 2003