ItsGeekToMe.co

Q: Lately some spammers have spoofed my email address and are sending out spam with my address in the “From” and/or “Reply To”. As a result my inbox is being flooded with bounced emails coming from whenever the spammers use a bad “To” address or when the recipient has an active anti-spam mail box that bounces back every unknown sender. Short of changing my e-mail address, what are my options to eliminate this flood of bounced emails coming to me?

– Kris W.
Destin, Florida

A: It actually took a little bit of detective work, and working with Kris for a couple of days to fix this problem.  So, rather than address Kris directly as I usually do my readers, I’m going to tell the story of what we did instead.

Anyone who has read my column for longer than a few months has surely seen me advise about protecting e-mail addresses and passwords. There are all kinds of things that can happen when a bad guy manages to get hold of your account information.  The problem Kris had fell into the category of “annoying, but tolerable” until we finally discovered what was happening.  I say that because the problem didn’t cause any immediate financial harm, i.e. – the bad guy wasn’t draining Kris’s bank accounts.  Kris was even still able to access and use his computer normally.  In fact, except for all of the bounced e-mail, there was no sign at all on Kris’s computer that anything was awry.  As we would come to find out, that’s because all of the e-mailing was being done on a completely different computer.

It was a relatively simple matter for me to examine the header of one of the bounced e-mails and determine the IP address where it had originated. It turned out that it came from the web server that hosts a website for Kris.  So, Kris contacted the servicing Internet Provider, and after a few back and forths, they told him that someone was using a web bot to access an e-mail form on Kris’s website, which was sending out hundreds, possibly thousands of SPAM e-mails.  Since the e-mails were originating from Kris’s account, any that failed to safely arrive in an inbox were generating a bounce notification.   These notifications were automatically routed back to the sender’s e-mail account, resulting in Kris’s inbox flood.  In this case, even changing the e-mail account’s password wouldn’t stop the spam, since its ultimate source was an automated web form.  What finally worked was adding a CAPTCHA test to the form.  I’ve talked about CAPTCHAs before (I.G.T.M. #299 – Apr 14, 2013).  CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.  These are those pictures of deformed letters and numbers that are relatively easy for a human to read, and difficult to impossible for a computer to read.  The CAPTCHA stopped the spambot in its tracks, so the spammer moved on to the next victim on his list. Pretty nefarious, eh?  And people wonder why I vehemently detest spammers.

Although Kris’s problem could not be solved with a password change, odds are, if something like this happens to you, that’s what most likely will fix the problem. Don’t forget to follow the rules of good password generation.  Specifically: A) Use passwords that are at least 8 characters in length – the longer, the better, B) Create passwords that include both upper and lowercase letters, numbers, and special symbols C) Don’t use names, significant dates, or other easily guessable information as passwords, D) Don’t share passwords among accounts – use a different password for everything you access.  There are more, but following even these few simple guidelines will result in strong, difficult to guess passwords, not just for your e-mail accounts, but in any situation where password-protection is required.