Email, Spam Control, Returned email from messages I never sent (email forging, spoofing, backscatter)

I received a mailer daemon email message or returned email about an email that I never sent.

Those who send spam or viruses often use tricks to hide their identity, cause confusion, or increase the chances of you opening their email messages. One of these tactics is known as "forging", or faking the email address in the From field of an email by listing a legitimate email address such as yours.

Because of forging, you might receive messages in your email account that appear to be a response to email you sent (these are called backscatter). These messages might have "Re:" in the subject line, contain "mailer daemon" errors, or look like they were returned by a company's anti-virus software. Additionally, some viruses look like rejected email so that you are more likely to open it to see what message you supposedly sent and thus inadvertently infect your computer with the virus.

A typical backscatter event goes like this:
  1.     A spammer sends spam to user@foo.com using your sender address (for example) netid@illinois.edu.
  2.     The foo.com mail server rejects the mail, either because the message is identified as spam, or because the recipient does not exist.
  3.     A bounce or automated reply is generated and sent back to netid@illinois.edu. The original spam content may or may not be included.
  4.     The bounce arrives at UIUC and is either filtered by Tech Services Spam Control or delivered to netid's inbox.
If you suspect you've been spoofed then you need to verify your account has NOT been compromised. Looking at the contents of your "Sent" folder will help you determine if your account was compromised.  

If your account has been compromised/hacked then you will see the spam in your "Sent" folder.   This is a good indicator that someone has logged into your account and is sending spam as "you."   If you suspect your account was compromised, then IMMEDIATELY change your password and send an email to security@illinois.edu informing the team of the compromise. They can help identify the source of the compromise and monitor the account to verify it's no longer compromised.

If your Sent folder doesn't contain the spam messages then your email may have been spoofed.

Unfortunately you/we cannot stop a spammer or virus from sending email as if it came from your account. Fortunately, backscatter outbreaks are often short-lived. Spammers will usually use a forged address for a short time, then move on to a new victim. In our experience, the spam stops in a day or two after the spammer moves on to another email address.

Your best recourse for these unwanted return messages is to set up filters that discard or reroute all mail with a subject line that includes one of the following:

Returned mail
Undelivered Mail Returned to Sender
Delivery Status Notification (Failure)
Delivery Notification






Keywords:forging spam control spoof spoofing returned receive received scatter bounce bounceback   Doc ID:49132
Owner:Email Relays E.Group:University of Illinois Technology Services
Created:2015-03-18 11:20 CDTUpdated:2017-03-01 13:51 CDT
Sites:University of Illinois Technology Services
Feedback:  2   1