When it’s from you, but it’s not you.
where “email@example.com” is someone I don’t know, but “firstname.lastname@example.org” is, in fact, my email address. It was as if I was getting spam from myself, but I did not send it.
How do I stop these emails from coming into my inbox? How do I stop them from being sent? It’s usually for drugs or financial services that I don’t need or would never be interested in. How can they use my own email? I can’t block them, as my email program says it is illegal to block my own email.
I’ll start with the bad news: there’s almost nothing you can do.
This is spam, pure and simple. Abusing your email address is only one of many techniques spammers use to throw their garbage into our mailboxes.
The remedies are pretty standard, albeit less than 100% effective.
Getting spam from yourself
The email protocols make the “From:” line pretty meaningless because it is so easy for spammers to send email that looks like it came from you. This is typically not a sign of a hack. It’s also not something you can avoid. All you can do is keep marking spam as spam.
What you’re seeing is called “spoofing”, or more correctly, From: spoofing: sending email that appears as if it’s coming from someone it isn’t.
Spammers hide the origin of their emails effectively. They use spoofing in almost all spam you see.
And it’s quite easy.
So easy, in fact, that the From: address in spam tells you absolutely nothing. There’s nothing in the email protocol requiring the From: line of a message to have anything to do with the message’s true origin.
To discover the true origin requires a more detailed analysis of email headers (which you normally don’t see), and even then, at best, you might get the IP address of the computer sending the email. And as I’ve discussed ad nauseam, the IP address is pretty much useless to you and me.
They’re not using your account
Many worry that because the email looks like it came from you, the spammer must have access to your email account.
They do not need access to your account to send spam that looks like it came from you.
Don’t be alarmed. It might be annoying, but there’s no need to worry about it. You’re already on spammers’ lists to get spam, and they’re using that same list, or variations of it, to select which addresses to use when spoofing.
Currently, there is no effective way to stop them.
Why you’re getting it
When you see your own address spoofed in the From: field of spam, it’s usually happening for one of two reasons.
- They’re trying to spam you, and know it’s unlikely you’ll block email from yourself. In fact, as you’ve seen, it’s not even always possible. It’s a bad idea even if you could; it could prevent legitimate email from reaching you.
- They’re trying to spam someone else, and what you’re seeing is a bounce message showing that the original spam was rejected by its intended recipient. Since the email looks like it came from you, even though you didn’t really send it, you get the bounce message.
Now, as to why the “email@example.com <firstname.lastname@example.org>”, where the two email addresses don’t match, or the more common “Name <email@example.com>”, where the name is obviously unrelated to the email address, I can only speculate. My guess is it’s intentionally confusing to boost the chance recipients will open the email out of curiosity, or a side effect of the tools spammers use, which may not be able to put together a proper name/email address pair.
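The header analysis mentioned earlier, applied to a From: line with a mismatched name/address pair, as an added example that is not part of the original article. The message, the `analyze` function and the IP addresses (documentation ranges) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail). The addresses are the
# article's placeholders; the IPs come from documentation-only ranges.
RAW = """\
Received: from unknown (HELO mail.example.org) (203.0.113.45)
\tby mx.example.org with SMTP; Tue, 02 Jan 2024 10:15:00 +0000
Received: from localhost (198.51.100.7)
\tby relay.invalid with ESMTP; Tue, 02 Jan 2024 10:14:58 +0000
From: "email@example.com" <firstname.lastname@example.org>
To: firstname.lastname@example.org
Subject: Constructed sample

body
"""

# An IPv4 address in parentheses or brackets, as servers usually log it.
IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def analyze(raw, my_address):
    """Compare what From: claims with what the Received: chain records."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    received = msg.get_all("Received") or []
    # Each server prepends its own Received: line, so the first one was
    # written by the recipient's provider. Lines below it were supplied
    # by the sending side and may be fabricated.
    top = IPV4.search(received[0]) if received else None
    lower = [m.group(1) for h in received[1:] for m in [IPV4.search(h)] if m]
    return {
        "from_addr": addr.lower(),
        "display_name": display,
        # From: claims to be the recipient, which proves nothing by itself.
        "claims_to_be_me": addr.lower() == my_address.lower(),
        # Display name is itself an address that differs from the real one.
        "display_is_other_address": "@" in display
        and display.lower() != addr.lower(),
        "connecting_ip": top.group(1) if top else None,
        "unverified_ips": lower,
    }

if __name__ == "__main__":
    for key, value in analyze(RAW, "firstname.lastname@example.org").items():
        print(f"{key}: {value}")
```

The only value here that the sender did not choose is `connecting_ip`, and as the article says, even that is of little practical use to the recipient.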
What to do about it
There’s nothing you can do to prevent From: spoofing.
Spammers can put whatever they like in the From: line. If they want to put your email address there, they can.
The good news is, most automated spam filters realize the uselessness of the From: line, and probably won’t start blocking the email you send because some spammer happens to be using your address. Naturally, some people might not realize this, and they could try blocking you, but given that spammers spam everyone, the chances that it’s someone you know or care about are pretty slim.
The only thing you can do is to keep doing whatever you already do to control spam. Typically, that’s marking spam as spam and moving on with your life.
The one thing to watch for
I want to be clear: since you’re able to log in to your own account to get your mail, what I’m about to caution you about is not very likely.
But it is possible.
Sometimes you’ll get spam from yourself if someone has hacked your account.
In your question, it’s clear you are able to sign in to your account, so if someone has hacked your account, they didn’t change the password. That’s unusual. Normally, a hacked account means you can’t log in.
It’s something to be aware of and perhaps check. For example, check the Sent Mail folder to see if there are messages you didn’t send. If so, take all the precautions outlined in Email Hacked? 7 Things You Need to Do NOW.
Even if you don’t find any hard evidence of a hack, there’s no harm in changing your password just to be on the safe side.