where “firstname.lastname@example.org” is someone I don’t know, but “email@example.com” is, in fact, my email address. It as if I was getting spam from myself, but I did not send it.
How do I stop these emails from coming into my inbox? How do I stop them from being sent? It’s usually for drugs or financial services that I don’t need or would never be interested in. How can they use my own email? I can’t block them, as it says it is illegal to block my own email.
I’ll start with the bad news: there’s almost nothing you can do.
This is spam, pure and simple. Abusing your email address is only one of many techniques spammers use to throw their garbage into our mailboxes.
The remedies are pretty standard, albeit less than 100% effective.
Become a Patron of Ask Leo! and go ad-free!
What you’re seeing is called “spoofing” (or more correctly “From: spoofing“): sending email appearing as if it’s coming From: someone that it isn’t.
Spammers hide their email’s origin, and do so very effectively. Spoofing is used in almost all spam you see.
And it’s quite easy.
The From: address is meaningless on spam — it tells you absolutely nothing.
There’s nothing in the email protocol requiring that the From: line of a message has anything to do with the message’s true origin. To discover the true origin requires more detailed analysis of email headers (which you normally don’t see), and even then, at best you might be able to get the IP address of the computer sending the email.
And as I’ve discussed ad nauseam, the IP address is pretty much useless to you and me.
That you’re seeing your email address in the From: field of spam shouldn’t alarm you. It might be annoying, but there’s no need to worry about it. You’re already on spammer’s lists to get spam, and they’re using that same list, or variations of it, to select which addresses to use when spoofing.
Currently, there is no effective way to stop them.
Why you’re getting it
When you see your own address spoofed in the From: field of spam, it’s generally happening for one of two reasons:
- They’re trying to spam you, and know it’s unlikely you’ll block email from yourself. In fact, as you’ve seen, it’s not even always possible — but I’d consider it a bad idea, even if you could. It would prevent legitimate email from reaching you.
- They’re trying to spam someone else, and what you’re seeing is a bounce message indicating that the original spam was rejected by its intended recipient. Since the email looks like it came from you, you get the bounce message.
Now, as to why the “firstname.lastname@example.org <email@example.com>”, where the two email addresses don’t match, or the more common “Name <firstname.lastname@example.org>”, where the name is obviously unrelated to the email address, I can only speculate. My guess is it’s either intentionally confusing, to boost the chance recipients will open the email, or a side effect of the tools spammers use, which may not be able to put together a proper name/email address pair.
What to do about it
There’s nothing you can do to prevent From: spoofing.
Spammers can put whatever they like in the From: line. If they want to put your email address there, they can.
The good news is, most automated spam filters realize the uselessness of the From: line, and probably won’t start blocking the email you send because some spammer happens to be using your address. Naturally, some people might not realize this, and they could try blocking you, but given that spammers spam everyone, the chances that it’s someone you know or care about is pretty slim.
The only thing you can do is to keep doing whatever it is you do to control spam. Typically, that’s marking spam as spam and moving on with your life.
The one thing to watch for
I want to be clear: since you’re able to log in to your own account to get your mail, what I’m about to caution you about is not very likely.
But it is possible.
Sometimes you’ll get spam from yourself if your account has been hacked.
You can log in to your account, so if your account has been hacked, the hackers didn’t change the password. That’s unusual. Normally, a hacked account means you can’t log in.
Nonetheless, it’s something to be aware of, and perhaps check. For example, check the Sent Mail folder to see if there are messages you didn’t send. If so, take all the precautions outlined in Email Hacked? 7 Things You Need to Do NOW.
Even if you don’t find any hard evidence of a hack, there’s no harm in changing your password, just to be on the safe side.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,