I received a lot of complaints from parties who were spammed by my domain, but I never sent out anything! Do you have any advice?

Regrettably, this is not news to anyone who is familiar with how email is sent on the Internet. In fact, this problem is so widespread that if you search for "email forgeries" on Google, plenty of links are returned as your query result. For instance, the following:

• Email Forgeries - from The Gadwall Group
• Tracking the source of email spam
• Reading Email Header
• Basic Spamfighting from SORBS

It is of interest to note that even the widely used real time spam blocking site spamcop.net suffers such forgeries from time to time. In the spam industry, this kind of trickery is also called "joe-jobbing". You may wish to read an article from TechTV that provides you more background.

You will also want to check Reuter's Article:"Is Your PC Sending Viagra Spam Behind Your Back?"

Also of note is the fact The House of Representatives have passed an anti spam Law. This law will go into effect January, 2004. You can check out News.com's article regarding the law here.

If you are technically inclined, the following UNIX manual page should prove a good read: forgeries - how easy it is to forge mail.

The main page is written by Dr. Dan Bernstein, creator of the excellent, freely available, email system qmail for UNIX.

Think of the envelope of an email as the regular envelope. If you wanted to, you could write "any" address in the return address portion on the envelope. The post office can be equated to an ISP, so it will deliver your mail regardless of the return address. Of course, if the address says Iceland, but the mail was sent from San Francisco, you know something is up. Regretably, the ease of sending email allows spammers to make the forgeries discussed above on much larger scale and more often, so it's much harder to counter.

You may be thinking the situation is hopless. It's not. There are a few things you can do:

• Ask whomever complains to you to send you a copy of the full envelope from the spam message they received. If this person doesn't know what an email envelope is, ask the party to review the following AZC online FAQ: http://www.azc.com/htmls/faqs/unable_to_smtp.html#envelope, and the above links from Google search.
• Identify the origin of the spam using the tips given in the google search links above.
• Inform the recipient that you have nothing to do with the sending party (e.g. you are never a user of the ISP whose mail server(s) were used for sending the spam.)
• Also, refer the recipient to the above links so that s/he can gain an understanding that accusing others for sending a spam is not a trivial matter. Just because the From: line of a message shows it's from certain person, doesn't mean it is "in fact" from that person at all. The history of the message embedded in the envelope should help to verify this to great extent, but not 100%!

In other words, tell the affected party that for a spam, the From: line shown in a typical email reader software is not very trustworthy at all. Most spammers use others' identities in this line to hide their trails. Harassing these victimized innocent parties is not advised, as it punishes innocents.

• Inform the upstream connectivity provider of the spam sending party directly All established ISPs have an Acceptable Usage Policy that forbids users from sending spam.

Of course, if you routinely use cryptographic software such as GnuPG, then it's very easy for you to refute a complaint. Simply tell the victim that the spam doesn't contain your cryptographic signature, so it's not sent out by you.

A final word: to fight an enemy effectively, you need to know your enemy well. So, we encourage you to learn more about fighting spam as soon as possible.

faq's quick search