Receiving fake spam emails on Thunderbird from myself

How to block yourself?

What’s happening here is that spammers are spoofing your email address in an attempt to bypass any kind of spam protection you have. Unfortunately, depending on how your business’ spam protections are set up, this is actually a decently effective trick.

You didn’t provide a ton of details about what you do, but I think the first, best step is to go bug your IT team — if you have one — and get them to set up server-side rules that check to see if an email is being sent from outside your organisation but using your organisation’s domain as part of the sender’s (fake) email address.

That process isn’t really one I can speak to, as I’ve never done it, but your IT team should be able to set this up. Additionally, whoever is in charge of your business’ infrastructure will want to make sure they have set up , which are all ways you can help establish that emails being sent from your domain are authentic (and emails you receive that are seemingly from your domain, but really aren’t, are correctly marked as spam).

If you own your own domain and your business is a company of one, it’s worth exploring what documentation your web host has on these three protocols. Your host might be able to spell out how to set them up in an easy-to-understand fashion, which could give you a great tool in your fight against, well, your self-spam.

Without Outlook itself, make sure you’re using the program’s spam-fighting capabilities to their fullest. In my version of Outlook, I can access the junk mail filter by clicking on the Home tab and the tiny Junk shortcut (to the right of “New Email” and “New Items”).

Screenshot: David MurphyScreenshot: David Murphy

Screenshot: David Murphy

In the drop-down menu that appears, click on Junk Email Options and make sure it’s on, first of all, and set to a level you’re comfortable using. Definitely go “low” at least; consider “high,” but you’ll want to check your Junk Email folder from time to time in case anything legitimate gets caught up in the filter. You can also set it up so that only email addresses or domains on a whitelist can make it into your inbox, but that probably won’t solve your “sent from myself” issue, as it sounds like you don’t necessarily want to block your own email address.

While I’m thinking about it, check your sent folder to make sure that you aren’t sending out this spam to, well, yourself. I doubt this is the case but, if so, that’s a whole new problem: one that involves changing your passwords, disabling access to third-party apps that you’ve tied to your email account, et cetera. (In short, you’ve been hacked somehow, and spammers are actually blasting email from your address.)

You can try installing a third-party app like Mailwasher to help you deal with your spam issues. I haven’t used this one myself, but the free version is worth investigating to see if it can actually help you cut down on spoofed emails.

If you’re still having issues, you can also try creating a new email alias at your company. Filter any messages that come from your “old” email address into the trash, and only use this new email when you’re meaning to send messages to yourself. It’s a crude workaround, but a simple one.

Finally, if you’re a team of one and you’re just using your webhost’s email capabilities to receive messages for your business, you might want to consider contacting them to make sure you’ve enabled any and all spam protection for your domain. You can also consider setting up a service like Google’s G Suite for your domain.

It will cost you $US5 ($7) monthly, but Google’s built-in spam-fighting capabilities are pretty formidable, and you’ll still be able to use Outlook to view your emails if you want.

Video

Why you’re getting it

When you see your own address spoofed in the From: field of spam, it’s generally happening for one of two reasons:

  • They’re trying to spam you, and know it’s unlikely you’ll block email from yourself. In fact, as you’ve seen, it’s not even always possible — but I’d consider it a bad idea, even if you could. It would prevent legitimate email from reaching you.
  • They’re trying to spam someone else, and what you’re seeing is a bounce message indicating that the original spam was rejected by its intended recipient. Since the email looks like it came from you, you get the bounce message.

Now, as to why the “someone@somedomain.com <myemail@outlook.com>”, where the two email addresses don’t match, or the more common “Name <myemail@outlook.com>”, where the name is obviously unrelated to the email address, I can only speculate. My guess is it’s either intentionally confusing, to boost the chance recipients will open the email, or a side effect of the tools spammers use, which may not be able to put together a proper name/email address pair.

Use DoNotPay to Stop Junk Mail From Your Own Email Address

Whether you want  to stop receiving unwanted email

Whether you want to stop receiving unwanted emails from your email address or to stop spam emails altogether, DoNotPay can help. 

DoNotPay is the first virtual lawyer in the world, and its new feature—the Spam Collector—will block anyone from sending you spam emails, even if those emails appear to be coming from your email address. 

Here is how to get your revenge on spam emails with our app:

  1. Open DoNotPay in your web browser
  2. Click on the Spam Collector option
  3. Enter your email address to connect it with DoNotPay
  4. Forward the next email you receive to spam@donotpay.com 

Once you complete all the steps, you won’t get any more emails from that sender anymore. DoNotPay will also notify you if there is a class action against the sender. Look for the flag in the Spam Collector tab on your DoNotPay dashboard, and if there is an active class action, you can add yourself to it.

What Email Services Do to Combat the Problem

This email appeared to come from our personal addr
This email appeared to come from our personal address, but a look at the headers reveals this is a simple email change trick.

The fact that anyone can fake a return email address so easily is not a new problem. And email providers don’t want to annoy you with spam, so tools were developed to combat the issue.

The first was the Sender Policy Framework (SPF), and it works with some basic principles. Every email domain comes with a set of Domain Name System (DNS) records, which are used to direct traffic to the correct hosting server or computer. An SPF record works with the DNS record. When you send an email, the receiving service compares your provided domain address (@gmail.com) with your origin IP and the SPF record to make sure they match. If you send an email from a Gmail address, that email should also show that it originated from a Gmail-controlled device.

Unfortunately, SPF alone doesn’t solve the problem. Someone needs to maintain SPF records properly at each domain, which doesn’t always happen. It’s also easy for scammers to work around this problem. When you receive an email, you might only see a name instead of an email address. Spammers fill in one email address for the actual name and another for the sending address that matches an SPF record. So, you won’t see it as spam and neither will SPF.

Companies must also decide what to do with SPF results. Most often, they settle for letting emails through rather than risking the system not delivering a critical message. SPF doesn’t have a set of rules regarding what to do with the information; it just provides the results of a check.

Advertisement

To address these issues, Microsoft, Google, and others introduced the Domain-based Message Authentication, Reporting, and Conformance (DMARC) validation system. It works with SPF to create rules for what to do with emails flagged as potential spam. DMARC first checks the SPF scan. If that fails, it stops the message from going through, unless it’s configured otherwise by an administrator. Even if an SPF passes, DMARC checks that the email address shown in the “From:” field matches the domain the email came from (this is called alignment).

Unfortunately, even with backing from Microsoft, Facebook, and Google, DMARC still isn’t widely used. If you have an Outlook.com or Gmail.com address, you’re likely benefitting from DMARC. However, by late 2017, only 39 of the Fortune 500 companies had implemented the validation service.

Tags

Leave a Reply

Your email address will not be published.