ID #234

Someone is sending viruses or spam that appears to come "from" an address at my domain.

Applies to: Grid System

This type of abuse happens frequently to many domain name owners: spammers rarely use their own domain names in spam, and viruses select addresses randomly from other people's address books.

Sometimes spammers just make up return addresses to put in their spam and it is a coincidence that this time they chose one that happens to belong to you. Sending an email that appears to have come FROM someone who did not send it is known as "forging email".

Anyone with Outlook or any other email program can forge whatever address they want in the FROM field of an email, regardless of whether they own the domain name in the address, regardless of whether they have permission to use it, and regardless of whether the domain name even exists or is valid. There is nothing that the rightful owner of a domain name can do to stop people from sending out email with an address in the FROM field using someone else's domain name.

There is also nothing that a webhost can do to stop spam or virus mails from wrongfully claiming that they came FROM your email address.

The most you can probably do about this is to go to Spamcop and report the spam, and just delete the virus mails and the bounce messages that may be coming to you as the purported sender.

The most annoying part of having someone forge your email address in the FROM field of their outgoing spam is that non-delivery and other bounce notifications will be returned to you, because the undeliverable messages appear to come FROM your address.

There are a couple of ways to avoid receiving those. If the username part (left of the @ symbol) of the forged FROM address is not a mailbox that you set up in your Control Panel, then you are receiving the unwanted messages through your catch-all forwarding rule (the catch-all rule allows you to receive mail addressed to any address @yourdomain). To stop receiving these messages, you could delete your catch-all rule so that you will no longer receive mail addressed to non-existent addresses @yourdomain. Or, if you want to keep your catch-all rule but just want to disable incoming email for one particular address, you can create a new forwarding rule in your Control Panel for the unwanted address and set it to forward to

If the forged email address is one that is important to you and that you need to receive email at, there is nothing that can be done short of using the Spam Filter in your Control Panel to blacklist the FROM addresses in the undeliverable notices, such as postmaster@*, and then setting the Spam Filter to either delete spam automatically or move it into another folder automatically. However, this is not recommended, because messages FROM those types of addresses are often important and most of the time you will want to receive them.
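The triage described above can be scripted before you change any rule. The following is an added example, not part of the original FAQ or the host's tooling: it sorts messages into bounces that arrived only through the catch-all rule and bounces addressed to a mailbox you actually use. The domain, the mailbox names and the reliance on a `Delivered-To` header are assumptions, and the messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "example.com"               # assumption: placeholder domain
REAL_MAILBOXES = {"alice", "sales"}  # assumption: mailboxes set up in the Control Panel
BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}

def is_bounce(msg):
    """True for a delivery status report, a null return path, or a daemon sender."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender.split("@")[0] in BOUNCE_SENDERS

def triage(raw):
    """Classify one raw message by the address the bounce was sent to."""
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    # Delivered-To is added by many delivery agents; fall back to To if absent.
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    local, _, domain = rcpt.partition("@")
    if domain != DOMAIN:
        return "other-domain"
    return "real-mailbox" if local in REAL_MAILBOXES else "catch-all-backscatter"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "forged-random": "Return-Path: <>\nFrom: MAILER-DAEMON@mx.recipient.invalid\n"
                     "To: qx7z1@example.com\nSubject: Undelivered Mail\n"
                     "Content-Type: multipart/report; report-type=delivery-status;"
                     ' boundary="b"\n\n--b\nContent-Type: text/plain\n\nUser unknown\n--b--\n',
    "forged-real": "From: postmaster@mx.recipient.invalid\nTo: alice@example.com\n"
                   "Subject: Delivery failure\n\nUser unknown\n",
    "normal": "Return-Path: <bob@customer.invalid>\nFrom: bob@customer.invalid\n"
              "To: sales@example.com\nSubject: Quote request\n\nHello\n",
}

def run_samples():
    return {name: triage(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

A large share of `catch-all-backscatter` verdicts means removing the catch-all rule will stop most of the noise; `real-mailbox` verdicts are the case where filtering on postmaster-style senders would also hide bounces you want to see.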

Last update: 2011-03-16 15:04
Author: FAQ Admin
Revision: 1.3


Comment of Anonymous:
There is nothing even Kevin Mitnick can do about this.

Neither the FROM nor TO addresses in emails have anything to do with who an email is from or who it's to. Anyone, or any virus, can put whatever they want in those fields before sending out any email. That's just how email is.

In the case of viruses, there are millions of people who have the latest virus that is causing this. It does no good to track down any of those people and ask them to fix their computers. They either don't know how to fix their computers or their computers are running unattended.

In the case of people who do this intentionally, there is no point in trying to find them either because they usually launch their mails from Korea or other places that won't cooperate with any investigations. Besides, if you get them shut down at one ISP, they start up again in 15 minutes blasting out the same thing from a new ISP.

You can waste a lot more of your time trying to figure it out than it takes the perpetrator to maintain the attack.

That is why it is a waste of time to look at the headers or to try to figure anything out about the mails. They are just a nuisance and should be deleted.
Added at: 2004-02-01 20:37

Comment of Anonymous:
I respectfully disagree.

In the case of viruses, I have had good luck tracking down the owners of the IP addresses in the headers, and letting their admin of record know they have an infected user. We now get very, very few viral emails, and I can immediately notice even numerically small spikes. I would say that we get viral email from less than half a dozen infected systems, and fewer viral emails in an average week than we have users.

In addition to being able to immediately tell when we started getting fresh spew, I reason that once someone knows they have gotten infected, they can be more careful in the future. Can I prove that? No. But it stands to reason that if they don't find out, they likely won't be more careful later. We had one sender who was infected with no less than three different viruses, until their ISP finally contacted them. I want to avoid seeing that.

I also figure that we are not the only recipients in their address book. By taking just the few minutes to do this, I'm doing others a favor as well.

I just wish virus fighting was as mainstream as fighting spam. But there's nothing like spamcop for trying to eliminate infected users. But there could be, and should be.

Aren't you glad your fire department doesn't take the laissez faire approach to fires? ;-)
Added at: 2006-07-13 10:01