Yes, it's Yet Another Posting About Spam.
After my previous two postings this week, I promised myself "¡No más!" Nobody wants to read this stuff. Let me instead try to write something that actually hasn't been said a thousand times before.
But this morning when booting up my machine, instead of the hundred-and-something emails I normally expect, I got several thousand. Here's why:
Almost all spam is intended to persuade the recipient to visit a web site. For that reason, the From and (optionally) Return-Path headers are really irrelevant. To make the email appear more authentic, however, often these headers contain email address fabricated from an existing domain name, for example, MisterMxyzptlk@charlespetzold.com. That appears to be a valid email address because the domain name exists, but in reality the only person who works here is me, and that's not my name.
At about 1:45 this morning, somebody sent out a bunch of spam with From and Return-Path headers containing email addresses based on my domain name. At 1:46 AM I began receiving failure notices for unfindable To addresses, later mixed in with spam-blocker bounces and auto-responders. At 1:48 AM my ever-diligent ISP (RoadRunner) sent me a "You are Over Quota" email.
So, the thousands of emails I received while I was sleeping weren't pieces of spam to me; they were all bounces in response to spam that appeared to be from me. Many more thousands, I'm sure, got through, and this morning people all over the world are deleting emails that appear to be from someone at charlespetzold.com. What can I do about it? Not a damn thing.
As the Wikipedia entry on email authentication reminds us, SMTP "was designed in an era when users of the Internet were mostly honest techies who expected others to be equally honest." That is no longer the case, of course, and it hasn't been for many years. It is simply unfathomable that we still have a system where anybody can send out an email with From and Return-Path headers that do not identify the actual sender.