Software Consulting Tornado Icon Software Consulting Tornado Icon

It Wasn't Me!

I don't send spam, vermin (viruses, worms, trojan horses), or any other forms of UBE or UCE, sometimes called UBM or UCM (substitute "Mail" for "Email" in the acronyms). But you might think I send such mail if you innocently trust information in such email you might receive.

Since early 2003, a deluge of UBE has been delivered to a huge number of recipients with an envelope sender, "From:", or "Reply-to:" address having a domain name of, which is the domain name of this web site.

In fact, all spam and vermin appearing to come from this domain are forgeries; they actually come from somewhere and someone else not under my control. Sometimes these are called "joe jobs"; in some cases, they are referred to as "phishing scams", especially when the message contains forged URLs or other contact information that might convince an unsuspecting recipient to provide personal information or other valuables to the actual originator rather than to the forged originator.

These forgeries are akin to notes or letters written by A, addressed and sent to B, but with return addresses (or "From:" headers) saying they were written and/or sent by C, yet without C's permission. They might appear to use C's letterhead, include C's contact information, or even include contact information that appears to be C's but in fact belongs to an agent for whoever is doing the forgery.

(For example, if C's address is widely known to be "P.O. Box 1972, Lincoln, NE", a clever forger might obtain a similar box number and advertise that, in the hopes that unsuspecting recipients deliver valuables to, for examples, "P.O. Box 1792, Lincoln, NE" or "P.O. Box 1972, Lincoln, ND".)

In such cases, C has no ability (even if C has the knowledge) to prevent A from sending such communications; the onus is on recipients, such as B, to not assume that C sent the message, regardless of the claim on the message itself or made by A. (This is true regardless of whether A claims to merely be passing along a message from C as a trusted intermediary, or convinces an intermediary that B actually does trust to relay the message to B as if it originally came from C, which is easy to do if that trusted intermediary does not authenticate the return address.)

C cannot and should not be in any way held responsible for the fact that such forgeries are occurring, unless C also agrees to accept the authority to take action to stop it. (An example of such authority to stop forgery is that which is granted publishers of monetary currency, such as the US Government.)

For now, the only such authority I have accepted is to publish SPF information for my domains, although few SMTP relays or servers actually use that information to reject forged email (which is probably best, as I don't recommend SPF for that purpose).

With Internet mail, the envelope sender (usually shown as "Return-Path:"), "From:", and "Reply-To:" addresses, contained within the full headers of spam or vermin email, are rarely authenticated before email reaches your mailbox. Proposals (such as SPF and DomainKeys) have been made to address this, and have been partially implemented, but they are imperfect, and risk making Internet mail less flexible, less useful, and less reliable.

False return addresses are forged sometimes to conceal the identity of the actual senders, always to avoid the huge number of delivery-failure reports and abuse complaints that would ordinarily result from sending out vast quantities of UBE. So those reports and complaints are delivered to, or made about, whoever actually "owns" the forged addresses — such as myself in the cases of these "joe jobs" — despite their having not been involved in the forgeries being circulated in the first place.

(You might wonder why people advertising a product for you to buy would nevertheless forge their return addresses, when potential customers might use them to request further information on, or order, a product. Indeed, many spammers need you to be able to buy a product from them, but not all of them do — some are merely proselytizing a point of view — and vermin authors usually have no such need for their vermin to provide useful return addresses. Meanwhile, the spammers who want potential customers to contact them usually prefer to provide contact information via the spam itself, such as URLs or phone numbers, which they assume will be used mostly by people genuinely interested in their products.)

If you are interested in tracking the perpetrator of any spam or vermin you have received, an Internet search engine can help you find a number of resources with information about finding out who has really sent you the spam or vermin.

There is no need to tell me you received any such forgeries; I get enough email telling me about this already!


Copyright (C) 2004, 2006 James Craig Burley, Software Craftsperson
Last modified on 2007-07-10.