Getting spam from yourself? We all do. I’ll look at why it happens; what, if anything, you can do about it; and something unlikely but important to check.
I get email from:
where “email@example.com” is someone I don’t know, but “firstname.lastname@example.org” is, in fact, my email address. It as if I was getting spam from myself, but I did not send it.
How do I stop these emails from coming into my box? It’s usually for drugs or financial services that I don’t need or would never be interested in. How can they use my own email? I can’t block them as it says it is illegal to block my own email.
What you’re seeing is called “spoofing” (or more correctly “From: spoofing”): sending email that appears as if it’s coming From: someone that it isn’t. Spammers hide where their emails originate, and do so very effectively. Spoofing is used in just about every bit of spam you see today.
And it’s actually quite easy.
The From: address is meaningless on spam – it tells you absolutely nothing. There’s nothing in email protocol that actually requires or checks that what appears on the From: line of a message actually has anything to do with the message’s true origin. To discover the true origin requires more detailed analysis of the email headers, and even then, at best you might be able to get the IP address of the computer sending the email. And as I’ve discussed ad nauseam, the IP address is pretty much useless to you and me.
The fact that you’re seeing your email address used in the From: field shouldn’t alarm you. It might be annoying, but there’s no need to worry about it. You’re already on spammer’s lists to get spam, and they’re using that same list, or variations of it, to select which addresses to use when spoofing. Currently, there is no effective way to stop them.
Why you’re getting it
When you see your own address spoofed in the From: field of spam, it’s happening for one of two reasons:
They’re trying to spam you, and know that it’s unlikely you’ll block email from yourself. In fact, as you’ve seen, it’s not even always possible – but I’d consider it a bad idea, even if you could do it. It would prevent certain types of legitimate email from reaching you.
They’re trying to spam someone else, and what you’re seeing is a bounce message indicating that the original spam was rejected by its intended recipient. Since the email looks like it came From: you, you get the bounce message.
Now, as to why the “email@example.com <firstname.lastname@example.org>” where the two email addresses don’t match, or the more common “Name <email@example.com>”, where the name is obviously unrelated to the email address, I can only speculate. My guess is that it’s either intentional confusion to boost the chance that recipients will open the email, or a side effect of the tools spammers use that may not be able to put together a proper name/email address pair.
What to do about it
First, realize there’s nothing you can do to prevent From: spoofing. Spammers can put whatever they like in the From: line. If they want to put your email address there, they can.
Eventually, your email address is going to show up in the From: field of spam you had nothing to do with. In fact, as you’ve seen, it probably already has. The good news is that most automated spam filters realize the uselessness of the From: line, and probably won’t start blocking the email you send because some spammer happens to be using your address. Naturally, some people might not realize this, and they could try blocking you, but given that spammers spam everyone, the chances that it’s someone you know or care about is actually pretty slim.
The only thing you can do is to keep doing whatever it is you do to control spam. Typically that means marking spam as spam and moving on with your life.
The one thing to watch for
I want to be clear, questioner: since you’re able to log in to your own account to get your mail, what I’m about to caution you about is not very likely.
But it is possible.
Sometimes you’ll get spam from yourself if your account has been hacked. Now, like I said, you are able to log in to your account, so if your account is hacked, the hackers didn’t change the password. That happens, but it’s unusual. Normally a hacked account means you can’t log in to begin with.
Nonetheless, it’s something to be aware of, and perhaps check. For example, check the Sent Mail folder to see if there are messages you didn’t send.