On this previous page, I discussed that spammers
had been impersonating our company...but how do they do this?
While some Unsolicited Email senders take credit for their own activity,
there have been a number of occasions when Spam has been sent by unscrupulous
individuals who have impersonated our company.
How can this happen?
This can happen because Internet Email is handled much in the same way
U.S. postal mail is processed - with no requirement for identification
when you send mail.
As with the U.S. postal system, Internet Email relies on post offices
(servers) that collect, hold, and distribute Email sent by your Email application
(client). These Email post office servers are provided by Internet Service
Providers (ISPs), and by other computer geeks like us, and they run around the
clock waiting for you to drop off your mail, 24 hours a day!
What Internet mail post office server are you using?
Look in your mail application's preferences for an "SMTP" (outgoing) server. If
none is configured, your application is probably handing mail to the same server
it picks mail up from, your "POP" or "IMAP" server, which usually lives at the
domain after the "@" sign in your Email address. Some proprietary systems, like
AOL, may hide the post office name(s) from you - but they still exist (for
example, one random AOL message's "Received:" header lists "rly-yc01.mail.aol.com",
an AOL mail server).
Email is anonymous!
Individuals give mail to a post office, and the post office delivers
to the recipient. As with the U.S. post office, essentially anyone can
send mail via any post office, using whatever content and return address
they want (if they know how). As a result, it is possible for unscrupulous
individuals to send fraudulent mail which is hard to track down.
Much the same as with a Post Office Box, users are required
to provide a key to pick up their electronic mail (computers use "password"
keys). However, no password key is required to send Email, any more than a
key is required to drop a letter in a U.S. mailbox.
This basic "no password required to send mail" weakness of the Email
"Simple Mail Transfer Protocol (SMTP)" sending language, used both to transfer
your mail from your Email application client to the Internet Email post
office servers and to pass it from one post office to the next, is at the heart
of the fraudulent mail problem. Even where a post office demands a password from
its own users before accepting outgoing mail, the post-office-to-post-office hop
has no such check, so a forged message can be injected at any post office that
will accept it and looks much like any other piece of mail by the time it reaches you.
Of course, it is illegal to send fraudulent mail using the U.S. postal
system...but how do you track and prosecute the criminals? The same problems
exist in the computer world. Some Internet Service Providers have implemented
creative investigative techniques, such as this example,
but these may be too intrusive.
If you consider this direct and accurate analogy, it should be apparent
how individuals can send fraudulent Email, exactly the same way the Unabomber
sent dangerous packages.
How Can You Trace The Spammer?
Just like the postmark on U.S. postal mail, there is almost always some
information contained in an Email message header that indicates which post
office it was dropped at (the "Received:" lines). But, the original "no key
required to send" problem means that it is almost impossible to verify who
"dropped it" in the mailbox: the "From" and "Reply-To" lines are whatever the
sender chose to type. And, since most post office systems are used by many
individuals, the possibility of catching these criminals is reduced to the
same level as with the U.S. post office. On the other hand, there are sometimes
creative ways SOME post office providers can trace mail (perhaps at the expense
of all our privacy), so you might let them know so that they can investigate.
Here is an example.
The bottom line is that the only real way to trace spammers is via the
content of the message - what they sell. This involves real world investigative
efforts. So, the whole process is reduced to the same real-world expensive
investigative solutions we are already used to, followed by expensive
litigation. An automatic "electronic" solution does not cut it, and it's more
likely to hurt innocent parties.
What do some Internet Service Providers (ISP) do?
One helpful possibility is that some creative rules can be applied by
computer post office systems that help reduce "relay" of fraudulent mail
(despite not having password authentication). These include relaying only
mail whose sender address is in specified domains (like "@aol.com"), or relaying
only for senders connecting from specific areas of the Internet (the provider's
own address ranges). Note that the first rule is only as strong as the sender
address, which the sender types in, while the second rests on the network
address of the connection, which is much harder to fake.
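The two points above (no password is needed to hand a post office a message with any sender you like, and relay rules can still refuse to carry it onward) are easier to see in a tiny simulated SMTP receiver. This is an added example written for this page, not code from Jump Development Group's or any ISP's post office; the host names, addresses, network ranges and the forged session are made up, and the "policy" names are my own labels for the two kinds of rule described.

```python
"""Simulated SMTP receiver: why "no password required to send" lets a stranger
inject mail with any sender they like, and what the two relay rules buy you.

Added example for this page; not code from Jump Development Group's or any
ISP's post office. Host names, addresses and network ranges are made up.
"""
import ipaddress
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.com"}                             # assumed: domains we deliver for
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: our own dial-up/LAN range

@dataclass
class Session:
    client_ip: str
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    data: str = ""
    transcript: list = field(default_factory=list)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def relay_allowed(session, rcpt, policy):
    """Decide one RCPT TO under a relay policy: 'open', 'by_sender_domain' or 'by_network'."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return True, "local delivery"              # mail *to* our users is always accepted
    if policy == "open":
        return True, "open relay"                  # the classic spam-friendly setting
    if policy == "by_sender_domain":
        # Weak: MAIL FROM is unauthenticated, so a forged local sender passes this test.
        if domain_of(session.mail_from) in LOCAL_DOMAINS:
            return True, "sender claims a local domain"
        return False, "relaying denied: foreign sender to foreign recipient"
    if policy == "by_network":
        # Stronger: the client's IP address comes from the TCP connection, not from the client.
        if any(ipaddress.ip_address(session.client_ip) in net for net in TRUSTED_NETWORKS):
            return True, "client on a trusted network"
        return False, "relaying denied: client outside trusted networks"
    raise ValueError("unknown policy: " + policy)

def smtp_session(client_ip, commands, policy):
    """Feed client command lines to the simulated server and return the Session.
    There is no AUTH step: MAIL FROM and the headers in DATA are taken at face value."""
    s = Session(client_ip)
    s.transcript.append("S: 220 mail.example.com SMTP")
    in_data = False
    for line in commands:
        s.transcript.append("C: " + line)
        if in_data:                                # message text until a lone "."
            if line == ".":
                in_data = False
                s.transcript.append("S: 250 queued")
            else:
                s.data += line + "\n"
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply = "250 hello " + arg
        elif verb == "MAIL":
            s.mail_from = arg.split(":", 1)[1].strip("<> ")
            reply = "250 sender ok"                # anyone may claim any sender
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            ok, reason = relay_allowed(s, rcpt, policy)
            if ok:
                s.rcpt_to.append(rcpt)
            reply = ("250 recipient ok, " if ok else "550 ") + reason
        elif verb == "DATA":
            in_data = bool(s.rcpt_to)
            reply = "354 end with ." if in_data else "503 no valid recipients"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "500 unrecognised command"
        s.transcript.append("S: " + reply)
    return s

# Constructed forged session: a stranger at 203.0.113.7 claims to be one of
# our users and asks our post office to relay to a victim elsewhere.
FORGED = [
    "HELO spammer.invalid",
    "MAIL FROM:<someone@example.com>",
    "RCPT TO:<victim@other.example>",
    "DATA",
    "From: Someone <someone@example.com>",
    "Subject: great offer",
    "",
    "Buy now.",
    ".",
    "QUIT",
]

def accepted_recipients(client_ip, commands, policy):
    """Recipients the server agreed to deliver or relay to under the given policy."""
    return smtp_session(client_ip, commands, policy).rcpt_to

if __name__ == "__main__":
    for policy in ("open", "by_sender_domain", "by_network"):
        print(policy, "->", accepted_recipients("203.0.113.7", FORGED, policy))
    print("\n".join(smtp_session("203.0.113.7", FORGED, "by_network").transcript))
```

Run it and the forged session is relayed under both the "open" and the "by_sender_domain" policies, because the only thing the sender-domain rule checks is a line the stranger typed; only the network rule refuses it, and a genuine user dialing in from the trusted range is still relayed. Mail addressed *to* a local user is accepted in every case, which is exactly why the forged "From" messages the page complains about still land in our mailboxes.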
Other ISPs think that they know which mail is "junk" mail, and thus
apply filters to stop this mail from getting through. I certainly hope
you agree with their definition of what constitutes junk mail. Microsoft
was legitimately prosecuted for mistaking some mail as junk in this
case.
Unfortunately, even when one applies the maximum set of creative rules
at one's own post office, one cannot stop individuals from sending
forged mail from other post offices. Moreover, employing the maximum set
of creative rules is impractical (too restrictive) for most post offices,
and thus the lack of "password" protection means mail can always be
impersonated somewhere. So, the best hope is to encourage all post office
services to employ as many "relay" reduction rules as possible, while
remembering that the real crime is perpetrated by the actual mail sender.
What do some users do?
Some people use automatic "filters" to pick out suspected "junk mail"
so that they don't have to read it. This is just like asking the mailman
not to deliver any "junk mail" to your house...I hope you and the mailman
agree on what constitutes "junk mail". Microsoft was legitimately prosecuted
for mistaking some mail as junk using Internet Explorer 5.0 email filters
in this case.
Most mail reading programs provide "filters" that you can set up, and
many mail providers have ways to set up your mail so that "bad" mail is
automatically filtered. Should you be willing to accept the fact that
you might not get legitimate mail should a filter mis-fire, then you might
consider this technique.
Catch-22, the double edged sword!
The problem with the solutions listed above is that these rules can
also restrict legitimate mail. The fact is, a happy medium has to be struck
between restriction and protection. On the one hand you might apply too
many restrictions and thus damage legitimate email (as Microsoft was legitimately
prosecuted for in this
case), while on the other you may successfully locate fraudulent mail senders
and prosecute them (as AOL legitimately did in this
case). A careful balance is required.
So take care in your actions to fight spam.
If you don't like "filter" methods, what can be done?
At Jump Development Group we apply as many rules as possible staying
within guidelines required by our legitimate post office users. We suggest
that if you require further protection, you should examine individual mail
headers for "bad" mail that you receive and carefully investigate (as AOL
legitimately did in this
case).
The bottom line here is that if you want to find out where mail came
from, the only legitimate information to examine is the "Received:" line(s)
in the mail header. In doing so, you must be careful to examine only the
"real" header lines: each post office adds its own "Received:" line at the top
when it accepts the message, so the lines written by your own post office (the
topmost ones) can be trusted, while everything below them arrived inside the
message, and individuals could type fraudulent "Received:" line(s) into their
message to confuse you. AOL does a good job of describing this issue on their
page here
(alternate).
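The header-reading procedure just described (and the "which post office was it dropped at" question from the tracing section above) can be automated for the common "from ... by ..." shape of "Received:" lines. This is an added example written for this page, not code from the page, from AOL, or from Jump Development Group; the trusted host list, all host names and addresses, and the sample message header are constructed for illustration.

```python
"""Walk the "Received:" lines of a message header from the top down, find the
host that actually handed the message to our post office, and flag the lines
below that our server did not write (which the sender could have typed in).

Added example for this page; not code from the page, from AOL, or from Jump
Development Group. Host names, addresses and the sample header are constructed.
"""
import re

TRUSTED_HOSTS = {"mail.example.com"}   # assumed: the post office server(s) we run ourselves

# "from <host> (<comment with [ip]>) by <host> ..." is the common shape; other layouts are not parsed.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
                         re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(raw):
    """Split raw message text into (name, value) pairs, joining folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_received(value):
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("paren") or "")
    return {"from": m.group("from"), "by": m.group("by"), "ip": ip.group(1) if ip else None}

def trace(raw, trusted_hosts=TRUSTED_HOSTS):
    """Return the entry host/IP as recorded by our own server, plus a verdict per hop.
    Only lines whose 'by' host is ours are trustworthy; the lowest such line names
    the machine that really connected to us. Everything below it arrived inside the
    message and is hearsay, so we only check whether each line links to the one above."""
    hops, entry, prev_from, in_trusted = [], None, None, True
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        hop = parse_received(value)
        if hop is None:
            in_trusted = False
            hops.append({"raw": value, "verdict": "unparseable"})
            continue
        by = hop["by"].lower()
        if in_trusted and by in trusted_hosts:
            hop["verdict"] = "written by our server"
            entry = hop
        else:
            in_trusted = False
            if prev_from is None:
                hop["verdict"] = "unverified: top line not written by a server we run"
            elif by == prev_from:
                hop["verdict"] = "unverified (links to hop above)"
            else:
                hop["verdict"] = "suspect: does not link to hop above"
        prev_from = hop["from"].lower()
        hops.append(hop)
    return {"entry_host": entry["from"] if entry else None,
            "entry_ip": entry["ip"] if entry else None,
            "hops": hops}

# Constructed sample: our server wrote the top line; the relay's line links to it;
# the bottom line claims a hop that the line above does not mention (typed by the sender).
SAMPLE_HEADER = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mail.example.com with SMTP id abc123; Mon, 4 Jan 1999 10:00:00 -0500
Received: from dialup-77.isp.example (dialup-77.isp.example [198.51.100.77])
    by relay.isp.example with SMTP; Mon, 4 Jan 1999 09:59:00 -0500
Received: from mail.bigisp.example (mail.bigisp.example [203.0.113.9])
    by smtp.bigisp.example with SMTP; Mon, 4 Jan 1999 09:58:00 -0500
From: somebody@bigisp.example
Reply-To: somebody@bigisp.example
Subject: great offer

body text
"""

if __name__ == "__main__":
    result = trace(SAMPLE_HEADER)
    print("handed to us by:", result["entry_host"], result["entry_ip"])
    for hop in result["hops"]:
        print(hop.get("from"), "->", hop.get("by"), ":", hop["verdict"])
```

The only hard fact this recovers is the entry host and address that our own server recorded; that is the post office (or dial-up line) to report to its provider. The "From", "Reply-To" and the bottom "Received:" line are exactly the kind of sender-typed text the page warns about, and the chain check makes the mismatch visible without trusting any of them.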
Because anyone can send mail without needing to prove who they are,
technologically savvy individuals (it doesn't require much) can send mail
that appears to come "From" any other individual. That means us...or you.
Then, we get all the replies: undeliverable messages, and responses from
casual recipients.
Considering all this information, please take care when evaluating the
source of "Spam" Email you may get, and take care when acting. At Jump
Development Group, we have been impersonated
a number of times, and improperly berated by spam recipients. We do
not endorse the vigilante techniques employed by some individuals to fight
spam; but if you are going to get involved in these, then please take care
to consider the issues of fraudulence discussed here, and avoid harming
innocent parties.