It may have happened to you already: You get an email from a colleague or close friend asking why you’re suddenly spamming them. They seem upset (or at least confused); “did I do something to make you mad?” You attempt to assure them that you in fact did not send them the offending email, but they are adamant. “…The FROM: address is yours!” Your gut sinks. You know you didn’t purposefully send them spam, so someone must have hacked into your mailbox and destroyed your electronic life, right?
The fact is, there are still lots of email servers on the internet that will blindly relay mail without thinking twice about its source or destination. Some of this is a holdover from the early days of the internet when information security was based on the honor system, but most of it is improper security configuration. Without extra steps taken for security, many out-of-the-box mail systems are easily exploited by spammers.
At Georgetown College, our mail systems are tightly secured both internally and by our email provider, Microsoft Office 365 for Education. In order for mail to be sent at GC, it has to be verified as originating from a valid GC email address or server. If this verification fails, the mail is simply not delivered.
Unsecured mail servers (often known as “open relays”) do not check the validity of the sender or recipient. They simply take the sender’s word for it and pass along the message, just happy to be in the game. Spammers exploit this vulnerability by supplying forged or phony “FROM:” email addresses to avoid detection.
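The following added example (not part of the original article) shows how the headers of a complaint message can be checked to see whether it really passed through the claimed sender's mail servers. The sample headers, host names, addresses and function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (all hosts and addresses are placeholders).
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example>
Received: from relay.open-relay.example (relay.open-relay.example [203.0.113.25])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.college.example (unknown [198.51.100.7])
\tby relay.open-relay.example with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: Jane Doe <jane.doe@college.example>
To: friend@recipient.example
Subject: Great deal

body
"""

def domain_of(value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def handoff_host(msg, recipient_mx):
    """Host that delivered to the recipient's own server.

    Only the Received line written by recipient_mx is trustworthy; anything
    an earlier relay recorded (such as the 'mail.college.example' claim in
    the sample) is just what the sender told it.
    """
    for hop in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", hop, re.S)
        if m and m.group(2).lower() == recipient_mx:
            return m.group(1).lower()
    return None

def check_sender(raw, recipient_mx, org_mail_suffixes):
    """Compare the visible From: domain with how the message actually arrived."""
    msg = message_from_string(raw)
    host = handoff_host(msg, recipient_mx)
    via_org = bool(host) and any(
        host == s or host.endswith("." + s) for s in org_mail_suffixes)
    return {
        "from_domain": domain_of(msg["From"]),
        "envelope_domain": domain_of(msg["Return-Path"]),
        "handoff_host": host,
        "sent_via_org_servers": via_org,
    }

if __name__ == "__main__":
    print(check_sender(SAMPLE, "mx.recipient.example", ["college.example"]))
```

A FROM: domain that matches the organization while `sent_via_org_servers` is false is the pattern described above: the address was borrowed, but the message never touched that organization's mail system.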
How the spammers devise their “cover” email varies. Some are created randomly; if you’ve ever received an email from an address like “firstname.lastname@example.org”, that’s probably how it was created. Some are stolen from the address books of compromised mailboxes or computers. The more sophisticated spammers, however, like to “scrape” valid email addresses from websites. They have special software that scans websites for pages that contain email addresses. They then store these email addresses for future use in their spamming efforts. Because of this, you see many websites opting not to disclose email addresses at all on public pages.
In summary, just because your email address has somehow wound up in some spammer’s database doesn’t necessarily mean that your computer or mailbox has been compromised. Securing your mailbox with complex passwords and changing your password frequently goes a long way to prevent hackers from gaining access to your mail.
If, however, you’ve read this and still suspect that your mailbox may be compromised, please do not hesitate to contact the ITS helpdesk!