Spyware Question
#25314 03/10/13 08:34 AM
ryck (OP)
Joined: Aug 2009
Likes: 14
I have received a couple of emails, using the names/email addresses of different people I know, that did not come from those people. I am assuming it's due to the kind of spyware that comes embedded in "pass on" emails that spammers send around and which harvest email lists from the address books of recipients.

In both cases I recognized that the emails were likely fake (they used salutations my friends would not have used) and I advised the people whose emails were being used.

A question has arisen. Do these people have further concerns such as this spyware looking at anything else, something more sensitive (e.g. passwords)? Do they actually leave anything on the drives or do they just "pass by" embedded in the "pass on" emails?


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Sonoma 14.4.1
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Spyware Question
Virtual1 (in reply to ryck) #25319 03/10/13 07:45 PM
Joined: Aug 2009
I was just talking with someone locally about this only last week.

When a spammer sends, it's to a big list. Due to the rarity of open relays (due to spammer abuse!) bulk emailers deliver (SMTP) directly to the destination's mailserver. To make things efficient, they make one connection and will try to send as much email as possible in one shot. So one message to 30 people for example. They all need to be addresses local to that server.

So when the spambot connects, it sends one message CCd to everyone @thatdomain in one message.

Most mailservers require something in the FROM field. Since most spam contains either viruses or clickable links, it's not intended to be replied to, so anything in FROM that's acceptable to the mailserver will do. To avoid filters, they sometimes pick one of the people in the TO/CC. So the email will appear at first glance to have been sent by a local user.

And anyone who replies will be replying to them. BUT if any of the recipients they are CC'ing do not exist, the mailserver will display an error for those addresses and the message will only be sent to valid local accounts. This message is sent during the connection, before the body of the message is sent to the relay. The spambot software ignores the bounce errors, sends the body, and disconnects, and no additional traffic occurs as a result.

If the spammer is NOT sending directly, things can get ugly. If they have access to an open or abusable/paid relay, they will dump mail into there to be forwarded all over. The relay will contact destination mailservers, and invalid recipients will "bounce" as above, but this time they're bouncing to the relay. And the relay will then forward the bounce message to the sender, since the sender (the spambot actually) is no longer connected. Which was the address the spammer put in the FROM field. So that unlucky person gets the bounces. (if it's a valid address)

This is called "backscatter spam". It can happen in several degrees. If the spambot changes up the FROM for every send batch (~50 destinations), you might not get any, or maybe a couple. If it uses the same address for EVERY send in that batch, the FROM may get quite a bit (possibly hundreds) of bounces. In the worst cases, the software remembers the FROM and does not mix it up, and the FROM may find themselves getting nailed with wave upon wave of backscatter, possibly for months. There isn't any way to prevent it short of changing your email address, or making sure the spammers don't get it to begin with. If you start receiving it, all you can do is set up rules to auto delete it.

Backscatter spam can also have a delayed effect of 3-7 days. During this time the relay has queued up emails that could not be delivered because the recipient's mailserver was down. After many attempts, they time out and a bounce is sent to the FROM address to indicate non-delivery due to timeout.


I work for the Department of Redundancy Department
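The two delivery paths in the post above, modelled as an added example (not code from the thread or any of its posters): direct-to-MX delivery where bad recipients are refused in-session and nothing comes back, versus relayed delivery where the relay turns each refusal into a bounce to the forged From address. The domains, addresses, Message-IDs and the `is_backscatter` filter rule are all constructed for illustration.

```python
"""Constructed model of the two spam delivery paths described above (added example,
not code from the thread). Domains, addresses and Message-IDs are all made up."""

# Constructed: the only mailboxes that exist on the destination server for example.org
LOCAL_ACCOUNTS = {"alice@example.org", "bob@example.org"}


def destination_mx(rcpts):
    """RCPT TO handling at the destination: unknown users get a 550 in-session,
    so whoever is connected sees the error and no bounce message is ever created."""
    accepted = [r for r in rcpts if r in LOCAL_ACCOUNTS]
    refused = {r: "550 5.1.1 user unknown" for r in rcpts if r not in LOCAL_ACCOUNTS}
    return accepted, refused


def spambot_direct(forged_from, message_id, rcpts):
    """Spambot talks straight to the destination MX, ignores the 550s, sends DATA to
    the accepted recipients and disconnects. Nothing ever reaches forged_from."""
    accepted, _refused = destination_mx(rcpts)
    return {"delivered": accepted, "bounces": []}


def spambot_via_relay(forged_from, message_id, rcpts):
    """Spambot dumps the message on a relay and disconnects. The relay accepts every
    recipient, forwards to the destination MX, and turns each 550 into a DSN addressed
    to the envelope sender, i.e. the forged From address: backscatter."""
    accepted, refused = destination_mx(rcpts)
    bounces = [
        {"to": forged_from, "original_message_id": message_id,
         "undeliverable": r, "reason": why}
        for r, why in refused.items()
    ]
    return {"delivered": accepted, "bounces": bounces}


def is_backscatter(dsn, my_sent_message_ids):
    """Filter rule for the person whose address was forged: a DSN quoting a
    Message-ID you never sent is backscatter and can be auto-deleted."""
    return dsn["original_message_id"] not in my_sent_message_ids


if __name__ == "__main__":
    batch = ["alice@example.org", "nobody@example.org", "old-user@example.org"]
    forged = "alice@example.org"  # spambot picks one of the recipients as the From
    print(spambot_direct(forged, "<spam-1@bot.invalid>", batch)["bounces"])  # []
    relayed = spambot_via_relay(forged, "<spam-1@bot.invalid>", batch)
    print(len(relayed["bounces"]))  # 2
    print([is_backscatter(b, {"<real-1@example.org>"}) for b in relayed["bounces"]])  # [True, True]
```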
Re: Spyware Question
tacit (in reply to ryck) #25325 03/10/13 09:18 PM
Joined: Aug 2009
Likes: 1
I've seen a ton of spam lately with fake "from" fields of people I know. Like you, I assumed that friends of mine were getting infected with malware that lifted their contact lists.

Then I noticed that the From: emails were sometimes people I knew but never sent email to.

So I started looking more, and realized that the From: addresses were all from Facebook friends. Rather than spyware or malware, it seems that the spam lists are being harvested from public email addresses of public Facebook friends.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Spyware Question
ryck (OP, in reply to Virtual1) #25328 03/10/13 10:47 PM
Joined: Aug 2009
Likes: 14
Originally Posted By: Virtual1
I was just talking with someone locally about this only last week.

Thanks for a fulsome reply...it took a couple of reads but I think I "get it" now.

Originally Posted By: Virtual1
To make things efficient, they make one connection and will try to send as much email as possible in one shot. So one message to 30 people for example.

I assume that "as much mail as possible" might vary from ISP to ISP. I sometimes have to send out emails to several hundred people in an association and find that I have to do it in small manageable chunks because the ISPs simply reject giant mailings.


Re: Spyware Question
ryck (OP, in reply to tacit) #25329 03/10/13 10:51 PM
Joined: Aug 2009
Likes: 14
Originally Posted By: tacit
I've seen a ton of spam lately with fake "from" fields of people I know.

Ouch. At least mine have been limited to just a few, so I guess I don't have too much to complain about.

Originally Posted By: tacit
Then I noticed that the From: emails were sometimes people I knew but never sent email to.

That would apply to a couple I received... they're not "never send" but certainly would fit under the heading of "very rarely".

And back to my original concern, are these spambots that collect addresses just passing through, or are they capable of looking at more sensitive information?


Re: Spyware Question
joemikeb (Moderator, in reply to ryck) #25332 03/10/13 11:48 PM
Joined: Aug 2009
Likes: 16
Originally Posted By: ryck
I assume that "as much mail as possible" might vary from ISP to ISP. I sometimes have to send out emails to several hundred people in an association and find that I have to do it in small manageable chunks because the ISPs simply reject giant mailings.

Most small and medium sized organizations today use commercial mailing services such as Constant Contact to handle their batch mailings for that very reason. As a side benefit, using these commercial services avoids the annoyance of your email or URL being identified as a potential spammer and blacklisted by the ISPs.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Spyware Question
ryck (OP, in reply to joemikeb) #25335 03/11/13 01:37 AM
Joined: Aug 2009
Likes: 14
Originally Posted By: joemikeb
Most small and medium sized organizations today use commercial mailing services such as Constant Contact to handle their batch mailings for that very reason.
Thanks for the tip. I'll check it out.


Re: Spyware Question
tacit (in reply to ryck) #25336 03/11/13 02:59 AM
Joined: Aug 2009
Likes: 1
Just passing through. The spam messages aren't harvesting your contact list, if that's what you're worried about.


Re: Spyware Question
Moderator (in reply to ryck) #25350 03/11/13 08:53 PM
Joined: Aug 2009
A branch of this thread discussing the word "fulsome" has been detached and moved to the Lounge so the discussion can continue there.

See A Fulsome Reply


Back up everything you can't afford to lose: documents, mail, movies, music, photos, and other data and settings.
