Hey, Are You Spamming In Your Sleep?
An anxious AskBob reader says: “Some of my email friends are complaining that I’m sending them spammy emails. I’ve looked in my Sent folder and nothing odd shows up there. How can this be happening? Am I spamming in my sleep? Is it possible that someone has hacked into my email account, or is there another explanation?” Read on for the most likely answers to this mystery...
Are You an Accidental Spammer?
For some reason, that headline triggered a memory from my youth. As a teen, I used to devour every monthly issue of Reader's Digest. At the bottom of the cover page, there was a line that said "Have You an Amusing Anecdote?". If you knew what an anecdote was, and you had an amusing one to share, they'd pay you up to $200 if it was selected to be published. Nowadays, people share jokes for free, via endlessly forwarded emails, which sometimes end up in the Spam Folder. Pardon my digression, at least my slip isn't showing.
Are you getting replies to email messages that you never sent? Friends complaining that you're spamming them? Are you receiving "bounce" messages from email servers about messages to non-existent accounts that you don't recognize? Do you find messages in your junk-mail folder sent from yourself? If any of these things happens to you, you may be an unwitting spammer.
First, your email account may NOT have been hacked. Often, spammers "spoof" their victims by inserting a random email address in the "From" field of their outbound spam. Spammers use mass emailing software that can insert any desired email address as the sender, and pretend to be "you" even if they're half a world away. Modern email spoofing techniques are leveraging advanced AI to craft realistic-looking messages, including personalized phishing attempts that appear more legitimate. This includes the use of generative AI for "deepfake" emails that match your communication style.
Bounced messages that you don't recall sending are probably such spoofs. These spammers are misappropriating your email address, but they don't have access to your email inbox or contacts. They may have gotten your email address from one of those massive data breaches that happen regularly. Or you might have handed it over, by entering a contest, posting it on a message board, or playing a game on Facebook. (Visit Have I Been Pwned? to see if your email address was compromised in a data breach.)
Okay, let's assume the unwanted email is a forgery, and your inbox is secure. Still, that's no reason to relax. You may find yourself on a blacklist if hundreds or thousands of people receive annoying spam ostensibly from your email address. Google's Gmail is one email service provider that authenticates all the mail that is really sent from your address, so that receiving email servers won't block all mail from your address. Spoofing is a form of identity theft, and it should be reported as such to your email service provider. Your email service provider may be able to implement protections for your email address.
If your email address is blacklisted by another email service or internet service provider, you may not be able to send messages to people who use that provider. For example, you might be a Comcast user, and your emails to Mom (who uses Gmail) are being returned with messages like this:
Usually, you can contact the administrators and explain that your address was spoofed. In many cases, they will unblock you. If you can't find an appropriate link in the bounce message or on their website, send an email to "postmaster" at that domain.
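To tell a spoofed message from one that was really sent through your account, ask a friend to forward the suspicious email with its full headers and look at what the receiving server recorded. The following is an added example, not part of the original article: it reads the standard Authentication-Results header and compares the From and Return-Path domains. The sample messages, the example.com / mailer.invalid domains and the verdict labels are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed samples: full headers of two messages that both claim to be
# from alice@example.com, as seen by the recipient's mail server.
SPOOFED = """\
Return-Path: <bulk@mailer.invalid>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none;
 dmarc=fail header.from=example.com
From: Alice <alice@example.com>
Subject: Cheap watches

Buy now
"""

GENUINE = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Alice <alice@example.com>
Subject: Lunch?

See you at noon
"""

def domain(addr):
    # "Alice <alice@example.com>" -> "example.com"
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # get() returns the top-most header: the one added by the recipient's own server
    auth = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    from_dom, rp_dom = domain(msg["From"]), domain(msg.get("Return-Path", ""))
    if results.get("dmarc") == "pass":
        verdict = "authenticated"    # really sent via your domain: suspect the account
    elif results.get("dmarc") == "fail" or from_dom != rp_dom:
        verdict = "likely-spoofed"   # forged From line; your account was not used
    else:
        verdict = "inconclusive"
    return {"from": from_dom, "return_path": rp_dom, **results, "verdict": verdict}
```

Only trust an Authentication-Results header written by the recipient's own mail server; a sender can include a fake one further down in the headers.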
Reporting Unwanted Emails
Here are my recommended steps and resources for reporting spam, phishing and other unwanted messages:
Gmail: Report spam or phishing directly in Gmail by clicking the "three dots" icon in the top right, then choosing the "Report spam" or "Report phishing" option, which sends samples to Google’s anti-abuse teams and partners for filter improvement.
Microsoft Outlook/Office 365: Click the Report button (usually near the top toolbar). From the dropdown, choose "Report junk" to mark as spam or "Report phishing" for suspected phishing emails. Reporting as junk moves the message to your Junk Email folder and adds the sender to your Blocked Senders list. Reporting as phishing deletes the message directly. This sends a copy of the reported message to Microsoft, helping improve spam and phishing filters for all users.
Yahoo & Apple Mail: Similar reporting features are available under “Mark as spam/phishing,” and both companies use submissions to strengthen collaborative spam detection networks.
The Anti-Phishing Working Group (APWG): You can also forward phishing emails to reportphishing@apwg.org. The APWG is a major clearinghouse that shares data with global security partners and law enforcement.
Federal Trade Commission (FTC): Report phishing and scams at ReportFraud.ftc.gov, which aggregates consumer scams for investigation and public alerts.
FBI’s Internet Crime Complaint Center (IC3): File cybercrime complaints (including phishing, vishing, and smishing) at ic3.gov, especially if there is financial loss or sensitive data exposure.
Text Reporting (US/UK): Forward suspicious SMS messages to 7726 (SPAM on most keypads), which routes reports to cellular providers and anti-fraud teams.
Have You Been Hacked?
If your contacts are getting spam from you, then it's possible your email account may have been hacked. The first thing to do is attempt to log in to your email account. Spammers may change a hacked account's password, so if you cannot get into your own account that is a good sign that you have been hacked. You will have to go through the "forgot password" re-authentication process for your email provider, to establish your ownership of the account and regain access.
If you regain control of your email account, the first thing you should do is change all of the user-authentication information. Create a new (hopefully stronger) password, and if available, change the answers to your challenge questions. Even better, turn on two-factor authentication for your account. Did you know that when two-factor authentication is turned on, a third party cannot log in to your account, even if they have your password?
For help creating a secure password, or to learn about two-factor authentication, see my related articles How Hackable is Your Password? and [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts.
If you cannot regain access to your email account, then you will have to abandon it. Create a new email account and start all over again. This is why you should make a backup copy of your contacts (and your emails) on a regular basis. Of course, in either case you will also have to explain to all of your contacts that the spam did not come from you. (And if they did buy that cheap Rolex, it's probably fake.)
If you suspect foul play, I recommend that you check your account settings to see if there are any rules or filters in place that could automatically forward or reply to emails. In addition, check for a way to review recent login attempts and account activity. If you use Gmail, look for the "Last account activity" message on the bottom right of your inbox, and click the Details link there. For Microsoft accounts, use the Recent activity page.
It's also possible that your email account was hijacked by an evil spamming robot (malware) on your computer. Whenever you suspect that your email account has been compromised, you should run a full malware scan using your favorite anti-virus tool.
Google (Gmail), Microsoft (Outlook / Office 365), ProtonMail, and other email providers are offering security dashboards showing recent login locations, device types, and automated alerts for suspicious access. Take advantage of these options to monitor your account for suspicious activity.
This article was posted by Bob Rankin on 24 Sep 2025
Article information: AskBobRankin -- Hey, Are You Spamming In Your Sleep? (Posted: 24 Sep 2025)
Source: https://askbobrankin.com/hey_are_you_spamming_in_your_sleep.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Hey, Are You Spamming In Your Sleep?"
Posted by: Dan, 24 Sep 2025
Address spoofing has been going on since the beginning of e-mail. (And there are a few legitimate uses for the option.) But with all the tech at our corporate disposal, why can't we institute a 2FA-like embedded ID that would prevent spam and scum from being forwarded at the ISP level?