FAQ | Frequently Asked Questions

brought to you by your friendly
UC Davis Geology Department Computing Support Team

Q: Why does spam appear to have come from my e-mail address?
A: First some background, then a solution.
   On Dec 29, 2008, at 10:20 AM, A. User wrote:

   When I move my cursor over the email address the spam comes from -- 
   it shows my email address, not some other spammer's address.

   Why is this?

Because that is what the spammer filled in as the FROM address.

Imagine I pick up a paper envelope. I write your name and address in the usual recipient address location and I also write your name and address in the sender location. I then stamp the envelope and drop it in the mail.

When you receive the envelope from whom does it appear to have come?

How do you know where the envelope really came from?

If there is a legible postmark, you could try interpreting that.

With e-mail, the Received: headers serve as postmarks.

Since most of the time most e-mail recipients are not interested in most of the e-mail headers, they are usually hidden from plain view and you need to click a button somewhere to “reveal” the full headers.

Displaying Full Headers

  If using Apple Mail:     View → Message → Long Headers
    (or press command-shift-H)

  If using Thunderbird:     View → Headers → All

Now look at the Received: headers. They are in geologic order: oldest at the bottom, youngest at the top.
(You folks should be good at this by now.)

You may see something like this (varies from message to message):

Received: from mailbox.geology.ucdavis.edu ([127.0.0.1]) by localhost (mailbox.geology.ucdavis.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10224-02 for ; Thu, 24 Jul 2008 05:45:04 -0700 (PDT)
Received: from dog.cia.com (dog.cybersurf.net [209.197.145.189]) by mailbox.geology.ucdavis.edu (Postfix) with ESMTP id EA9277198E20A for ; Thu, 24 Jul 2008 05:45:03 -0700 (PDT)
Received: from reef.cybersurf.com ([209.197.145.198]) by dog.cia.com with esmtp (Exim 4.50) id 1KM0BH-0006hQ-7S; Thu, 24 Jul 2008 06:44:27 -0600
Received: from apache by reef.cybersurf.com with local (Exim 4.44) id 1KM0BG-0002No-Ub; Thu, 24 Jul 2008 06:44:26 -0600
Received: from 196-207-0-227.netcomng.com (196-207-0-227.netcomng.com [196.207.0.227]) by webmail.3web.com (IMP) with HTTP for ; Thu, 24 Jul 2008 06:44:26 -0600

So, starting with the bottom-most Received: header, the message started at a place called 196-207-0-227.netcomng.com. From there it was routed to reef.cybersurf.com, then to dog.cia.com, and on to mailbox.geology.ucdavis.edu.
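The same bottom-up reading can be done in code. This is an added example, not part of the original FAQ: it parses the sample Received: headers above into hops, oldest first, and picks out the hop that our own mail server recorded when the message was handed to it. The function names, the From/To/Subject lines and the body are constructed for illustration; headers older than the one our server wrote were supplied by the sending side and are only as reliable as that side.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received: headers copied from the sample above (recipient addresses are blank, as on the page).
# The From/To/Subject lines and the body are constructed for illustration.
RAW = """\
Received: from mailbox.geology.ucdavis.edu ([127.0.0.1]) by localhost (mailbox.geology.ucdavis.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10224-02 for ; Thu, 24 Jul 2008 05:45:04 -0700 (PDT)
Received: from dog.cia.com (dog.cybersurf.net [209.197.145.189]) by mailbox.geology.ucdavis.edu (Postfix) with ESMTP id EA9277198E20A for ; Thu, 24 Jul 2008 05:45:03 -0700 (PDT)
Received: from reef.cybersurf.com ([209.197.145.198]) by dog.cia.com with esmtp (Exim 4.50) id 1KM0BH-0006hQ-7S; Thu, 24 Jul 2008 06:44:27 -0600
Received: from apache by reef.cybersurf.com with local (Exim 4.44) id 1KM0BG-0002No-Ub; Thu, 24 Jul 2008 06:44:26 -0600
Received: from 196-207-0-227.netcomng.com (196-207-0-227.netcomng.com [196.207.0.227]) by webmail.3web.com (IMP) with HTTP for ; Thu, 24 Jul 2008 06:44:26 -0600
From: a.user@example.edu
To: a.user@example.edu
Subject: constructed sample

(constructed body)
"""

HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def parse_hops(raw):
    """Return the hops oldest-first, one dict per Received: header."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(value)
        if not m:
            continue
        ip = IP.search(m.group(2) or "")  # address the receiving host saw
        hops.append({"from_host": m.group(1), "from_ip": ip.group(1) if ip else None,
                     "by_host": m.group(3),
                     "when": parsedate_to_datetime(value.rpartition(";")[2])})
    return hops

def handoff_to(hops, our_suffix):
    """Newest hop written by one of our own servers for a non-loopback peer.
    Everything older than this hop was supplied by the sending side."""
    for hop in reversed(hops):
        if hop["by_host"].endswith(our_suffix) and hop["from_ip"] not in (None, "127.0.0.1", "::1"):
            return hop
    return None

if __name__ == "__main__":
    for hop in parse_hops(RAW):
        print(hop["when"].isoformat(), hop["from_host"], hop["from_ip"], "->", hop["by_host"])
    print("handed to us by:", handoff_to(parse_hops(RAW), ".geology.ucdavis.edu"))
```
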

At this point you could try sending a message to the people who run the netcomng.com network. You could try postmaster@netcomng.com or abuse@netcomng.com, describing the nature of the message and the origin of the message, and requesting that they put a stop to this kind of activity.

The Federal Trade Commission maintains a website where you can report unwanted or deceptive messages at:

   http://www.ftc.gov/spam/

Follow the instructions in the Report Spam section of that web page.