I got an unpleasant surprise today – an avalanche of spam in 90 minutes. And technically, I was the one sending it. Or at least that’s what the mailservers thought.
Our email system was designed in an era of trust: if a message said it came from Rocky Agrawal, the receiving computers assumed it did. They still do. SMTP never authenticates the sender address, so you can be anyone @ mydomain simply by claiming that you are. And that's exactly what spammers are doing. They're sending messages claiming to be from Paula547@, Tarnowski@, etc.
Those messages made their way across the Internet to mailboxes that had been deleted, never existed, or were full, and every one of those destinations answered the forged sender address rather than the spammer. Beginning at 2:24, my mailbox filled with a torrent of bounced-mail notices, vacation replies and mailbox-full notices.
And there’s pretty much nothing I can do about it.
There is at least one initiative that would help end this scourge, but it has seen little adoption. The Sender Policy Framework (SPF) lets a domain owner publish, in DNS, which mail servers are authorized to send messages for that domain. I have my SPF record set to allow only gmail.com to send messages on my behalf. A mail server that checks the connecting server's IP address against the SPF record can tell that the message is forged, and the right response is to reject it during the SMTP session itself, so that no bounce is ever generated toward the forged address. Unfortunately, many mail servers don't bother to do this check. A few did the check and then sent me messages saying that the message (which I didn't send) failed the SPF check. Gee, thanks.
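What the check looks like in practice, as an added example written for this post and not code from the author or from any mail server: a minimal evaluator for SPF records of the kind the post describes (ip4, include and the all mechanism with its +, -, ~ and ? qualifiers), plus the decision a receiving mail server should make from the result. DNS is replaced by a constructed in-memory table; the domain names, TXT records and addresses in it (RFC 5737 documentation ranges) are assumptions, not the author's real record.

```python
"""Minimal SPF (RFC 7208) evaluator with an offline DNS table.

Added example for this post, not the author's code. Domain names, IP
ranges and TXT records below are constructed (RFC 5737 documentation
addresses), not real DNS data.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. Assumption: example.com
# authorizes only its provider's netblocks and ends with a hard "-all".
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.provider.example -all"],
    "_spf.provider.example": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"],
    "soft.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "neutral.example": ["v=spf1 ?all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
    "nospf.example": ["some unrelated TXT record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def lookup_spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    records = [r for r in FAKE_DNS_TXT.get(domain, [])
               if r.split()[:1] == ["v=spf1"]]
    return records[0] if len(records) == 1 else None


def check_spf(domain, client_ip, _lookups=None):
    """Evaluate domain's SPF record against the connecting server's IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]          # shared counter across include: recursion
    record = lookup_spf_record(domain)
    if record is None:
        return "none"           # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue            # modifiers (exp=, redirect=) not supported here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"   # stops include: loops
            inner = check_spf(arg, client_ip, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral from an include is simply "no match"
        else:
            return "permerror"       # a, mx, ptr, exists need live DNS; not modelled
    return "neutral"                 # RFC 7208 section 4.7: no mechanism matched


def smtp_action(domain, client_ip):
    """What the receiving MTA should do for a message whose MAIL FROM is @domain.

    The backscatter-avoiding rule: a hard SPF fail is refused in-session with a
    5xx reply, so the error lands on the connected (spamming) host and no bounce
    is ever addressed to the forged sender.
    """
    result = check_spf(domain, client_ip)
    if result == "fail":
        return ("reject", "550 5.7.1 SPF fail: %s is not authorized to send for %s"
                % (client_ip, domain))
    if result in ("softfail", "permerror"):
        return ("accept", "Received-SPF: %s (weight in spam scoring)" % result)
    return ("accept", "Received-SPF: %s" % result)


if __name__ == "__main__":
    # The post's scenario: a forged sender @example.com arriving from a host
    # outside the authorized netblocks.
    print(smtp_action("example.com", "203.0.113.5"))   # reject in-session
    print(smtp_action("example.com", "192.0.2.10"))    # pass, deliver
```

The decision in `smtp_action` is the part that matters for the flood described above: a server that accepts the message and only later generates a non-delivery report, vacation reply or "your message failed SPF" notice is itself the source of the backscatter, whatever the check said.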