Today, a colleague wrote to warn me that I might start receiving suspicious e-mails that were nominally from her, but were in fact from a spammer. This happened to me a couple years back, so I figure it's worthwhile providing an explanation of what's going on and what (little) you can do about it.
When this happens, it's logical to fear that your computer has been hacked or has contracted a virus or other forms of malware. That's certainly possible, particularly for Windows computers (still the primary target for malware authors), but if you're running up to date antivirus and antimalware software and pay attention to what you're doing online, it's not the most likely cause of this problem. (If you're not running current software, shame on you: download some at once and scan your computer, just in case something crept in while you were napping.)
The main cause of this spam coming from your computer is that it's trivially easy for spammers to obtain someone's name from their Web site or from e-mail discussion groups and LinkedIn etc. For that matter, most of us already have our names in dozens of listings of stolen e-mail addresses. Thus, it's only a matter of time before your name comes up in the "uh oh" lottery. Borrowing your name and address from one of these lists and using it to obscure the real source of the spam e-mail is called "spoofing", and it's common and distressing. Someone did that to me several years ago, and it took about 1 week (with hundreds of error messages per day flooding my In box) before the problem finally went away.
Unfortunately, there are few things you can do about this:
First, notify all your friends and colleagues to ensure that they don't see your name, trust the source, and click on a skeevy link or open a skeevy attached file. This is still the most common way people get their computers infected
Next, notify your service provider about what happened. If you've already started receiving replies to these messages you never sent, ask about how to send copies to your service provider's abuse department so they can try to track down the source. Also warn them to expect a wave of complaints from people who think you're the one who's spamming them and to expect waves of bounced e-mail from all the addresses in the spammer's distribution list that no longer exist. These error messages will all be returned to your address.
Last but not least, wait patiently for the service providers around the world to spot the flood of spam and track it back to its origins so they can block the mail at its source. This will eventually happen.
Although it's tempting to change your e-mail address, that's both hard to do well and ineffective: all of your business cards that have migrated around the world become obsolete, all your contact information on Web pages becomes obsolete... it's a nightmare to try to update everyone who needs to know and everywhere your name has been stored for good reasons in someone's database. Worse yet, it won't stop the problem from recurring if you're unlucky. You'll probably find it wise to get a second e-mail address if you don't already have one, since that will let you reach people whose service provider blacklists your primary address as a source of spam. Until things return to normal, be sure to send a followup from your second address if you don't get a reply within a reasonable delay to any message sent from your first address. Many people will consciously or unconsciously (i.e., based on software settings or their employer's e-mail spam filter) block your original address. At some point, you may end up needing to keep a separate list of people who can't be contacted from your first address because their employer or service provider can't be bothered adding your name to a whitelist of verified names.
Please feel free to share this explanation with your friends and colleagues.
In the meantime, if this has happened or is happening to you, my sympathies! The situation is beyond frustrating, but I'm living evidence that you can get through it with sanity and reputation largely intact.
When this happens, it's logical to fear that your computer has been hacked or has contracted a virus or other forms of malware. That's certainly possible, particularly for Windows computers (still the primary target for malware authors), but if you're running up to date antivirus and antimalware software and pay attention to what you're doing online, it's not the most likely cause of this problem. (If you're not running current software, shame on you: download some at once and scan your computer, just in case something crept in while you were napping.)
The main cause of this spam coming from your computer is that it's trivially easy for spammers to obtain someone's name from their Web site or from e-mail discussion groups and LinkedIn etc. For that matter, most of us already have our names in dozens of listings of stolen e-mail addresses. Thus, it's only a matter of time before your name comes up in the "uh oh" lottery. Borrowing your name and address from one of these lists and using it to obscure the real source of the spam e-mail is called "spoofing", and it's common and distressing. Someone did that to me several years ago, and it took about 1 week (with hundreds of error messages per day flooding my In box) before the problem finally went away.
Unfortunately, there are few things you can do about this:
Although it's tempting to change your e-mail address, that's both hard to do well and ineffective: all of your business cards that have migrated around the world become obsolete, all your contact information on Web pages becomes obsolete... it's a nightmare to try to update everyone who needs to know and everywhere your name has been stored for good reasons in someone's database. Worse yet, it won't stop the problem from recurring if you're unlucky. You'll probably find it wise to get a second e-mail address if you don't already have one, since that will let you reach people whose service provider blacklists your primary address as a source of spam. Until things return to normal, be sure to send a followup from your second address if you don't get a reply within a reasonable delay to any message sent from your first address. Many people will consciously or unconsciously (i.e., based on software settings or their employer's e-mail spam filter) block your original address. At some point, you may end up needing to keep a separate list of people who can't be contacted from your first address because their employer or service provider can't be bothered adding your name to a whitelist of verified names.
Please feel free to share this explanation with your friends and colleagues.
In the meantime, if this has happened or is happening to you, my sympathies! The situation is beyond frustrating, but I'm living evidence that you can get through it with sanity and reputation largely intact.