
Why do I get spam not addressed to me? - 11/26/06

From: Email Guy
Subject: Why do I get spam not addressed to me?
Date: November 26, 2006 11:12 AM

Users often report getting spam messages that don't appear to be addressed to them. The To: line of the message will contain some other address, and the user wonders why the message was delivered to them at all.

The reason is that the To: line and the CC: lines in email are not actually used to route or deliver messages at all. Those are only informational lines that are part of the body of the message, and are called "message headers". And because they have no effect on message delivery, the content of those lines can be anything the sender wants them to be. Well-behaved email software always puts the actual recipients in the To: and CC: lines. But spammers don't follow the rules and don't use email software that follows the rules.

The actual recipient of a message is determined by what are called "envelope headers" which are set during the sending transaction between the sender and the email server. The sending software instructs the email server on who to send the message to during the sending transaction. The envelope headers also contain the IP address of the machine sending the message, and other information about the route the message took to reach you.

To see the actual address a message was sent to, you have to use the View All Headers feature in Web Mail. Most other email software also allows you to view these headers. Look for a header called X-ELNK-Loop. That is a special header inserted by the EarthLink mail server to always show the actual address the message was sent to by the sender. This will be the mailbox that the message gets delivered to, and since our server puts that header in there, it can't be faked.

So when a message shows up in your mailbox it is always addressed to you, but spammers will often hide this fact using bogus message headers.
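The distinction described above between the envelope and the To:/CC: lines, as an added example that is not part of the original post: it separates the envelope recipient from the message headers in a sending transaction, then checks a delivered copy the way a reader would with View All Headers. The session lines, addresses and function names are constructed for illustration, and the assumption is that X-ELNK-Loop carries the bare envelope address.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed client side of an SMTP sending transaction (not captured traffic).
SESSION = [
    "HELO sender.example.net",
    "MAIL FROM:<bounce@example.net>",
    "RCPT TO:<you@example.org>",        # envelope: decides delivery
    "DATA",
    "From: Offers <offers@example.net>",
    "To: someone.else@example.com",      # message header: informational only
    "Subject: Special offer",
    "",
    "Buy now.",
    ".",
    "QUIT",
]

def split_session(lines):
    """Return (envelope recipients, raw message text) from client commands."""
    rcpts, data, in_data = [], [], False
    for line in lines:
        if in_data:
            if line == ".":              # a lone dot ends the DATA section
                in_data = False
            else:                        # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
        elif line.upper() == "DATA":
            in_data = True
        else:
            m = re.match(r"RCPT TO:\s*<([^>]+)>", line, re.I)
            if m:
                rcpts.append(m.group(1).lower())
    return rcpts, "\n".join(data) + "\n"

def deliver(rcpt, raw):
    """Model the receiving server stamping the envelope recipient on a copy.
    Assumption: X-ELNK-Loop carries the bare envelope address."""
    return f"X-ELNK-Loop: {rcpt}\n{raw}"

def addresses(msg, *names):
    """Lower-cased addresses found in the named header fields."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def explain(delivered_raw):
    """Compare the server-stamped address with what To:/Cc: display."""
    msg = message_from_string(delivered_raw)
    actual = addresses(msg, "X-ELNK-Loop")
    shown = addresses(msg, "To", "Cc")
    return {"delivered_to": sorted(actual), "shown": sorted(shown),
            "not_shown": sorted(actual - shown)}

def run_example():
    rcpts, raw = split_session(SESSION)
    return [explain(deliver(r, raw)) for r in rcpts]

if __name__ == "__main__":
    for report in run_example():
        print(report)
```

An address listed under `not_shown` was a real envelope recipient that the visible headers never mention, which is also what a BCC recipient's copy looks like.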

Discussion

Posted by: Deah   |   November 30, 2006 5:27 PM    |   (1)

I'm wondering if it could be possible to have some filters on the suspected spam folder that would allow us to permanently screen out on the basis of content as well as on the basis of senders.


For example, for some bizarre reason I get a lot of spam from always different senders around buying medications online. If I could set a content filter rule to prevent those from even getting into my suspect spam folder, I'd be very happy.


Sometimes these emails come from domains that I don't want to block, such as yahoo or comcast or msn. To block these senders I have to block receiving from those domains in total, and I don't want to do that because I have legitimate email I do wish to receive from those domains.


A content filter would be extremely helpful, and I bet it would be well received by the EarthLink customers.

Posted by: Email Guy   |   November 30, 2006 6:04 PM    |   (2)

Deah - yes, a way for users to create their own general filters is in our plans for Web Mail. You'll be able to create filters that act on message content and take a specified action, which could be to delete, put in a special folder, etc.

Posted by: thisjustin   |   December 12, 2006 10:13 PM    |   (3)

I get TONS of spam addressed to my email address, but every one has the personal information, like name and street address, of a person in California. They often are from subscribed legitimate mailing lists (Corporate Newsletters). The other half are all about mortgages. All containing street address. Any thoughts? Should I have to visit every "Unsubscribe" site for mailing lists to which I did not subscribe?

Posted by: barry   |   December 18, 2006 2:20 PM    |   (4)

if the TO: & CC: fields are 'decoration', then how come we can't leave both those fields blank and just put all addresses in the BCC field? some email programs allow that. i'm trying to remember if older generations of webmail also allowed that.

if we leave the TO field blank, with an address in either the CC or BCC fields, we now get a popup dialog box: "Please enter a value for the 'To' field."

Posted by: barry   |   December 18, 2006 2:32 PM    |   (5)

thank you for the lesson about the mail being sent via the info in the Received line rather than from the TO field.

but another reason why email gets delivered without any address, or your address anyway, in the TO or CC fields, is that the sender, legitimate or spammer, also can use the BCC field.

many email rookies are not familiar with BCC, and they should be. mail to 2 or more people, especially if they all don't know each other, should have ALL addresses in the BCC field. your own address should be placed in the TO field. you'll get a copy of the email, as will everyone else you placed in the BCC field, but your recipients won't know who else you sent the mail to.

BCC = Blind Carbon Copy. EVERY email program has a BCC: field in its new email composition window, as well as in the Reply and Forward windows. If the BCC: field is not visible, you can make it visible by turning on this option somewhere in your software's Options or Preferences area. Having a visible BCC: field should be *standard*.

What if you want your recipients to know who else was sent a copy? Or you want a record of who you sent the mail to? Simply place in the BODY of the email message a BCC: line, like:

[BCC: Uncle Joe, Billy Bob, kermit, Sally Ann, Dubya, Eidolon, miss piggy]

...where you place their names but NOT their email addresses. Sometimes I place such a line at the top of my message when I want my readers to know right away who else received the email, and sometimes at the bottom of my message when it’s not so important, or it’s for my records. A shortcut would be to copy the list of email addresses you've placed in the BCC: field into the body of the email, then delete the domain name portion (@aol.com, @WINDnotOIL.com, @whitehouse.gov) of the address, leaving this:

[BCC: joefish23, BB775, greenkermy, SallyA, Dubya, buywind, iluvkermy]

Why hide everyone's email address from everyone? Several reasons.

1. People prefer to reveal their email address to selected individuals and organizations. These are people on YOUR buddy list or in YOUR address book, and are not intended to be seen by people your friend doesn't know.

2. Your recipients probably did not give you permission to send their address to complete strangers around the internet.

3. Emails get forwarded by recipients, usually without the original sender's knowledge. Especially jokes and dumb chain letters. (Remember, do not put in an email that which you do not want to see on Hard Copy!) Which means that an email you send with visible addresses in the TO: and CC: fields may get sent to tens of thousands of people for years to come. It's bad enough that your address as sender will be distributed to strangers. But so will your recipients' addresses--without their knowledge, permission or desire. And that's not nice.

Don't want your address forwarded around the world to strangers? Then don't forward chain letters or jokes. Or, at the very least, upon receipt of the joke, highlight, copy & paste the joke into a new email composition window, and send out a fresh email, not a forward of a forward of a forward. At least you won't be forwarding your sender's address along with all the prior recipients' addresses. And who likes to plow through emails full of forwarded headers (To/From/Date/Subject) and footers? Sending a clean email looks better and is appreciated by your recipients, and is a lot smaller in size. The Golden Rule of Email: Send unto others that which you'd like sent unto yourself. Clean emails!

4. Why shouldn't thousands of strangers get your friends' email addresses? Because among those recipients of all those forwarded emails are spammers. Spammers harvest email addresses several ways, including from forwarded jokes & chain letter emails. The spammers know that the email addresses are good, as they were sent by friends to friends. Which means the addresses get placed in spammer email databases, and sold around the world to other spammers. (I get about 10 spams a DAY just in Russian!) Which means that you and your recipients are now going to get more & more spam. Not a good thing. Do not contribute your friends' addresses to spammers.

What if your email program requires an address in the TO: field, and won't let you send an email with a blank TO: field and all addresses in the BCC: field? Simple. Place your own address in the TO: field (NOT one of your recipient's!). Your recipients will get the mail with your address as both the sender and sole recipient. And you'll get a copy back since you sent it to yourself.

Posted by: Email Guy   |   December 18, 2006 3:09 PM    |   (6)

Barry - yes, the BCC line usually does exactly what I described. It is an instruction for your email software only, and that line does not go out with the message. It tells your software to send the message to that recipient without putting that recipient in the message headers (which are seen by all recipients). The software then tells the email server the recipient address, and their address will appear in the Received header when they get the message, but it will not be in any copy other recipients receive. Hence, Blind Carbon Copy.

Posted by: barry   |   December 18, 2006 3:34 PM    |   (7)

Deah wrote Nov 30, 2006 5:27 PM that he doesn't want to block a whole domain like yahoo. earthlink's spamBlocker allows us to block *specific* bad addresses (such as joespammer@yahoo.com) so we don't have to block a whole domain such as yahoo. problem is, we're limited to just 500 blocked addresses or domains. i used to block all spam addresses until that 500 limit was reached. now i'm more selective:

lots of bad spammers (and believe it or not spammers are classified as good and bad!) will use as the FROM address the legitimate email address of an unaware person.* and they rotate addresses around. every spam from that spammer uses a different, legit address, from an unsuspecting email account holder. so if you block every address from which spam is received you'll be wasting your time, as the spammer isn't likely to use that address again, and you'll be wasting one of those valuable 500 slots earthlink gives us.

(*spammers constantly buy domain names which they use for a spam campaign or 3, then stop using that domain and buy another. spammers even use made up FROM addresses--they create their own prefix (username) to known domain names. for example, if i buy a domain name, say abc123xyz.org, and don't even put it into service, or put up a 'hold' web page with no email address on the page, a spammer may create a FROM address of johnsmith@abc123xyz.org for a round of spam. if the domain name seller allows you to receive ANY email addressed to ANY username at abc123xyz.org, then any bad email address to which a spammer sends its spam will result in the bounced email being sent back to you at johnsmith@abc123xyz.org , eventho you've *not* created that email address! that scenario has happened to me several times for web addresses i bought. in addition, i often get bounced (returned to sender as undeliverable) spam 'returned' to me to/from my legitimate email addresses, such as my earthlink address. so i'm sure my address is on several spam blocking lists from people i never wrote to! and unfortunately so is your address.)

instead i now look at the body of the spam. if there's a domain in the text of the spam, either as part of a link to a website, or an email address to receive replies from the spam, and if that domain name in the text matches the domain name in the FROM line, then i will either add to my 500 that FROM address, or even the address within the body of the spam, or the whole domain name if it's unique and not a yahoo or comcast or aol-type domain. i find that most spams don't have matching domains between the FROM line and in their text. so i've cut down on the number of addresses i block, since most spam seems to come from single-use-only FROM email addresses.

note that i do this mostly for spam that slips by spamBlocker and lands in my Inbox. for spam sent to my Known Spam folder i'll only bother to open messages that have my name or city in the SUBJECT line. those spammers tend to use their own domain name (permanent or temporary for several rounds of spam), not those from someone else. those spammers use the same FROM address for several spams, before the spammer buys a fresh domain name. most of those spams have a web address in the text body (www.buymyscammeds.com) , and the domain in the link matches the FROM domain (abc123@buymyscammeds.com). since the domain is probably owned by the spammer (remember, this is Known Spam) i'll block the whole domain, rather than just the email address.

eventho i might block the whole domain of a Known Spammer (buymyscammeds.com), often earthlink still allows spam into the Known Spam folder from that blocked domain! thus it appears that spamBlocker first scans emails for known spam and sends those known spams to the Known Spam folder, THEN it scans the remaining email to match up addresses from my Blocked Sender list and DELETES those. it'd be nice (i.e., HERE'S A SUGGESTION) if spamBlocker would scan all incoming mail FIRST thru our blocked addresses list, THEN scan for its known spam. that way we'd get LESS spam in our Known Spam folder (& therefore less stored on your servers), as spamBlocker would first delete mail from blocked addresses we've identified of Known Spam!

how about it Email Guy? can spamBlocker scan for blocked addresses before it scans for known spam?

thanks.

Posted by: Email Guy   |   December 18, 2006 3:50 PM    |   (8)

Barry - good information. You can also find more on this subject here:

http://blogs.earthlink.net/webmail/2006/11/why_is_the_block_list_limited_to_500.php
http://blogs.earthlink.net/webmail/2006/12/effective_domain_blocking.php

As for whether we check the block list first or filter for known spam first, I'd have to check, but they are both immediately deleted. By default when you click your Known Spam folder, you only see a graph showing how many we deleted for you. They aren't saved. You can change that setting to save them, but most users don't. And if you do change it, they still don't count in your storage quota, and they don't use much storage for us as we are going to autodelete them anyway after 10 days if you choose the save option.

Posted by: barry   |   December 18, 2006 3:52 PM    |   (9)

thisjustin wrote Dec 12, 2006 10:13 PM that spams he gets "has the personal information, like name and street address, of a person in California."

do you mean your personal info in the body of the email, or the spammer's personal info, or somebody else's personal info? you can usually tell when a 'legitimate' spammer adds their own contact info in a spam. often it's because they think that spamming is now legal if they follow the CANSPAM Act guidelines which basically state that if a sender includes their contact info then the spam isn't spam! good ole congress!

if it's addressed to somebody else, then it may either be spam, or a legitimate sender's email database error.

if it's addressed to you, should you "visit every "Unsubscribe" site for mailing lists to which I did not subscribe?": the rule of thumb is to never reply to a spammer, either in response to their offer, or to be removed from their mailing list. replying to a spammer shows them that 1. you got the spam, 2. you opened the spam, & 3. most importantly, you read the spam. thus they'll know that they have a 'very good' email address, and may wind up not only sending you even more spam, but will sell your address to other spammers. and you know what that means! supposed corporate email can be spam too. they may buy lists from legitimate sources in their industry, and then email you without your permission. that's still spam.

Posted by: barry   |   December 18, 2006 3:56 PM    |   (10)

i wrote at 220pm: "if the TO: & CC: fields are 'decoration', then how come we can't leave both those fields blank and just put all addresses in the BCC field? some email programs allow that. i'm trying to remember if older generations of webmail also allowed that."

i should have added that i'd like to see webmail ALLOW US to leave the TO & CC fields empty if there's at least one address in the BCC field before we hit 'send'. it'd save us a step of adding our own address in the TO field. the result is the same as far as our recipients are concerned--it's still from me, and their address doesn't show in the TO or CC fields. they don't need to see that i also sent it to myself!

Posted by: Email Guy   |   December 18, 2006 4:33 PM    |   (11)

I agree, the behavior should be to require a recipient in any one of the To, CC or BCC, not specifically the To. I'll see about getting that fixed.

Posted by: barry   |   December 18, 2006 5:47 PM    |   (12)

Email Guy replied to me Dec 18, 2006 3:50 PM: "As for whether we check the block list first or filter for known spam first, I'd have to check, but they are both immediately deleted." yes, but--only if spamBlocker is set on High. if set on medium, then known spam is sent to the Known Spam folder. and i find fresh spam there from addresses i've previously blocked. thus my request/plead to scan our Block list *prior to* routing out Known Spam.

thank you for checking tho.

"By default when you click your Known Spam folder, you only see a graph showing how many we deleted for you. They aren't saved." again, only with the High setting. which is what i use, and can see, in my secondary Mindspring email account. but for this primary account i can't use the High setting, as i've had this email address for around 10 years, and i don't want to have to maintain an allow list, or have legit senders get that autoreply message, especially if that sender is a mail list i forgot about!

Posted by: Email Guy   |   December 18, 2006 6:01 PM    |   (13)

No, setting spamBlocker to High has no effect on the behavior of the medium setting, it just adds the Suspect Email blocking to the filtering already provided on the Medium setting. Known Spam is always immediately deleted unless you go to spamBlocker / Settings and change that, in which case you will see a normal folder of messages instead of a graph. When you see the graph, you are seeing how many got immediately deleted.

Posted by: barry   |   December 18, 2006 6:15 PM    |   (14)

re: "No, setting spamBlocker to High has no effect..."

well, maybe i've confused High and Medium behavior because of the settings i've chosen (a long time ago!) for each of my accounts. for my Mindspring address i've set up High with auto deletion of known spam; for my primary netcom address i'm on Medium with save spam to Known Spam. which is where blocked address show up again in fresh spam. i still want to see Known Spam (to catch false positives), but not known spam from blocked addresses.

Posted by: Greg Ewanowich   |   August 14, 2007 6:24 PM    |   (15)

I am so sick of the spam garbage sent to my email address I am about ready to cancel all my email accounts and go back to using the post office as sad as that is. People who use spam as a way to advertise their sick pornography and garbage using fake return addresses and stolen identities and IPs should be hung by their short curly ones till they bleed to death as far as I am concerned!! There is no prison nasty enough to hold them in even in China, Korea and Thailand where a lot of this sick garbage is sent through. All pornographic sites that use these kind of methods to advertise and spread their sick trash should be tracked down and permanently removed and banned from the use of the internet!! I am so pissed off!!
