Can email spoofing be prevented

Tags: email, web-hosting

My wife's email account was hacked and the attacker got her address book. I don't know if the attack was on her local email client (Thunderbird running on Windows 7) or on the server (hosted at GoDaddy). Either way, the contact list data is out there and I can't undo that. I have changed all passwords, updated security, etc., and I don't think there have been any further intrusions.

However, whoever did this has been sending huge amounts of spam, using my wife's name as the "sender". They go quiet for a while, and then so often I wake up to a few dozen emails from my wife, which of course she didn't really send, and every other person in her address book gets these as well. And because her address book was full of many dead addresses, my wife gets hundreds of "Mail Delivery Failed" bounceback messages, as well as hundreds of emails rejected by the receiving domain as spam. The people in her contact list are getting angry, and it's becoming a real problem.

I have asked GoDaddy about this, and they say that any person A can send an email to b@bbb.com claiming to be c@ccc.com, and there is no email infrastructure in place to verify that person A is authorized to send an email from ccc.com. Consequently, there's absolutely nothing I can do about this, and this spammer will be able to harass people, damage my wife's reputation, get her email blacklisted, etc. and there is no way to stop it.

Is this true, or is there anything I can do to stop these spammers, or at least mitigate the damage?

Best Answer

It is indeed very hard to solve the problem of e-mail spoofing in a general way, due to the simple and highly distributed way the protocol is designed.

The physical letter analogy holds up quite well in this example: I can put a letter into the post, and write on it that it comes from your house; I don't need to have broken into your house to do this, just drop it in a public post box. And if the post is marked "return to sender" it may well end up being "returned" to you, even though you didn't write it. The same happens with e-mail: anybody can deliver a message into the system, with a To and a From address; the server you send mail from may not be the same one you receive mail to, and there's no centralised service verifying your identity when you drop a message into the system.

There are two general approaches to solving this:

Digital signatures are a way of including in a message a kind of signature or seal which only the real sender knows how to generate (using a private key which they never share). The recipient can then verify the signature using a public key which mathematically proves who produced the signature (and that it matches the received text).

This is not, however, very useful for your example, because it doesn't prevent the messages being delivered, and requires recipients to know the public key, or a verified location to retrieve it.

Domain-based sender verification systems have been developed to try to prevent spam. These store data in the DNS (directory lookup) for the domain of the address (the part after the @) which allow a receiving system to verify if a mail is legitimate. One system, SPF, lists which systems are allowed to send mail on behalf of that domain; another, DKIM, stores public keys used similarly to the digital signature approach above, but for verifying the transmitting system, rather than the actual sender.

(To slightly over-extend the physical letter analogy, SPF is like publicly saying "I only post letters using this post box" and DKIM is like publicly saying "I always send mail from this post office which prints a tamper-evident label for me".)

These would be more relevant to your case - if your wife were using a custom domain, an appropriate SPF or DKIM setup would cause many systems to silently reject mail which she had not sent herself (or mark it as spam, without attributing it to her). However, it only works at the domain level, not the individual address, and some recipient systems may not check the records.
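To make the SPF part of the answer concrete, here is an added example (not from the answer above, and not any real mail server's code) of the check a receiving system performs: it compares the IP address of the connecting sender with the senders the domain's SPF record lists. The DNS lookup is left out, the record and IP addresses are constructed, and only the ip4/ip6/all mechanisms are handled; a term such as include: would need further DNS lookups and is reported as unsupported.

```python
import ipaddress

# Qualifier prefix on an SPF mechanism -> result name (RFC 7208 semantics).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # "ip4:192.0.2.0/24" -> ("ip4", "192.0.2.0/24")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate the record against the IP of the connecting SMTP client.

    Terms are evaluated left to right; the first matching mechanism decides.
    Only offline mechanisms (ip4, ip6, all) are supported here.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            # include/a/mx/exists/redirect need DNS, so the result cannot be
            # determined offline; stop rather than guess.
            return "unsupported"
    return "neutral"  # nothing matched and no "all" term: default is neutral


if __name__ == "__main__":
    # Constructed record for a domain whose only outbound servers sit in
    # 192.0.2.0/24 and 2001:db8::/32; "-all" rejects everything else.
    record = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", check_spf(record, ip))
```

A spammer relaying from an address outside the listed ranges gets "fail" with "-all" or "softfail" with "~all", which is what lets a receiving system reject or flag the forged mail instead of attributing it to the domain owner.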
