You don't. Someone is using your address as a return address and there is nothing you can do. Be selective where you post your personal info. Only provide it where it is needed and never post in a public forum like this one.

IMHO this is not a valid answer to my question. My email address is no secret and many people have access to it. However, this is the first time someone was able to use my address as if they were me. That is, my email address was given to me by Uppsala University and many students and faculty have access to it. Up to now no one could use this email address as their own and send emails to me that showed they were being sent from me; i.e. impersonating me. As I stated in my first posting of this problem, The email shows From: Me but it actually is from someone else --- how can I find out who is sending this to me and stop them?

You not liking the answer does not change the fact that people scam other's email address all the time. I guess you have been lucky so far. Thunderbird is email client software running on your computer. It downloads or displays messages that arrive in your Inbox on your providers server. It has no control over what arrives there or who is using your email. Nor do you! Scamming email addresses is no different that someone using snail mail printing your address on an envelope. You have no control over it. Maybe while at University take a course in how email works and it's shortcomings.

Unfortunately you do not understand my problem, so please stop giving replies to my problem. And for your information I have taught in the IT dept of a large university for over 10 years. The problem is not about someone sending emails to me. The problem is (I repeat) I get emails that show they were sent by me (i.e., the top line of email shows From: Me which is of course vs@it.uu.se; but I did not send this email).

Airmail, send me an email (vs@it.uu.se) and make the From also be vs@it.uu.se. Please try --- if you can do this then tell me how you did it. Otherwise, do not continue to try to answer my question which IMHO you do not understand.

I have attached an image of the top of such an email. I did not send this email but I would like to know who did send it!

I protect my personal info. That includes not emailing random IT professors. Press control+u to see the source code of an email. With your background you should be able to decipher the origin of the message.

First, you seem to be paranoid about personal information. You only need to send a blank email to me with From: vs@it.uu.se. I really do not see how this could compromise your personal info since it would show sent by me!

Here is what a Ctrl-u gives: Received: from uuc-epost001.user.uu.se (130.238.3.11) by

uuc-epost005.user.uu.se (130.238.3.15) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1591.10 via Mailbox Transport; Wed, 23 Jan 2019 12:25:43 +0100

Received: from uuc-epost004.user.uu.se (130.238.3.14) by

uuc-epost001.user.uu.se (130.238.3.11) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1591.10; Wed, 23 Jan 2019 12:25:43 +0100

Received: from lyra.its.uu.se (130.238.7.73) by smtp.user.uu.se (130.238.3.9)

with Microsoft SMTP Server (version=TLS1_0,
cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1591.10 via Frontend Transport;
Wed, 23 Jan 2019 12:25:43 +0100

Received: from e-mailfilter03.sunet.se (e-mailfilter03.sunet.se [192.36.171.203]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by lyra.its.uu.se (Postfix) with ESMTPS id B9F7038EC4 for <vs@it.uu.se>; Wed, 23 Jan 2019 12:25:42 +0100 (CET) Received: from ln-static-139-255-66-35.link.net.id (ln-static-139-255-66-35.link.net.id [139.255.66.35] (may be forged)) by e-mailfilter03.sunet.se (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id x0NBPTWY095758 for <vs@it.uu.se>; Wed, 23 Jan 2019 12:25:35 +0100 Message-ID: <7B6643204D5E052E331675180B507B66@it.uu.se> From: <vs@it.uu.se> To: <vs@it.uu.se> Subject: =?utf-8?B?YnLDpWRza2FuZGUgbWVkZGVsYW5kZW4gZnLDpW4gc8Oka2VyaGV0c3Rqw6Ruc3Rlbi4=?= Date: Thu, 24 Jan 2019 00:26:33 +0600 Content-Type: multipart/alternative; boundary="---------4393220674707370" X-Mailer: Wklslmt lhlflja 7.1 X-Bayes-Prob: 0.9999 (Score 5, tokens from: vs@it.uu.se, uu-se:default, base:default, @@RPTN) Precedence: bulk X-Auto-Response-Suppress: All Auto-Submitted: x-no-autoresponse-please X-Spam-Flag: YES X-CanIt-Incident-Id: 0bXrLpuAx X-Spam-Score: 32.48 (********************) [Tag at 6.30] CK_HELO_GENERIC:0.001,DATE_IN_FUTURE_06_12:0.001,HTML_MESSAGE:0.001,NO_FM_NAME_IP_HOSTN:2.5,RDNS_NONE:1.274,SPF(softfail:1),DKIM(none:0),CC(ID:0.2),RBL(spamhaus:3.0),RBL(rp-dict:1.5),RBL(rp-spam:3.0),Bayes(0.9999:5.0),C3312(15) X-p0f-Info: os=Windows 7 or 8, link=Ethernet or modem X-CanIt-Geo: ip=139.255.66.35; country=ID; region=Jakarta; city=Jakarta; latitude=-6.1744; longitude=106.8294; http://maps.google.com/maps?q=-6.1744,106.8294&z=6 X-CanItPRO-Stream: uu-se:vs@it.uu.se (inherits from uu-se:default,base:default) X-Canit-Stats-ID: 0bXrLpuAx - d2c00e63191b - 20190123 (trained as spam) X-Antispam-Training-Forget: https://mailfilter.sunet.se/canit/b.php?c=f&i=0bXrLpuAx&m=d2c00e63191b&rlm=uu-se&t=20190123 X-Antispam-Training-Nonspam: https://mailfilter.sunet.se/canit/b.php?c=n&i=0bXrLpuAx&m=d2c00e63191b&rlm=uu-se&t=20190123 X-Antispam-Training-Phish: https://mailfilter.sunet.se/canit/b.php?c=p&i=0bXrLpuAx&m=d2c00e63191b&rlm=uu-se&t=20190123 X-Antispam-Training-Spam: https://mailfilter.sunet.se/canit/b.php?c=s&i=0bXrLpuAx&m=d2c00e63191b&rlm=uu-se&t=20190123 X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw Received-SPF: softfail (e-mailfilter03.sunet.se: domain of vs@it.uu.se does not designate 139.255.66.35 as permitted sender) receiver=e-mailfilter03.sunet.se; client-ip=139.255.66.35; envelope-from=<vs@it.uu.se>; helo=ln-static-139-255-66-35.link.net.id; identity=mailfrom X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.203 Return-Path: virgil.stokes@it.uu.se X-MS-Exchange-Organization-Network-Message-Id: 4c6a8d0e-ee3a-456a-ee57-08d681258337 X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0 X-MS-Exchange-Organization-SCL: 9 X-MS-Exchange-Organization-AuthSource: uuc-epost004.user.uu.se X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2142993 X-MS-Exchange-Processed-By-BccFoldering: 15.01.1591.012 MIME-Version: 1.0

I did not send this email. Please tell me the origin of this email, Airmail.

FYI Airmail, here is the origin of the email; but, my problem is how can I stop such emails:

IP: 139.255.66.35 Decimal: 2348761635 Hostname: ln-static-139-255-66-35.link.net.id ASN: 9905 ISP: FirstMedia Organization: Linknet Services: None detected Type: Broadband Assignment: Static IP Blacklist: Continent: Asia Country: Indonesia id flag State/Region: Jakarta City: Jakarta Latitude: -6.1744 (6° 10′ 27.84″ S) Longitude: 106.8294 (106° 49′ 45.84″ E)

Airmail said

You don't. Someone is using your address as a return address and there is nothing you can do. Be selective where you post your personal info. Only provide it where it is needed and never post in a public forum like this one.

I think this is the answer you are having difficulty digesting. To expand on it, the from address not just the return address are spoofed. To place this on a more physical footing. There is nothing to stop me writing a physical letter to you placing your name and address on the back in the from space and your name and address on the front in the to place. It is not even illegal

So in dues course you get an envelope addressed to you in your mailbox ostensibly from you.

Now we move that to the realm of email. Again there is nothing illegal about using an email address that is not yours in the envelope of the email. It might be different if the sender had to hack your account. But they do not.

You appear to be thinking this is something that you should be able to stop. You can not. It is not practical

You could create a filter on the header fieldX-MS-Exchange-Organization-AuthSource: that when the value equals "uuc-epost004.user.uu.se" that the mail be deleted, but there is nothing to say they will continue sending from that exchange server. Once the owner/administrator works out that it has been compromised they will close off the spammer/ hackers access to the server and they will move on to another server somewhere else that they have access to. The mail will then bypass the filter and be back again. In this I assume your problems is commercial emails and not hate mail directed at you personally. Regardless the principles are the same, just personal grudge stuff often does not move source once blocked.

So I suggest you read the entry level information on wikipedia about email address spoofing as this is what it is called. https://en.wikipedia.org/wiki/Email_spoofing

You then should perhaps read about backscatter is that is closely related as it is the result or your address used as the sender, not the recipient. https://en.wikipedia.org/wiki/Backscatter_(email)

If you feel you need more details on the actual protocol I suggest you refer to the RFC that governs the submission of email. https://tools.ietf.org/html/rfc5321 and extensions for DNS https://tools.ietf.org/html/rfc3461

Once you ae up to speed if you have questions we would be happy to refer you to the correct place, like your university mail administrator who apparently is not using appropriate anti spoofing tools like an MX record in the DNS and the use of that when receiving mail (reverse DNS). to determine the sender domain is not an approved Mail exchanger for the email address.

You post your personal email address in a public forum repeatedly even after being advised not to and then complain that someone is using it. Gee, I wonder how the spammer got your personal info? Your students should get their money back.

You clearly do not understand the problem that I posted and it seems that also do not understand how email servers and clients work. Please no more posts on my problem!

Matt said

Airmail said

You don't. Someone is using your address as a return address and there is nothing you can do. Be selective where you post your personal info. Only provide it where it is needed and never post in a public forum like this one.

I think this is the answer you are having difficulty digesting. To expand on it, the from address not just the return address are spoofed. To place this on a more physical footing. There is nothing to stop me writing a physical letter to you placing your name and address on the back in the from space and your name and address on the front in the to place. It is not even illegal

So in dues course you get an envelope addressed to you in your mailbox ostensibly from you.

Now we move that to the realm of email. Again there is nothing illegal about using an email address that is not yours in the envelope of the email. It might be different if the sender had to hack your account. But they do not.

You appear to be thinking this is something that you should be able to stop. You can not. It is not practical

You could create a filter on the header fieldX-MS-Exchange-Organization-AuthSource: that when the value equals "uuc-epost004.user.uu.se" that the mail be deleted, but there is nothing to say they will continue sending from that exchange server. Once the owner/administrator works out that it has been compromised they will close off the spammer/ hackers access to the server and they will move on to another server somewhere else that they have access to. The mail will then bypass the filter and be back again. In this I assume your problems is commercial emails and not hate mail directed at you personally. Regardless the principles are the same, just personal grudge stuff often does not move source once blocked.

So I suggest you read the entry level information on wikipedia about email address spoofing as this is what it is called. https://en.wikipedia.org/wiki/Email_spoofing

You then should perhaps read about backscatter is that is closely related as it is the result or your address used as the sender, not the recipient. https://en.wikipedia.org/wiki/Backscatter_(email)

If you feel you need more details on the actual protocol I suggest you refer to the RFC that governs the submission of email. https://tools.ietf.org/html/rfc5321 and extensions for DNS https://tools.ietf.org/html/rfc3461

Once you ae up to speed if you have questions we would be happy to refer you to the correct place, like your university mail administrator who apparently is not using appropriate anti spoofing tools like an MX record in the DNS and the use of that when receiving mail (reverse DNS). to determine the sender domain is not an approved Mail exchanger for the email address.

First, I am aware of most of the things that you have posted Mat; but the details of emails are certainly not my speciality. I will try to learn something from your posting on my problem. However, your assumption that these are commerical in nature indicates that you have not read and digested all my posts on the problem. These are blackmail and threating emails. Also, when you and Airmail state that one can not stop this, perhaps you just don't know how to stop this.

Its would be very helpful if you could: 1) Tell me how I can return this "spoof" email to the sender. (a possible answer is -- you do not know how.) 2) Send an email to me (vs@it.uu.se) with this email address and only this email address in the From.

Virsto

Have sent you a spoofed email, though dont know whether your email system will block it. Looking at content of previous header you posted I suspect it will reach you as seems to be allowing spam/spoof emails through.

Like you I'm no email expert but what Airmail & Matt is in keeping with my understanding. ie. it is relatively easy to send email to anyone pretending to be from anyone, ie. there is no check at sending end as to authenticity of email contents/addresses etc. Even if it were possible to authenticate the sender, people would just send the malicious emails from hacked email accounts (which they often do anyway)!

Therefore before delivering email to someone the the various servers will check it legitimacy, as is shown in your email header (SPF fail and high spam score for example). Emails that fall foul of particular criteria will not be delivered.

So back to your original question, I also do not believe you can stop the emails being sent but you can stop receiving the email by you (or you email administrator) raising the security threshold that emails have to meet prior to delivery.

virsto said

perhaps you just don't know how to stop this.

Report the matter to the appropriate law enforcement and let them do their job is how you stop it.

Its would be very helpful if you could: 1) Tell me how I can return this "spoof" email to the sender. (a possible answer is -- you do not know how.) 2) Send an email to me (vs@it.uu.se) with this email address and only this email address in the From.

I have no intention on doing either of those things.

There are tutorials on the internet, just google :how to spoof an email address" you will get plenty of educational material. I suggest you use it. I will not be teaching hacking.

The headers of your mail (as posted) suggests it originated at an address in Timor, not jakarta. The internet service provider is in jakarta. See https://www.abuseipdb.com/whois/139.255.66.35

Details on 139.255.66.35 here They also suggest the server at it.uu.se is not correctly configured and therefore encourages spoofing. But the IP address is blacklisted on many blacklists anyway, I would assume it is a malware infested computer that is the source of record, not the true source. But you might have fun communicating with the ISP. I doubt they will be very helpful, but your the one determined to "stop this"

I am now done here. This is no longer a Thunderbird support topic, if it ever was.

Heppi said

Virsto Have sent you a spoofed email, though dont know whether your email system will block it. Looking at content of previous header you posted I suspect it will reach you as seems to be allowing spam/spoof emails through. Like you I'm no email expert but what Airmail & Matt is in keeping with my understanding. i.e. it is relatively easy to send email to anyone pretending to be from anyone, ie. there is no check at sending end as to authenticity of email contents/addresses etc. Even if it were possible to authenticate the sender, people would just send the malicious emails from hacked email accounts (which they often do anyway)! Therefore before delivering email to someone the the various servers will check it legitimacy, as is shown in your email header (SPF fail and high spam score for example). Emails that fall foul of particular criteria will not be delivered. So back to your original question, I also do not believe you can stop the emails being sent but you can stop receiving the email by you (or you email administrator) raising the security threshold that emails have to meet prior to delivery.

No, your attempt to send a "spoof" email did not arrive. But, thanks very much for trying, Heppi.

Airmail has claimed that it is very easy to send a "spoof" email but refused to do it. And of course, Matt seems to know more than I do about the processing of emails but, refused to respond to my requests.

It may be easy to send a "spoof" but, I do not think this is true. If it were, then IMHO there would be many spoof emails. I have been using emails since the late 80's and I have never received an email from someone else (until recently) that had my email address in the From line and in the To line -- Am I just lucky? I don't think so. Matt and Airmail have given their reasons why they will not send me such an email; but, IMHO they do not how to do it, even though Matt tries to explain how it might be done and how my email server support group could perhaps reduce the probability of getting these spoofs. However, he shows no proof that his explanation is correct and my email server group is very careful with emails; esp. email problems of the type I have described. They are responsible for over 40,000 students+faculty+staff. How many "spoofs" have been reported? I will let you contact them for their answer to this question.

Of course this is my opinon and I do have respect for your opinons (Airmail, Matt and Heppi). Forgive me if I offended you --- this was definitely not my intention.

Please indulge me with a little history. When I was working at TRW (Redondo Beach, CA). I was in a meeting with IBM where we were negotiating on a test computer for a NSA communication satelite. We were discussing one of the specifications for the test computer and the head IBM tech representative said "this is impossible". My colleague replied "you mean that you do not know how". The following week we were going over the same project, the same specification with HP and after a short pause the HP team reported "we can do this" and they indeed supplied our group with a modified HP21MX that was able to meet our specifications and it worked perfectly. The message here is that "impossible" in this context really did mean "don't know how". I also believe that this is very important in teaching -- to solve what many agree to be impossible may indeed be possible (e.g. Andrew Wile's solution of Fermat's last theorem). I will no longer bother any of you with my original problem, so Matt you are welcome to close this problem as an unsolved problem --- but not impossible to solve :-)