You’ve got an e-mail address, and you’ve got friends. So far, so good.

Then one day, you get an e-mail from Debbie telling you that your e-mail account has been hacked. She got a spam message that appeared to come from you!

Johnny got one, too.

Sweet mother of mercy, it must be the end of the world! Your e-mail’s been hacked! Maybe your puter’s been hacked!

Not so fast…

This topic has come up so many times that it’s a miracle I never thought to write anything about it before now!

Better late than never, I guess.

E-mail is really, really mushy

The simple fact is that e-mail is not very secure at all. The only relatively safe way to do e-mail is if you’re using PGP or some other type of end-to-end encryption that works like so:

  1. Sender’s puter encrypts message and shoots it off to you
  2. Sender’s message travels through the internets, but no one can read it because the message is encrypted
  3. Your puter receives Sender’s message, and is able to decrypt it

This kind of security isn’t built-in to e-mail; it’s one of those “techie add-on” things, so most people don’t use it.

Without end-to-end encryption – which most people aren’t using – e-mail is like putting a mouse in a prison cell and ignoring the fact that the mouse can easily walk right out between the bars… while simultaneously declaring,

“Oh yeah, that mouse is locked up. Ain’t no way he’s getting out! Maximum security, baby!”

Well, no. Mind you, other mice can also wander right in. The original mouse in the jail cell might be replaced by one of his friends every 5 minutes.

Alphabet Soup agencies LOVE e-mail specifically because everyone thinks it’s so secure, and the agencies have no trouble at all reading anything they want.

Spammers are smarter than you (in an evil way)

So, back to our story of you, Johnny, and Debbie.

Keep in mind that one of the things spammers love to do is steal address books.

Johnny’s got your e-mail addy, and Debbie’s addy. Debbie has your address and Johnny’s address. And your address book has both Debbie and Johnny in it.

Now, if any of those address books is stolen, the spammer knows that you, Debbie, and Johnny know each other.

But let’s say that Johnny’s address book is stolen because either his e-mail account or his puter are compromised by malware or whatever.

Great. So now the spammer will just send spam from Johnny, right?


The spammer is clever in a diabolical way: He doesn’t want anyone to realize that their account has been compromised.  Sending a bunch of e-mail that either comes from Johnny or appears to come from Johnny would give that away.

So what does Evil Spammer do?

He sends mail from you to Debbie (and anyone else in Johnny’s address book).

You think you’ve been hacked, but you haven’t been. You madly run around, wasting all kinds of time and energy.

Worse yet, Johnny does nothing. He doesn’t even check his puter, or change his e-mail password – nothing! And so his account remains compromised.

Next, the spammer might send mail from Debbie to everyone. Rinse, and repeat.

From: doesn’t mean From:

To make matters worse, note that I said the spammer could either send spam messages from Johnny’s account, or make it appear that they come from Johnny’s account.

Now, the second option should be “impossible”, but it relies on system administrators configuring their e-mail servers correctly. Easier said than done, even for a large e-mail provider (read Why Yahoo is Rejecting Your Mail).

Of all the major e-mail providers I’ve ever used, Gmail gets it the most “right”.

Naturally, you might ask why a spammer would falsify an e-mail from Johnny (or anyone else). That’s riskier in terms of poor deliverability, right?

Sure! But the point of spamming is NOT getting messages delivered. The point of spamming is to fool people, spread malware, and other nasty things.

Spammers are like Amazon: they rely on volume. They can send 1 million e-mails in no time. If only 100 people fall for it, that’s a success – even if half of those 1 million e-mails are flat out rejected by other mail servers and never make it to someone’s inbox!

Crazy, right?

Yup, it is.

But at least now you know how just one small part of spamming works.

So next time somebody tells you that you’ve been hacked, take them seriously. Run a scan on your puter, change your passwords, etc. It’s good practice to do those kinds of preventative measures regularly, anyway.

If you don’t find any problems, carry on – and don’t fret!

Get Scottie Stuff!