1.0 If you get an e-mail returned (bounced back) that you didn't send, don't worry about it, but do run a couple of checks on your computer security.

(If you get an e-mail complaining you sent someone a virus, you can follow these same steps.)

Usually there is an infected computer somewhere that contains both your e-mail address and the destination e-mail address. (For example, the infected computer might belong to a mutual friend or to a company you both deal with.)

The malware (virus or trojan) on the infected computer scanned that computer for e-mail addresses. It picked one e-mail address to be the fake sender and sent copies of itself to the other e-mail addresses.

The malware didn't use the real e-mail address of the computer's owner because any undeliverable e-mail that bounced back would tip the infected computer's owner that he had a problem.

The other common possibility is that a spammer sent spam and, accidentally or intentionally, used your e-mail address in the "sent from" field. Normally this is a one-time occurrence, although you might see bounces for a couple of days.

Either way, it is unlikely your computer sent the e-mail.

Just to be sure you don't have a problem, follow these 2 steps:

1.1 Make sure the anti-virus software on your computer is up-to-date and run a full scan of your computer.

1.2 For a second opinion, run one or two of the web-based anti-virus scans listed here:
/faq/9721#scan

1.3 If your ISP abuse department contacts you, which rarely ever happens, telephone them back (look up their number in a phone book or on a bill, so know you aren't being set up for a scam). Ask them to e-mail you the e-mail headers that prove you sent the e-mail. You can post those headers in the anti-spam forum, asking for advice:
/forum/scambusters
(If you want help, only disguise the actual e-mail addresses, not the IP addresses, times or website addresses (URLs).)


2.0 If you get e-mail that is infected with a virus, it is highly unlikely that it was sent by the e-mail address indicated as the sent-by address. The reasons are the same as described above.

You might be able to determine the ISP or the mail server of the infected computer by examining the internal e-mail headers. You would forward the e-mail, including all of the headers, to that ISP asking them to let the owner of the infected computer know they are infected.


3.0 Recommended steps you can take to secure your computer.

There is more on disinfecting computers here:
/faq/8428

There is more on e-mail safety and security here:
/faq/9173

There is more on securing computers here:
/faq/8463

If you have a computer security question, a question about disinfection or would like to make an observation, feel free to post here:
/forum/security

Symantec's bulletin on this.


4. How to analyze e-mail headers.

You can try to locate the Internet Service Provider of the source of the original e-mail, if you have the headers of the original e-mail. How to find the source of e-mail.

How to get your e-mail program to reveal the full e-mail headers. You will need the headers from the original e-mail, not the bounced e-mail.

Click here for a tool for finding source of e-mail. Note: If you believe the e-mail is from a virus, you can give Spamcop.net the e-mail headers to decode ("process spam"), but do not proceed to the second step of "submitting" a complaint through spamcop.

If you believe the e-mail is from a virus, instead submit the complaint in a polite personal e-mail to the contact address spamcop.net provided in its analysis. State that their customer seems to have an infected computer. Paste the original e-mail with all of the headers and the spamcop analysis near the bottom of the e-mail.

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by keith2468 edited by JMGullett
last modified: 2007-06-14 15:50:46