How Two Web Entrepreneurs
Handled Their E-Mail Identity Theft Problem

"Someone stole my e-mail address and the problem escalated to the point where I was getting dozens of returned e-mail messages apparently sent from my URL," writes Nora Creeach (now retired from the Web). "I was working with a lot of kid crafts and maintaining a child friendly site at the time, so the X-rated messages were particularly disturbing to me.

"I notified my ISP and my site host and we were able to trace the sender back through a number of fake e-mail addresses that ended in Russia (not able to trace past that). Notifying the ISP and my Web host (including copies of the returned e-mail, with extended headers), prevented my site and e-mail privileges from being terminated. In notifying your ISP, look for an address that will be looked at by a human. If the humans responsible for the site (ISP) of the returned mail know of the problem and the steps taken to stop it, there is less likelihood that your domain will be put on the banned or bounce list.

"I also called the local police and made an identity theft report, but was advised there was nothing they could do except put my report on file in case there were any repercussions. My next move was to place a message on my home page stating that I do not send spam and actively fight it, but that my name was being used by someone else. I posted to all the lists I could, explained what was happening, and asked that they forward any messages they received (with the extended headers) to me so we could stop the abuse. It took almost a month of several hours a day to stop the porn and greatly reduce the spam. I wouldn't bother for the occasional spam message, but the flood of porn meant I needed to be more aggressive. I continued to monitor this problem. Once in a while, I'd get an e-mail return with my domain name, and when this happened, I immediately reported this unauthorized use of my name or domain to my ISP."

I asked Nora what good it did to report e-mail identity theft to the police if there was nothing they could do about it. "This will be helpful in stopping pornographers from using your e-mail identity" she explained. "If you can track down the individual who has stolen your e-mail identity, it carries considerable weight if you e-mail them back saying you have reported them to the police. Since pornographers do everything possible to avoid the police, my telling them that the police now have a file on them has been enough to stop some them from using my name."

Since robots and spiders routinely search the Web for e-mail addresses, Web site owners need to take steps to protect the addresses used on their sites. Some website owners show their email address as a graphic image, which people can read and hand-type into their email client. For other methods you can try, see How to Make Your E-Mail Address Invisible to Spam Bots.

"I was the victim of e-mail forgery about a year and a half ago," writes Jeanne Baratta. "Overnight my inbox was flooded with returned-emails that looked as if they were coming from my Web site–emails with revolting sexual subjects advertising pornographic sites. I was completely flabbergasted by this and the fact that people--maybe even some I know–were receiving this mail and thinking it was coming from me! At one point, I was receiving at least 300 undeliverable messages each day, so I could only imagine how many were being delivered!. However, I only received one complaint from a lady who wrote to me telling me to stop sending her porn. I sent her a long apology explaining my situation and assuring her it was not me. I even offered her a discount at my Web site. She was very sweet and thanked me for explaining the situation.

"My ISP (MSN) gave me no help in this matter whatsoever. They merely told me that ‘email spoofing’ was fairly common and simple to do. Initially concerned that my passwords had been stolen, I was assured that passwords were not necessary to spoof someone's email. I next went to the Professional Crafters Mailing List for help, and one of the list members, who called himself a 'white hat hacker' (someone who hacks only for the good of others), came to my rescue. I forwarded a bunch of the ‘filth’ to this fellow, and he was able to pinpoint the ISP and IP address of the perpetrator. He instructed me to send all the returned emails to my ISP with a letter explaining the spoofing. After doing this, I immediately received a letter from MSN stating that the person would be banned from their service.

"I didn’t file a report with my local police, but I did file a report with the FBI Internet crimes division. I filled out a lengthy report, chronologically listing all events, contacts and email addresses, attaching copies of all correspondence and files. I did receive a timely reply from the FBI saying that my report was received and being investigated. After about a month things went back to normal as far as my email was concerned, and I never heard anything else from the FBI."

Not content with the action she had taken, Jeanne did one other thing she later admitted was dumb on her part. Armed with the IP address of the email sender, she easily found the name, address and telephone number of the person who was illegally using her email address. "Don't ask what I was thinking--I am still not quite sure what possessed me to do this--but I called this person," she said. "I’m not sure what I expected to accomplish, but I felt a little better after confronting him. I will spare you the details of our conversation, but I decided to hang up (read: came to my senses), when he started calling me some nasty names."

Confronting such people in person is not a good idea. If you can find them, they can also find you and, when they do, they might do something far worse than spoofing your email address.