- Developer Tools
Kevin "kj" Woolley, January 30, 2006
Every now and then we get a complaint from someone that claims we've been spamming them. The messages do appear to come from a random ActiveState address (usually sjfdklfjs [at] activestate [dot] com or similar), but there is a less obvious side to the...
Every now and then we get a complaint from someone that claims we've been spamming them. The messages do appear to come from a random ActiveState address (usually sjfdklfjs [at] activestate [dot] com or similar), but there is a less obvious side to the story.
Modern e-mail servers (Mail Transport Agents, or MTAs for short) overwhelmingly use a protocol called SMTP, which is short for the Simple Mail Transfer Protocol. SMTP is actually very simple -- indeed, many people will use telnet(1) to connect to port 25 on a mailserver to send a quick e-mail message without setting up a mail client.
One of the places where SMTP is perhaps too simple is its lack of sanity checking in regards to the e-mail address of the sender. While this may have originally served to allow a degree of flexibility for organisations with limited resources and a shared server, it is now something of a problem. Someone could send a message claiming to be from santa [at] northpole [dot] com, and it would take someone with a keen eye and a full copy of the message headers to know better.
Spammers use this property of SMTP to try to cover their tracks when they send spam. They will usually send their messages with a sender address of a non-existent mail account on a domain they do not own. Ideally, the domain in question will have servers powerful enough that the owners of the domain won't notice the increased burden that all of the bounced mail messages and complaints puts on it.
In this day and age of spam filters and whitelists, it also makes sense for them to use a domain in the sender address that is trusted by a lot of people, to make sure more of their spam reaches inboxes, rather than junk mail traps.
ActiveState meets each of these criteria well. We are a technical company with a good on-line presence; we have pretty decent mailservers; and most of all, we're trusted by a lot of people. This makes us a natural target for spammers who are looking for a fake sender address to abuse.
Given the way e-mail works, there isn't a lot we can do to stop someone from spamming and claiming it's coming from us. All we can do is react when it happens.
We would never spam anyone ourselves, because we have far too much to lose. Besides, we sell developer tools, not fake Rolexes or herbal supplements of dubious origin and utility. So when you see a spam message claiming to come from us, just delete it and move on.