Chances are you have been directed here for one of the following reasons.
You are receiving mail that has a header that looks like it was from SquirrelMail.
You are receiving MAILER-DAEMON errors reporting users don't exist, quoting headers showing SquirrelMail.
You are an ISP investigating spam levels.
If either of the above applies, chances are you have been caught in the latest
attempts at spam to fool anti-spam measures. A lot of spam has forged headers.
This means that they take pretend values, and substitute them to ill effect.
For example, replacing the from address with your email address (or a made up
address). This can also apply to the other headers as well. This is leading to
cases of SquirrelMail being accused of sending spam, or our servers being
hacked. Rest assured -- our servers are safe. In actual fact, we don't run any
servers at SquirrelMail.org. We do not even run mail services here, just
supplying our own software on a hosted service from
So you may be wondering why all this mail is coming from us? Well to be honest
it isn't. Some people have developed software that pretends to be our software,
and is producing a lot of noise on the Internet containing such information.
This is leading people to think our software is unsafe, or is acting as a spam
So why am I getting these emails?
Well the truth of the matter is that somebody guessed your email. This isn't
uncommon if you have email addresses like email@example.com. The spammers just
randomly pick domains, and randomly generate emails from that domain to send
mail from. All we can suggest is you delete them, or contact the correct
authorities (usually your service provider should be able to help).
So what are you doing to stop this?
Unfortunately there isn't much we can do. Because spam is such a problem on the
Internet, the best thing we can do is educate people into the real facts. Below
are some basic ideas on how to detect where these forged emails are coming from.
While this isn't easy for most people, it gets easier with practice. There is
always your service provider, they should be able to help you.
Okay, so what is the secret? How do I find out who is doing this?
Honestly, you cannot find out the exact person that is sending it, but you can
find out what the address (IP Address), and what service provider the mail was
sent via. Below is an example of the headers from a forged email:
Received: from [18.104.22.168] (helo=randomdomainname.com)
by example.com with smtp (Exim 3.36 #5)
for firstname.lastname@example.org; Tue, 15 Feb 2005 14:47:42 +0000
Received: from 22.214.171.124
(SquirrelMail authenticated user email@example.com); by
randomdomainname.com with HTTP; Tue, 15 Feb 2005 14:47:49 +0000
Date: Tue, 15 Feb 2005 14:47:49 +0000
Subject: New software from Adobe available.
From: "Terence" <firstname.lastname@example.org>
Content-Type: text/html; charset=iso-8859-1
X-Priority: 3 (Normal)
This looks like the headers of some ordinary email, even down to the
SquirrelMail versions. However there are a couple of mistakes. The first being
it really wasn't sent from SquirrelMail by a user email@example.com. To trace the
source of an email, you start at the bottom Received: line, and work upwards. In
this case, it says the email was sent from the IP 126.96.36.199 using the SquirrelMail
account firstname.lastname@example.org on the domain randomdomainname.com. When SquirrelMail
really writes these headers, the randomdomainname.com is the actual web server
address. The first thing to do is verify if this is in fact a real SquirrelMail
email. The quickest way is to validate the domain name. Using
InterNic it is possible to
lookup domain name information. In this case, randomdomainname.com doesn't
exist, so we already know that this line could be faked.
Assuming that line is faked, we move to the next one. This shows the IP address
188.8.131.52 connecting to example.com. For the sakes of example, example.com
is the actual address of the mail server for our domain. This shows that the IP
address 184.108.40.206 connected to our mail server to deliver the mail. This
is the most important line. Using
GeekTools, we can find out where the IP address belongs, which service
provider is the owner of the IP, and in most cases, who to contact in case of
abuse. In this example, we'll say the owner is homeagainisp.com, and they have
an abuse contact email. At which point, you can forward your email as an
attachment to the listed email address for the abuse contact. For clarity, and
to save them the confusion of what you went through, reference this URL too, so
they can have a clue what is really going on.
For another clue on the message being forged, view the Message-Id: header. In
this case it is <6pr9Lv.email@example.com>. This is not a valid SquirrelMail
Message-Id. A valid Message-Id header looks something like this:
This is another easy way to spot a forged message.
We do hope to stop this barrage of spam, unfortunately it is difficult to do,
and miss-identification doesn't help. This page was created in the hopes of
educating everybody into the background of this spam issue, and we hope it
There are mistakes, or I have suggestions, where can I send them?
"This image has been removed for security reasons."
There are two kinds of images that come with your HTML e-mail: the ones that
come attached with the e-mail itself, and others that link to remote sites.
Images that are linked to remote sites are considered "unsafe" for the
Spammers can abuse this to validate your e-mail address
The sender can know instantly if you have read their e-mail or not (privacy concern)
Finding out information about your browser, operating system, and your mailserver (security concern).
Let's look at these issues in more detail:
Validating your e-mail address
Spammers can (and do) include specially-crafted image tags that include a "web
bug" (usually a 1 pixel transparant image) used to validate that your e-mail
address is a live one and that you actually read e-mail sent to this address.
When such image is loaded, a request is sent to the spammer's server and it
notes in its database of e-mail addresses that you have, in fact, received and
read the spam e-mail they sent. Such addresses are re-sold to other spammers
and the amount of spam you will receive is going to grow exponentially.
Verifying that you have read your e-mail
This issue is a privacy concern - if there are images in the e-mail that link
to the sender's website, they will know instantly when you have opened and read
the e-mail they sent. This can be used against you if for some reason you
decide to deny ever receiving that e-mail from the sender - they will have
proof that you have received, opened, and read that e-mail.
Finding out information about you
Every time an image is loaded off the remote server, it leaves a "log" message
about what type of system you are using, including the version of your browser,
your internet IP address, as well as information about your mail server and the
software running on it. This information can be used to carry out attacks on
your computer or the server where SquirrelMail runs.
Images in email can also be used to auto-execute cross-site scripting code in a
attempt to trick your browser into revealing your account information to
crackers with malicious intent.
For these reasons SquirrelMail does not display these "unsafe" images by
default, but instead shows you a warning sign. A link is provided to show
the images for that particular mail. If you know that the e-mail came
from a trustworthy source, you can use the Unsafe Image Rules plugin to always
images from that source.