I run a small business with a website and a catch-all email address. I keep getting emails headed Mail Failure Notification addressed to postmaster@(my web address). It looks like someone is sending spam and pretending it is from me, but these messages are not going out through my mail system. How can they do this and how do I stop it?
Dr Jim Speakman
You can't. It's very easy to forge the From and Reply-To address in emails, and many companies simply bounce rejected and undeliverable messages to these addresses, even though everybody knows it's not where they originated. There have been attempts at patching this defect in the internet email system, and the leading example is SPF (Sender Policy Framework).
With SPF, you publish a record that states explicitly that, for example, "XYZ only sends email from IP address 123.45.678.90 and the mailservers at xyz.co.uk" and so on. A service provider that uses SPF, such as AOL, can check incoming emails, and if they didn't originate from the stated places, discard them as forgeries. SPF is not in widespread use, but it probably does have enough users to reduce the volume of forged email.
Full details of how to set up SPF are published on the Open SPF website at www.openspf.org. If you control your own domain, the site has a wizard that will enable you to publish an SPF record. If not, you can contact your ISP and encourage it to start using SPF.
So while you cannot stop people from forging your address, you can reduce the amount of forged email that is delivered.
You could also consider changing your catch-all email address. A catch-all address is useful if your name, or your business name, is often misspelled, because it will accept all email sent to your domain name (anything@xyz.co.uk). You can change this and only accept email sent to specific addresses (jim@xyz.co.uk, sales@xyz.co.uk and so on). You can then reject emails sent to unspecified addresses at the server. However, your domain should have working postmaster and abuse accounts.
Finally, you can improve your spam defences by getting your mail from a server running SpamAssassin, or routing your email via a cleaning service that uses SpamAssassin. Spam Interceptor is a web-based option. If you have to do your own filtering, try Post Armor, which being Java is cross-platform, or MailWasher Pro for PCs. These can delete unwanted mail on the server, without downloading it. Both have free versions.
Web extra: It's also worth reading a blog post by Jeremy Zawodny on Using Gmail as My Spam Filter.