(Update: The practice is called a “Joe Job.”)
It is common practice among spammers to “spoof” domains, sending their unsolicited messages with forged Reply-To: fields to make email appear to be coming from a source other than the actual sender. Responses to these messages are “returned” to the forged address, and if that address happens to be that of a real person, woe upon him, as every bounced error message and angry reply is directed to his unwitting inbox.
I was such a victim last night, when a spammer sent prescription drug pitches to several AOL accounts using the brownpau.com domain, prepended with various randomized text-string user IDs. Since I forward all unrouted mail to my home address, I was met last night with dozens of “Failed Delivery” messages, each with a different spoofed header. Fortunately my host provides SpamAssassin and a full-featured email cpanel, so I managed to stem the tide and apply the necessary filters and bouncers before the deluge became unbearable.
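The kind of filter described above can be sketched as a triage step for a catch-all mailbox: separate delivery failures addressed to randomized, never-issued addresses from bounces of mail that was really sent. This is an added example, not the filter actually used here; the mailbox names in `REAL_LOCAL_PARTS` and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import getaddresses, parseaddr

DOMAIN = "brownpau.com"                     # domain named in the post
REAL_LOCAL_PARTS = {"mail", "postmaster"}   # assumption: mailboxes actually in use

def looks_like_bounce(msg):
    """True for RFC 3464 delivery reports and older free-form bounce notices."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    return null_sender or sender.startswith(("mailer-daemon@", "postmaster@"))

def forged_targets(msg):
    """Recipients at our domain that do not correspond to a real mailbox."""
    headers = msg.get_all("To", []) + msg.get_all("X-Original-To", [])
    hits = []
    for _name, addr in getaddresses(headers):
        local, _, dom = addr.lower().rpartition("@")
        if dom == DOMAIN and local not in REAL_LOCAL_PARTS:
            hits.append(addr.lower())
    return hits

def classify(raw):
    """Triage one message caught by the domain's catch-all forwarding."""
    msg = email.message_from_string(raw)
    if not looks_like_bounce(msg):
        return "other"
    return "backscatter" if forged_targets(msg) else "real-bounce"

# Constructed sample messages (not taken from the post).
DSN = """Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: {rcpt}
Subject: Failed Delivery
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--b1--
"""
PERSONAL = "From: friend@example.org\nTo: mail@brownpau.com\nSubject: hi\n\nHello\n"
```

Messages classified as `backscatter` can be discarded or quarantined, while `real-bounce` results still reach the inbox so genuine delivery failures are not lost.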
Spammers don’t care who gets hurt in their efforts to destabilize the internet for a buck, so they must be stopped.
More info: “My Short Life as an Unintentional Spammer,” Self-Sending Spam, Slashdot discussion.