Evan writes, "Hi Al, My email address has just been compromised and now I am receiving hundreds of System Administrator and Mail delivery failure notices sent to my inbox from all those poor people who have received unwanted spam from my address. I noticed your name on the web when I went searching to find out how and if I can stop this happening and was hoping that you might have some ideas other than changing my email address?"
Hey Evan, I'm sorry to hear you're going through that. But don't despair, this soon will pass. In the mean time, here's what you should do.
Change your email password, just to be safe. All throughout history, it's been pretty unlikely that the bounces coming back from spam have anything to do with sending from your actual email account and email system. Do change that password, though, just in case. If a bad guy had your password, this will help to lock them out.
Enable two-factor authentication (also called two-step verification) if your email system supports it. It really helps to make your account secure. It's one of the best possible defenses against bad guys getting access to your account in the future. (They don't usually want access to your account just so they can shovel spam to millions of users-- they typically want it so they can spam your closest friends with a link to install malware and take over their computers. You don't want that to happen to your friends!)
Keep in mind that spammers rotate through faked sending email addresses often. Meaning, the avalanche you might be experiencing today will die down soon. The spammer will soon move on to their next target. Every time my address has been forged in spam, only a few bounces and weird messages came back to me. In the grand scheme of things, your email inbox will survive. And don't respond to any human replies; they will invariably be from people who aren't too savvy about how spam works, and they'll just want to pick a fight with you because they think you're a spammer. There's no reasoning with some people.
There's no need to change your email address. There really isn't such a thing as a blacklist of spammer email addresses out there, so the chances of long term damage to your personal sending reputation is probably nil. Somebody like Yahoo isn't going to block you just because somebody else sent a spam that purported to be from you.
If this mailbox is on a system you manage yourself, set up SPF (Sender Policy Framework) authentication so that you can tell ISPs which IP addresses legitimately send mail on your behalf. Some systems are smart enough to not send bounces back to you if they know that the true source of the mail (the spammer) isn't legitimately allowed to send mail using your domain name. And if you make it easier for ISPs to know that the mail you send is legitimately from your domain, you make it easier for them to more closely scrutinize (and then filter out) illegitimate mail.
September 2014: The Month in Email
15 hours ago