Ask Al: Help! My email address is being used in spam! What do I do?

Evan writes, "Hi Al, My email address has just been compromised and now I am receiving hundreds of System Administrator and Mail delivery failure notices sent to my inbox from all those poor people who have received unwanted spam from my address. I noticed your name on the web when I went searching to find out how and if I can stop this happening and was hoping that you might have some ideas other than changing my email address?"

Hey Evan, I'm sorry to hear you're going through that. But don't despair, this soon will pass. In the mean time, here's what you should do.

Change your email password, just to be safe. All throughout history, it's been pretty unlikely that the bounces coming back from spam have anything to do with sending from your actual email account and email system. Do change that password, though, just in case. If a bad guy had your password, this will help to lock them out.

Enable two-factor authentication (also called two-step verification) if your email system supports it. It really helps to make your account secure. It's one of the best possible defenses against bad guys getting access to your account in the future. (They don't usually want access to your account just so they can shovel spam to millions of users-- they typically want it so they can spam your closest friends with a link to install malware and take over their computers. You don't want that to happen to your friends!)

Keep in mind that spammers rotate through faked sending email addresses often. Meaning, the avalanche you might be experiencing today will die down soon. The spammer will soon move on to their next target. Every time my address has been forged in spam, only a few bounces and weird messages came back to me. In the grand scheme of things, your email inbox will survive. And don't respond to any human replies; they will invariably be from people who aren't too savvy about how spam works, and they'll just want to pick a fight with you because they think you're a spammer. There's no reasoning with some people.

There's no need to change your email address. There really isn't such a thing as a blacklist of spammer email addresses out there, so the chances of long term damage to your personal sending reputation is probably nil. Somebody like Yahoo isn't going to block you just because somebody else sent a spam that purported to be from you.

If this mailbox is on a system you manage yourself, set up SPF (Sender Policy Framework) authentication so that you can tell ISPs which IP addresses legitimately send mail on your behalf. Some systems are smart enough to not send bounces back to you if they know that the true source of the mail (the spammer) isn't legitimately allowed to send mail using your domain name. And if you make it easier for ISPs to know that the mail you send is legitimately from your domain, you make it easier for them to more closely scrutinize (and then filter out) illegitimate mail.


  1. Hi,

    as I am really not in favour of this broken SPF "standard" (DKIM is much preferred), I want to propose another option for someone plagued by bounces for messages that he did never send:

    Add a cryptographic "x-Bounce-key" or similar header to all email you sent.

    If a bounce comes in, check the header key in the SMTP stage, and if it is missing or invalid, refuse the email with a clear error message such as "550 Invalid Bounce Key: You either stripped the original message headers or this email NEVER originated from here. BOUNCE REJECTED. Read:

    That prevents 100% of all bounces for forged messages plus it has the benefit of filtering some spam as well. And as of making email forgeries transparent, DKIM will do that without the headaches of SPF/SRS.


  2. I'm not a fan for introducing something new. I believe this would false positive, based on the number of strange NDRs I've seen out there in the world.

    I think it's insulting to call SPF broken. I think SPF works just fine. There are some things it does and some other things it doesn't do. Like with many things.


Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.