In this case, my friend (the person experiencing this pain) owns their own domain name. What's happening here is that spammers are forging email addresses at their domain, using them as from addresses for their unwanted, garbage spam runs, so that bounces back from the spam come to them, because the spammer doesn't care about or want to process bounces.
The good news is, as I mentioned all the way back in 2013, is that spammers don't tend to fixate on one domain name or email address forever, so they'll probably move on to annoying somebody else shortly. But there are a few things you can do, as a domain owner, to help minimize the chances of having to receive these unwanted bounces:
- Implement a Sender Policy Framework (SPF) DNS record for your domain name, specifying the IP addresses that are meant to send mail for your domain. Set it to "dash all" -- you want ISPs to know that they should be free to filter mail more harshly if it fails SPF validation checks.
- Implement DKIM for your email sends. Even at the SMB level, most mail platforms provide instructions on how to configure things so that your email sends will all be authenticated via a DKIM signature. If you can't easily do this, SPF is quite likely "good enough" -- but if you can implement DKIM, you should. In some cases it's going to provide more robust email authentication compared to SPF. (I could spend another six pages diving into why I think that's the case, but in the interest of helping you move on with your life, I'll spare you.)
- Implement DMARC. DMARC can be a bit scary in that you have to make sure all of the email you send legitimately is authenticated with SPF or DKIM. But, especially at the SMB level, you can do this. It's not hard, and don't let yourself be scared -- there are tools (like the colorful Mail Tester) that will help you test your email authentication settings to make sure you've got it right. But the key here is that enabling DMARC, with a restrictive policy like p=reject, tells ISPs to block mail that purports to be from you, but doesn't pass SPF or DKIM. You don't HAVE to work with a DMARC monitoring partner to enable DMARC -- you can publish a TXT record for _dmarc.(your domain) that contains nothing more than "v=DMARC1; p=reject;" (without quotes) and that'd do it.
DMARC is the key there. Turning that on means your domain name is no longer going to be useful to deliver spam to ISPs (like Gmail) that will block mail that fail DMARC. It makes your domain name much less palatable as an unauthorized spam sending domain.
Bonus tip: If you own your own domain name and use it for email with something like Google Workspace, there's another setting you should look for and configure: The wildcard or catch-all email setting. It can be handy (and quite useful) to configure your email service to accept mail to any address at your domain -- for example, it can be used to create custom email addresses for different registration forms -- give irs@yourdomain to your accountant and bestbuy@yourdomain to the electronics retailer, so you can track usage and/or turn off an address later, if you want. Unfortunately, if you leave "catch-all" forwarding on, that means if a spammer makes up the address ihateyourguts@yourdomain and sends a bunch of spam, those bounces are going to come back to the "ihateyourguts" address and end up in your inbox. If you turn off the catch-all, that puts a stop to that. I know, it's a bummer to turn off the easy custom address ability, but it's something to consider -- weigh the plusses and minuses of being able to receive mail at any address at your domain, versus the unintended side effects of receiving unwanted "backscatter" bounces.
I helped my friend implement all of these -- including disabling "catch-all" email forwarding (while helping them build a manual list of email aliases to continue forwarding to their main inbox) -- and we think it helped. It's not like we did a scientific study, but the bounces dropped off and disappeared pretty quickly. I think the spammers moved on to greener pastures.
If you're new to all of this and wondering what SPF, DKIM and DMARC DNS records look like, here are the ones for spamresource.com: SPF, DKIM, DMARC. The SPF record contains the IP addresses of a couple of servers I own as well as an include showing that I utilize Google Workspace. The DKIM record (called a DKIM public key) is a DNS string provided by Google Workspace's DKIM configuration tool, and the DMARC record is just a very simple "tell ISPs to reject it if it doesn't pass authentication."