Ask Al: Help! My email address is being used in spam! What do I do? (Updated for 2022)

Evan writes, "Hi Al, My email address has just been compromised and now I am receiving hundreds of System Administrator and Mail delivery failure notices sent to my inbox from all those poor people who have received unwanted spam from my address. I noticed your name on the web when I went searching to find out how and if I can stop this happening and was hoping that you might have some ideas other than changing my email address?"

Hey Evan, I'm sorry to hear you're going through that. But don't despair, this soon will pass. In the mean time, here's what you should do.

Change your email password, just to be safe. All throughout history, it's been pretty unlikely that the bounces coming back from spam have anything to do with sending from your actual email account and email system. Do change that password, though, just in case. If a bad guy had your password, this will help to lock them out.

Enable two-factor authentication (also called two-step verification or multi-factor authentication) if your email system supports it. It really helps to make your account secure. It's one of the best possible defenses against bad guys getting access to your account in the future. (They don't usually want access to your account just so they can shovel spam to millions of users-- they typically want it so they can spam your closest friends with a link to install malware and take over their computers. You don't want that to happen to your friends!)

Keep in mind that spammers rotate through faked sending email addresses often. Meaning, the avalanche you might be experiencing today will die down soon. The spammer will soon move on to their next target. Every time my address has been forged in spam, only a few bounces and weird messages came back to me. In the grand scheme of things, your email inbox will survive. And don't respond to any human replies; they will invariably be from people who aren't too savvy about how spam works, and they'll just want to pick a fight with you because they think you're a spammer. There's no reasoning with some people.

There's no need to change your email address. There really isn't such a thing as a blacklist of spammer email addresses out there, so the chances of long term damage to your personal sending reputation is probably nil. Somebody like Yahoo isn't going to block you just because somebody else sent a spam that purported to be from you.

If you can, implement DMARC. If you own your own email domain name, and that's the domain being forged in the spam, it's time for you to implement DMARC! DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance," is an email authentication, policy, and reporting protocol that domain owners can and should use to help make it much harder for bad guys to send mail pretending to be from your domain. Read more about why you should implement DMARC here.

Post a Comment