If your inbox is suddenly full of bounce notifications for messages you never sent, or contacts are telling you they received spam from your address, two very different things may be happening. Someone may have compromised your account and is sending mail through it, or someone may be spoofing your address from another server. This article explains how to tell the difference and what to do in each case.
Spoofing vs. compromise: the key difference
Both scenarios look similar from your inbox, but the response is completely different.
| Scenario | What is happening | What it means |
|---|---|---|
| Compromise | An attacker has your password and is sending mail through your account using the real Exact Hosting outbound servers. | Your credentials, computer, or both are at risk. You must change your password and scan for malware. |
| Spoofing | An attacker is forging your address in the From field of mail they send from their own server. They do not have access to your account. | Your account is safe. There is little you can do beyond waiting it out, but you should still review your security practices. |
Step 1: Check the headers of a bounce or sample message
Open one of the bounce notifications or sample messages and view the full headers. See Viewing Email Message Headers for how to retrieve them in your client.
Look for a Received line that looks similar to this:
Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])
    (Authenticated sender: sender@senderdomain.com)
    by mail.exacthosting.com (Postfix) with ESMTPA;
    Fri, 4 Jul 2014 19:28:23 +0000 (UTC)
Warning: If you see Authenticated sender followed by your own email address on a line added by an Exact Hosting server, the message really was sent from your account. Your account is compromised. Go to Step 2.
If there is no Authenticated sender line for your address, or the message was sent from a server that is not yours, you are being spoofed. Go to Step 3.
Tip: If you are not comfortable reading headers, forward the original message and a sample bounce to Exact Hosting Support. We can confirm which scenario you're in.
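The Step 1 check, written out as a small script (an added example, not part of the original article or Exact Hosting's tooling): it walks every Received header of the original message (in a bounce, that is usually the attached copy, not the bounce itself) and reports "compromise" only when an Authenticated sender line for your address appears on a hop added by one of your provider's outbound servers. The sample messages, the address you@example.com and the list of provider hostnames are constructed assumptions; mail.exacthosting.com is taken from the header shown above.

```python
import email

# Assumption: the outbound hosts your provider stamps into Received headers.
# Only a hop "by" one of these hosts counts; a spammer can forge an
# "Authenticated sender" line in earlier hops they control.
OUR_SERVERS = ("mail.exacthosting.com",)

# Constructed sample: message really sent through the account (compromise).
COMPROMISED_SAMPLE = """\
Received: from [11.22.33.44] (11.22.33.44.servername.com [11.22.33.44])
    (Authenticated sender: you@example.com)
    by mail.exacthosting.com (Postfix) with ESMTPA;
    Fri, 4 Jul 2014 19:28:23 +0000 (UTC)
From: you@example.com
To: victim@example.net
Subject: test

body
"""

# Constructed sample: From address forged on a server that is not ours (spoofing).
SPOOFED_SAMPLE = """\
Received: from unknown (HELO spammer.invalid) (198.51.100.7)
    by mx.example.net with SMTP; Fri, 4 Jul 2014 19:28:23 +0000
From: you@example.com
To: victim@example.net
Subject: test

body
"""


def classify(raw_message: str, my_address: str) -> str:
    """Return 'compromise' or 'spoofing' by applying the header test from Step 1."""
    msg = email.message_from_string(raw_message)
    wanted = f"(authenticated sender: {my_address})".lower()
    for received in msg.get_all("Received", []):
        # Unfold the multi-line header so the comparison is whitespace-insensitive.
        hop = " ".join(received.split())
        authed_as_me = wanted in hop.lower()
        via_our_server = any(f"by {host}" in hop.lower() for host in OUR_SERVERS)
        if authed_as_me and via_our_server:
            return "compromise"
    # No hop added by our server authenticated as this address.
    return "spoofing"


if __name__ == "__main__":
    print(classify(COMPROMISED_SAMPLE, "you@example.com"))
    print(classify(SPOOFED_SAMPLE, "you@example.com"))
```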
Step 2: If your account is compromised
Move quickly. The attacker can keep sending until you cut them off.
- Run a full antivirus and anti-malware scan on every device that uses the account. A compromise often starts with malware on your computer.
- Change your email password to a new, unique, strong password. Use a password manager if possible. Changing the password disconnects any active session the attacker has.
- Sign out of all sessions and apps. Sign back in on mobile devices and mail clients with the new password.
- Review your account for unauthorized changes. Check for new forwarding rules, autoresponders, or aliases the attacker may have added.
- Notify your contacts. Let them know about any suspicious mail they may have received from your address.
Warning: Do not change your password from a device you suspect is infected. Clean the device first, or use a known-clean device to change the password.
Step 3: If you are being spoofed
Spoofing is harder to stop because the attacker is not using your account at all. They are forging your address from somewhere else on the internet. There is no way to fully prevent it, but you can reduce the impact.
- Set up SPF, DKIM, and DMARC. These DNS records tell receiving servers which servers may send mail for your domain and what to do with mail that fails the check, so forged mail is more likely to be rejected. See Setting Up SPF Records for Exact Hosting Email and Understanding Gmail, Microsoft, and Yahoo DMARC Requirements for Hosted Email.
- Create a temporary filter for bounce notifications. Most spoofing campaigns last a week or two. A filter that moves bounce messages to a folder keeps your inbox usable.
- Avoid posting your address publicly. Use an obfuscated form, such as name (at) example (dot) com, or a contact form instead.
- Consider a throwaway address for low-trust signups. Use a free secondary address for mailing lists, contests, and forms; reserve your primary address for trusted contacts.
- Investigate the source IP. Bounce messages sometimes contain the originating IP. You can report it to the responsible ISP, but the spammer can move to another address quickly.
How spammers find your address
Spammers harvest addresses from many places:
- Website contact pages. Public addresses are scraped continuously.
- Domain WHOIS records. Use WHOIS privacy whenever your registrar offers it.
- Mailing lists. Some are legitimate; others sell or leak addresses.
- Forum posts and social media. Any address posted online is at risk.
- Compromised contacts. A friend's infected device can leak their entire address book.
Ongoing email security practices
- Change your password regularly, and always after any suspected compromise.
- Scan your devices for malware regularly. Once a week is a reasonable cadence.
- Limit where you publish your primary address. Use a secondary address for sites that don't need your real one.
- Use a strong, unique password. Don't reuse passwords across services.
- Keep software up to date: operating system, browser, mail client, and security tools.
Next steps
- Retrieve and read the message headers. See Viewing Email Message Headers and Understanding Email Headers.
- Block future spoofing. See Setting Up SPF Records for Exact Hosting Email and Understanding Gmail, Microsoft, and Yahoo DMARC Requirements for Hosted Email.
- Improve deliverability after cleanup. See Exact Hosting Email Deliverability Best Practices.
Questions? Contact Exact Hosting Support.