My mailbox is flooded with bounces from MAILER-DAEMON, help!
Problem: Your inbox has filled, or is filling, with hundreds or thousands
of "bounce" messages from MAILER-DAEMON, Postmaster, System Administrator, etc. If you examine
the original messages, which are sometimes contained within (or attached to) the bounce, they
are spam, and you didn't send them, and you've never heard of the people they were addressed
to. Nonetheless, the original messages list someone at your domain in their FROM fields,
although you've never heard of that person either (example: ABCreallyXYZ@yourdomain.com).
The bounce messages are addressed to this person.
Note: if the address being used is an address you actually use, rather than the randomised
address used in the example above, see the final note at the end.
Solution: filter all inbound mail addressed to ABCreallyXYZ@yourdomain.com to the trashcan
Alternative solution I: create a redirect for ABCreallyXYZ@yourdomain.com, send it to /dev/null
Alternative solution II: block your catch-all mailbox
Background: What's happening here is a spammer is sending
spam using the address ABCreallyXYZ@yourdomain.com in his FROM field. He's forging his "mail header" so that it
seems the spam comes from your domain. He does this because the address ABCreallyXYZ@yourdomain.com
is not on any anti-spam blacklists; he knows this because he made it up. If the address is not blacklisted
there's more chance his spam will be delivered.
A side-effect of this is that you get the bounces, that is, the non-delivery reports (NDRs)
issued by the servers he delivered his spam to. He either used a bad address, or was blocked,
or for some other reason, delivery failed. These servers cannot tell that he forged his
header, and so they treat his message the same as any other message that cannot be delivered -
they send an NDR back to the sender. Since he's used your domain name to send the mail, the
NDRs are sent to you.
Finally, you see mail for ABCreallyXYZ@yourdomain.com because you're looking at your catch-all
mailbox.
Note: he's not trying to spam you, and probably isn't trying to attack you (although an
attack by this method is not unknown, see joe-job). He's just using your address for his
convenience. Also note that all you're seeing is the bounces, there are likely to be at
least the same number of messages that were delivered successfully - you don't see those
at all. And note that he probably won't keep forging mail in your name for long. This is
because the more he does it, the more the address he's using gets blacklisted, and thus
the less effective the spam becomes. So he'll move on soon enough.
The bounces you're seeing are collectively known as backscatter - they are fallout
from the interactions of two or more third parties. No action on your part is required
to be used in this way, and your domain name was probably selected randomly.
Solution details: Of the solutions presented, the first is the simplest to implement, as it can be done
using your email software (eg. Outlook Express). However it does mean you must download
the mails just to delete them, which is a waste of your resources. If the
spammer persists, you can nuke him with the first alternative solution, although you'll
need to access your hosting's control panel and create a redirect, and/or
contact your ISP for assistance. The third solution (blocking the catch-all mailbox) is quite drastic,
and has consequences which should be considered first. However this solution will work no matter what
address the spammer picks. The other two solutions will only work for the specific address
he's using right now; the next time this happens, using either of the first two solutions,
you'll need to make another rule or redirect. However this may not happen again for a while.
The third solution also requires accessing your hosting's control panel and/or contacting your ISP.
Other notes:
- You may not be able to create a redirect to /dev/null. Contact your ISP for assistance in this case.
Do not create a mailbox instead. This will cause the bounce messages to accumulate on your server, eating
your disk space and disk quota. The mailbox will eventually overflow, and cause NDRs to be sent to the server which
originally sent you the NDR, thus perpetuating the backscatter.
- You cannot stop the messages being sent to you. The messages will only stop when the
spammer stops sending mail that pretends to be from someone at your domain.
- You probably cannot stop the spammer (although it does happen). The spammer is probably
delivering his messages via botnet, which he controls remotely and anonymously. Even if you
managed to identify the botnet, unless he was incompetent he would remain anonymous. And
even if you managed to identify him, he's probably in a far-away country, which has no
extradition treaty with your country, lax cybercrime laws, and incompetent local law enforcement.
To cap it all, even with an extradition treaty and all the rest, he's probably not committed
an extraditable offence, and even if he had, the damage you've suffered would no doubt
be considered relatively small compared to the amount required to actually extradite someone in the first place,
particularly when you have the technical means to block him.
Final note:
If the spammer does not use a random address, but instead uses an address you use, the following notes apply:
- The spammer is either trying to leverage the fact that your address may be whitelisted (unlikely), OR he is trying to have your address blacklisted (see joe-job).
- You cannot use either of the above alternative solutions, as these will delete all mail addressed to this address, which may include legitimate mail.
- You have little recourse but to use the first solution, and then delete the NDRs manually (try sorting by subject or sender).
- Your address may be blacklisted.
- If the spammer persists, you need to stop using that address.
- If you have to stop using that address, you will have suffered measurable loss, so if you ever find the spammer, you can sue him. You may wish to archive the NDRs, so you can prove your case.
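As an added example (not part of the original page), here is a small Python filter that applies the solutions above to raw inbound messages: anything addressed to the made-up address goes to the trash, and for the final-note case, where the forged address is one you really use, only the NDRs (null Return-Path, MAILER-DAEMON/postmaster sender, or a delivery-status report) are dropped so legitimate mail survives. The sample messages, host names and the ABCreallyXYZ address are constructed for illustration.

```python
from email import message_from_bytes
from email.message import Message
from email.utils import parseaddr

FORGED = "ABCreallyXYZ@yourdomain.com"   # the address the spammer is forging

# Constructed sample messages (not taken from any real mailbox).
NDR = b"""Return-Path: <>
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
To: ABCreallyXYZ@yourdomain.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered to the recipient.
--b1--
"""
LEGIT = b"""Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: ABCreallyXYZ@yourdomain.com
Subject: Lunch next week?

Are you free on Tuesday?
"""
OTHER = LEGIT.replace(b"To: " + FORGED.encode(), b"To: sales@yourdomain.com")

def is_ndr(msg: Message) -> bool:
    """Non-delivery report heuristics: null envelope sender (Return-Path <>),
    a MAILER-DAEMON/postmaster From, or a multipart/report delivery-status body."""
    return_path = parseaddr(msg.get("Return-Path", "none"))[1]
    sender = parseaddr(msg.get("From", ""))[1].lower().split("@")[0]
    report = (msg.get_param("report-type", "") or "").lower()
    return (return_path == "" or sender in ("mailer-daemon", "postmaster")
            or (msg.get_content_type() == "multipart/report" and report == "delivery-status"))

def classify(raw: bytes, forged: str = FORGED, forged_is_real: bool = False) -> str:
    """Return 'trash' or 'keep'. A made-up forged address receives only backscatter,
    so everything sent to it is trashed; a real address keeps ordinary mail and
    drops only the NDRs (the manual sort-by-sender step from the final note)."""
    msg = message_from_bytes(raw)
    to = parseaddr(msg.get("To", ""))[1].lower()
    if to != forged.lower():
        return "keep"
    if not forged_is_real:
        return "trash"
    return "trash" if is_ndr(msg) else "keep"
```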