My mailbox is flooded with bounces from MAILER-DAEMON, help!

Problem: Your inbox has filled, or is filling, with hundreds or thousands of "bounce" messages from MAILER-DAEMON, Postmaster, System Administrator, etc. If you examine the original messages, which are sometimes contained within (or attached to) the bounce, they are spam: you didn't send them, and you've never heard of the people they were addressed to. The FROM address in the original message is the email address which receives the bounce messages. Your address and/or server may be blacklisted.
Explanation: A spammer is the most likely cause. Occasionally, the cause is a malicious attacker - but this is rare. The person responsible is forging his mail header so that it seems the spam comes from your domain. He does this because he thinks it will give him a better chance of having his spam delivered.
A side-effect of this is that you get the bounces, that is, the non-delivery reports (NDRs), which are sent to you by the servers the spam was sent to. Delivery failed because the spammer used a bad address, was blocked, or for some other reason. These servers cannot tell that he forged his header, and so they treat his message the same as any other message that cannot be delivered - they send an NDR ("bounce message") back to the sender. Since he's used your domain name to send the mail, the NDRs are sent to you.
Note: the spammer is not trying to spam you, and probably isn't trying to attack you (although an attack by this method is not unknown, see joe-job). He's just using your address for his convenience. Also note that all you're seeing is the bounces; there are likely to be at least the same number of messages that were delivered successfully - you don't see those at all. And note that he probably won't keep forging mail in your name for long. This is because the more he does it, the more the address he's using gets blacklisted, and thus the less effective the spam becomes. So he'll move on soon enough.
The bounces you're seeing are collectively known as backscatter - they are fallout from the interactions of two or more third parties. Nothing you did caused this; no action on your part is required for your domain to be used in this way. Unless the spammer has your password (see below), your domain name was probably selected randomly.
Selecting a solution: The appropriate solution depends on the method the spammer is using:
- Method 1: If the FROM address in the original message lists YOUR OWN email address, the spammer is either a) forging mail from your email address, or b) has the password to your account and is sending spam using it. Solutions for this method:
  - change the password on the account, and then secure the account:
    - If using a web-based account such as Gmail or Yahoo, ALSO check, and if necessary change, your alternate contact email address. If someone had access to your account, they could have added their own email address and would then be able to recover your new password, even after you change it! Delete any addresses you don't recognise from your list of alternate contact email addresses. Check all the settings in your account to make sure none have been tampered with. See your provider's help pages for detailed instructions. The relevant pages for Yahoo and Gmail:
    - If using a regular account at your hosting provider or work, ALSO check your computers for malware.
    - If you use the same password on other services, change your passwords on those other services too. Do not use the same password on multiple services.
  - wait it out - sometimes it only happens for a few days - and delete the NDRs manually
  - if the spammer persists, you may need to change your email address
- Method 2: If the FROM address in the original message lists SOMEONE ELSE at your domain, AND that email address IS VALID, the spammer is forging mail from that email address, and mail for this other valid address is being forwarded to you. Solutions for this method:
  - wait it out - sometimes it only happens for a few days - and delete the NDRs manually
  - create a rule to filter all inbound mail addressed to the spammed address to a folder (e.g. Deleted Items) - and delete the NDRs manually
  - if the spammer persists, you may need to delete the forward
- Method 3: If the FROM address in the original message lists SOMEONE ELSE at your domain, AND that email address IS NOT VALID, the spammer is forging mail from that email address, and your catch-all mailbox is delivering the bounces to you. Solutions for this method:
  - wait it out - sometimes it only happens for a few days - and delete the NDRs manually
  - create a rule to filter all inbound mail addressed to the spammed address to a folder (e.g. Deleted Items) - and delete the NDRs manually
  - create a redirect for the spammed address, and send it to /dev/null
  - if the spammer persists, you may need to block your catch-all mailbox
Notes:
- Some providers include an error message which suggests your password is compromised. Change your password and secure your account if you see a message like this in the NDR:
  Error code 475: Suspicious activity was detected on your account
- deleting the NDRs manually: to make this easier, try sorting the mail by subject or sender
- filtering to a folder: This can be done using your email software (e.g. Thunderbird). However, it does mean you must download the mails just to delete them, which is a waste of your resources.
- redirecting to /dev/null: Try this if the spammer persists. This will delete ALL mail for the redirected address - use with caution! You'll need to access your hosting provider's control panel and create a redirect, or contact your hosting provider for assistance. If your control panel does not let you create a redirect to /dev/null, contact your hosting provider for assistance. Do not create a mailbox instead of a redirect. Creating a mailbox will cause the bounce messages to accumulate on your server, eating your disk space and disk quota. The mailbox will eventually overflow, and cause NDRs to be sent to the server which originally sent you the NDR, thus perpetuating the backscatter.
- blocking the catch-all mailbox: This has consequences which should be considered first (see link for discussion). However this solution will work no matter what address the spammer picks. This solution requires accessing your hosting's control panel and/or contacting your hosting provider.
- You can verify where the mail is being sent from by examining the earliest "Received" line of the original message's header. Each server that handles a message adds its own "Received" line at the top, so the lines are in reverse order: the earliest hop, where the message was first injected, is the bottom-most "Received" line. The IP address listed there is likely to be outside your network, which indicates that you are not sending the spam. If the IP address is in fact your own (e.g. the mail is originating from within your network), change the password associated with that email account, and check the affected machine for malware.
- You cannot stop the NDRs being sent to you. The NDRs will only stop when the spammer stops sending mail that pretends to be from someone at your domain. The only exception to this is where the spammer is using your address because he has the password to your email account - if you change your password, this will block him, and stop the NDRs.
- You probably cannot stop the spammer (although it does happen). The spammer is probably delivering his messages via a botnet, which he controls remotely and anonymously. Even if you managed to identify the botnet, unless he was incompetent he would remain anonymous. And even if you managed to identify him, he's probably in a far-away country which has no extradition treaty with your country, lax cybercrime laws, and incompetent local law enforcement. To cap it all, even with an extradition treaty and all the rest, he has probably not committed an extraditable offence, and even if he had, the damage you've suffered would no doubt be considered relatively small compared to the cost of actually extraditing someone, particularly when you have the technical means to block him.
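The method selection above (own address, other valid address, invalid address at your domain) and the "Received" header check can be automated over a bounce. The following is an added example, not from the original page; the addresses, the sending network, and the sample NDR are all constructed assumptions, and the script only reads the bounce that landed in your mailbox.

```python
import email, ipaddress, re
from email import policy
from email.utils import parseaddr

OWN_ADDRESS = "alice@example.com"                          # assumed: mailbox receiving the bounces
VALID_ADDRESSES = {"alice@example.com", "bob@example.com"}  # assumed: real addresses at the domain
OWN_NETWORK = ipaddress.ip_network("198.51.100.0/24")      # assumed: the domain's own sending IPs
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample NDR (not a real bounce); the forged original is attached as message/rfc822.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.net; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77]) by relay.example.net; Mon, 1 Jan 2024 10:00:00 +0000
From: sales@example.com
To: nobody@example.net

spam body
--B1--
"""

def original_message(ndr_text):
    """Return the forged original attached to the bounce, or None if absent."""
    msg = email.message_from_string(ndr_text, policy=policy.default)
    return next((p.get_content() for p in msg.walk()
                 if p.get_content_type() == "message/rfc822"), None)

def origin_ip(orig):
    """IP from the bottom-most Received header: the first hop, where the spam was injected."""
    for line in reversed(orig.get_all("Received") or []):
        m = IP_RE.search(str(line))
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def classify(ndr_text):
    """Map a bounce onto Method 1/2/3; in_network=True points at a compromised account or machine."""
    orig = original_message(ndr_text)
    forged = parseaddr(str(orig["From"]))[1].lower()
    ip = origin_ip(orig)
    method = 0  # FROM is not at your domain at all
    if forged == OWN_ADDRESS:
        method = 1
    elif forged in VALID_ADDRESSES:
        method = 2
    elif forged.endswith("@" + OWN_ADDRESS.split("@")[1]):
        method = 3
    return {"forged_from": forged, "method": method,
            "origin_ip": str(ip), "in_network": ip is not None and ip in OWN_NETWORK}
```

Run `classify` over each bounce and sort by `forged_from`: one spammed address means a redirect or filter for that address will do, while `in_network` set on any bounce means the problem is on your side, not the spammer's.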