Receiving 100s of unexpected 'mail delivery returned' emails


Martin30

Original Poster:

Sunday 19th January 2020
Morning,

In the last few days, I have been receiving many 100s of 'mail delivery returned' bounces for emails I have not sent.

Now I understand that this is often a virus, but what is puzzling me is that the returned emails are coming to postmaster@"mydomain".com, and this is not a mailbox that is valid in my domain. They are thus being routed to the default mailbox in my domain.

Standard Windows virus checker finds nothing, and I am assuming someone is somehow spoofing my postmaster@ email address as the sender, rather than a virus sending them from my PC.

Anyone got any ideas if I can do anything here, or how to double check it is not a local virus?

Thanks,

Martin.

Tyndall

Sunday 19th January 2020
I had similar last year. Bounce-backs to our legitimate email addresses. Changed the password of all email accounts on the server and it fixed it.

Our passwords foolishly used to follow a similar sort of pattern, so at first the Mail Delivery Returned emails were coming to matt@. I'd change Matt's password, all would be quiet for a few hours, and then it would be will@, so it seemed they were being cracked systematically. Then changed the lot to unique random passwords and (touch wood) it's been fine since.

juice

Sunday 19th January 2020
Have you set up DKIM/SPF DNS records for your domain?

https://www.mail-tester.com/spf-dkim-check
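
What an SPF record buys you in this situation: a receiving server looks up the TXT record for the envelope sender's domain and decides, from the connecting IP alone, whether that host is allowed to send as the domain. With a "-all" record a receiver that checks SPF can refuse the forged message at SMTP time instead of accepting it and bouncing it to postmaster@. The script below is an added example, not from the thread or from mail-tester; it evaluates a record offline against a constructed DNS table, so every hostname, address and record in it is made up. It covers the common mechanisms (all, ip4, ip6, a, mx, include) and shows the weak settings ("~all", "+all") beside the strict one.

```python
"""Evaluate an SPF record against a sending IP, offline, the way a
receiving MTA does before it accepts mail claiming to come from the
domain.  Added example; the names and addresses below are made up."""
import ipaddress

# Constructed DNS answers (assumption: none of these names are real).
DNS = {
    ("mydomain.example", "TXT"): ["v=spf1 mx include:_spf.mailhost.example -all"],
    ("mydomain.example", "MX"): ["mail.mydomain.example"],
    ("mail.mydomain.example", "A"): ["198.51.100.10"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # The weak settings beside the strict one: "~all" only asks receivers to
    # mark the mail, and "+all" says every host on the internet may send as you.
    ("lax.example", "TXT"): ["v=spf1 mx ~all"],
    ("lax.example", "MX"): ["mail.mydomain.example"],
    ("open.example", "TXT"): ["v=spf1 +all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed table above."""
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, cidr):
    """True if ip falls inside cidr; a bare address counts as a /32 or /128."""
    return ip in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, sender_ip, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip using an
    envelope sender in `domain`.  Modifiers such as redirect= and the ptr and
    exists mechanisms are not implemented here and yield permerror rather
    than being silently skipped."""
    if depth > 10:                      # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if "=" in term:
            return "permerror"
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip_in(ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # ptr/exists, or a typo in the record
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end with no "all" term


if __name__ == "__main__":
    for domain, ip in [("mydomain.example", "198.51.100.10"),
                       ("mydomain.example", "192.0.2.20"),
                       ("mydomain.example", "203.0.113.45"),
                       ("lax.example", "203.0.113.45"),
                       ("open.example", "203.0.113.45")]:
        print(f"{domain:18} from {ip:15} -> {check_spf(domain, ip)}")
```

Two caveats worth knowing before publishing a record: SPF checks the envelope sender (Return-Path), not the From: header a user sees, so it stops this kind of backscatter only at receivers that check it and only when combined with DMARC for the visible From; and a record that does not end in "-all" leaves the decision to the receiver, which is why the "lax" and "open" records above never produce a fail.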

AJB88

Sunday 19th January 2020
Change the passwords on your email.

One of my emails once started sending loads of spam overnight; changed the password and it stopped.

droopsnoot

Sunday 19th January 2020
What's probably happening is that someone is sending bulk emails using their own server, but with your address (or an address on your domain) as their "from" address. When they bounce because the receiving email address doesn't exist, the bounce message is sent to the from-address, and if it doesn't exist, I believe that will go to the "postmaster" address for your domain, whatever that is. May easily be nothing at all to do with your passwords or your mail server being hacked, just someone with their own SMTP server.
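
The two cases droopsnoot separates (a stranger's server forging your address versus your own server actually sending the mail) can be told apart from the Received headers in the copy of the original message that most bounces carry: a hop stamped "by" your own relay, especially one marked as an authenticated submission (ESMTPSA), means a mailbox on your server was used; no such hop means the message never touched your infrastructure. The script below is an added example, not from the thread; OUR_MAIL_HOSTS is an assumption about which relay is legitimately yours, and the hostnames, addresses and both bounce messages are constructed.

```python
"""Triage a bounce: did the original message leave through our own mail
server (a compromised mailbox) or through a stranger's server with a forged
From address (backscatter)?  Added example built on constructed data."""
import email
import re
from email import policy

# Assumption: the only hosts that legitimately relay mail for the domain.
OUR_MAIL_HOSTS = {"mail.mydomain.example"}

_BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Postfix/Exim stamp ESMTPSA (or "(authenticated ...)") when the hop used SMTP AUTH.
_AUTH_RE = re.compile(r"\bwith\s+ESMTPSA\b|\(authenticated", re.IGNORECASE)


def original_headers(bounce_text):
    """Extract the copy of the original message that a DSN carries."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    raise ValueError("bounce carries no copy of the original message")


def hops(msg):
    """Received headers oldest-first (MTAs prepend, so reverse the list)."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(str(raw).split())        # unfold and squash whitespace
        by, ip = _BY_RE.search(line), _IP_RE.search(line)
        out.append({"by": by.group(1).lower() if by else None,
                    "ip": ip.group(1) if ip else None,
                    "authenticated": bool(_AUTH_RE.search(line))})
    return out


def triage(bounce_text):
    chain = hops(original_headers(bounce_text))
    via_us = [h for h in chain if h["by"] in OUR_MAIL_HOSTS]
    # A hop stamped by our relay means our server sent it: rotate that mailbox's
    # password and check for added forwarders.  Otherwise nothing of ours was
    # involved and only SPF/DKIM/DMARC checks at receivers can stop it.
    return {"verdict": "compromised-account" if via_us else "spoofed-backscatter",
            "origin_ip": chain[0]["ip"] if chain else None,
            "authenticated_submission": any(h["authenticated"] for h in via_us)}


def make_bounce(received, sender):
    """Build a constructed multipart/report DSN around an original-header block."""
    return f"""\
From: MAILER-DAEMON@mx1.recipient.example
To: postmaster@mydomain.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The address nobody@recipient.example does not exist.

--B1
Content-Type: text/rfc822-headers

{received}
From: {sender}
To: nobody@recipient.example
Subject: Your account

--B1--
"""


# Constructed: a stranger's VPS handed the forged message straight to the
# recipient's MX; no host of ours appears in the chain.
SPOOFED_BOUNCE = make_bounce(
    "Received: from srv-203.cheap-vps.example (unknown [203.0.113.45])\n"
    "\tby mx1.recipient.example (Postfix) with ESMTP id 4ABC\n"
    "\tfor <nobody@recipient.example>; Sun, 19 Jan 2020 08:12:03 +0000",
    "postmaster@mydomain.example")

# Constructed: a client at 192.0.2.77 logged in to our relay (ESMTPSA) and
# the relay then delivered to the recipient's MX.
COMPROMISED_BOUNCE = make_bounce(
    "Received: from mail.mydomain.example (mail.mydomain.example [198.51.100.10])\n"
    "\tby mx1.recipient.example (Postfix) with ESMTPS id 5DEF\n"
    "\tfor <nobody@recipient.example>; Sun, 19 Jan 2020 09:41:10 +0000\n"
    "Received: from [192.0.2.77] (unknown [192.0.2.77])\n"
    "\tby mail.mydomain.example (Postfix) with ESMTPSA id 9F01\n"
    "\tfor <nobody@recipient.example>; Sun, 19 Jan 2020 09:41:08 +0000",
    "will@mydomain.example")

if __name__ == "__main__":
    print(triage(SPOOFED_BOUNCE))
    print(triage(COMPROMISED_BOUNCE))
```

In the compromised case the origin IP is the client that authenticated, which is what to search for in the server's SMTP AUTH logs; in the spoofed case it is the forger's server, and changing passwords will not affect it.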


Martin30

Original Poster:

Wednesday 22nd January 2020
Thanks for the replies all, and my apologies for the delayed reply. I wanted to see what worked before reporting back so it may help others in future.

Alas, the solution is not yet clear. I called my hosting provider (123-Reg), and they confirmed that they were seeing lots of spam traffic from my domain. So, I changed the passwords. This has slightly reduced, but not actually stopped, the returned bounce emails, now 24 hours later.

So, I think either droopsnoot's suggestion that they are simply using my domain as the 'from' address is correct, or there is a lag on the destination email servers processing the mail returns and it will stop completely shortly, once the password change takes effect.

Juice's suggestion about DKIM/SPF sounds intriguing, and I need to do a lot more reading to understand this more. Looks like 123-Reg are happy to implement this, but looks like I need to somehow procure a provider for a DKIM record - all new to me.

Martin.