Someone Spoofed my Email Address

Posted on 2006-05-24
Last Modified: 2007-12-19
I have a user on my exchange server whose e-mail address is being spoofed.  All we receive back are bounced e-mails that can't be delivered.  What can I do to stop this?
Question by:drstedim
    LVL 30

    Expert Comment

    what's the exact NDR message?
    LVL 97

    Accepted Solution

    Greetings, drstedim !

    You can change the user's email address, and then block the old address from being delivered.

    If you cannot change the user's email address, then you have to wait out the spam attack.  How many bounced emails are you using?  Usually a spam attack ends within 3 days to a week.

    Best wishes!

    Author Comment

    This has been going on for about 2 weeks.  The user is getting about 60,000 emails a day all stating that the recipient isn't valid or the spam filter has blocked the e-mail ... or something along those lines.  Emails are coming from 1000's of servers in many different languages.  The user is in Sales and doesn't want to "lose business" due to an email address change; although, I'd imagine 60,000 e-mails a day isn't helping his cause much either.  Here are some examples of messages that are coming through:
    ****** Message from InterScan Messaging Security Suite ******

    Sent <<< RCPT TO:<>
    Received >>> 550 no such recipient

    Unable to deliver message to <>.

    ************************     End of message     **********************
    Example 2:
    Your message to:,
    was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

    Subject: Re:
    Example 3 (this one seems to have some useful info, but I don't know what to do with it):
        **      THIS IS A WARNING MESSAGE ONLY      **

    The original message was received at Wed, 24 May 2006 23:01:41 +0200 (CEST)
    from []

       ----- Transcript of session follows -----
    <>... Deferred: Connection refused by
    Warning: message still undelivered after 2 hours
    Will keep trying until message is 3 days old
    Example 4:
    ****** Message from InterScan E-Mail VirusWall NT ******

    Sent >>> RCPT TO: <>
    Received <<< 550 unknown user <>

    Could not deliver mail to this user.
    *****************     End of message     ***************
    Example 5:
    We have received the message sent to email address:

    however, this address is not a valid subscription or removal address on
    this system. Please check the address and try sending your message again.

    Thank you.

    I don't know if this helps at all, but thanks for looking!!!

    LVL 30

    Assisted Solution

    looks like he got SPAM bombed.

    The best way out is to get a NEW email address, rather than fight it, let it go, it will be unproductive.
    LVL 97

    Expert Comment

    The spam attack will subside after a while, if you want to continue using the address.
    LVL 10

    Expert Comment

    I have the exact same problem with one of my domains and there is nothing you can do about it now.

    Best advice for the future is to use email addresses that aren't likely to be generated by a bot.

    Things like sales@  dave@  info@ are examples that are likely to get this sort of problem; instead set up accounts such as wiggetsales@     dave.theman@     wiggetinfo@

    Educate staff not to use important email addresses for entering competitions, signing up to forums etc, instead get them to use yahoo or hotmail (in other words disposable) email addresses for such things. Reserve the important email address for clients, or printed adverts. Don't publish the email addresses on your web site where they can be easily harvested.

    The spam is bad, the auto responses from spam filters and mail servers can actually cause more "spam" than the original spam. If only admins would turn off such features.

    It is amazing so many people don't realise how easy spoofing sender email addresses is, they are quick to blame the return email address for the spam without finding out the facts, I have a number of emails complaining about "my" spam.
    LVL 13

    Expert Comment

    It looks like spam.

    Can you post the header of the mails?

    The header contains all the information about the origin of the mail and the list of all the servers it had gone through before being delivered.

    We receive many spams where the sender's domain is the same as ours. It is a very common practice by spammers to use the recipient's domain name in the sender's address. If your antispam server is not configured properly then these mails can get inside, as the sender's address seems trusted.

    Install a good antispam server, if you do not have one already.

    Try SpamAssassin with Amavis and Postfix. It runs on Linux and it's free.
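
The header check suggested in the comment above, as an added example that is not part of the original thread: it walks the `Received` chain of a constructed message oldest-first and tests whether the earliest recorded client IP belongs to your own outbound mail servers. The hostnames, addresses and the `sent_by_us` helper are illustrative assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a spoofed message as it might come back inside a bounce.
# All names and addresses are documentation values (example.*, RFC 5737).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby mail.recipient.example with ESMTP id A1; Wed, 24 May 2006 21:01:41 +0000
Received: from unknown-host (dsl-pool.isp.example [198.51.100.77])
\tby mx.recipient.example with SMTP id B2; Wed, 24 May 2006 21:01:39 +0000
From: "Sales" <sales@victim.example>
To: someone@recipient.example
Subject: Re:

body
"""

# "from HELO (rDNS [IP]) by SERVER" as written by common MTAs; rDNS is optional.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)

def received_hops(raw):
    """Return the Received hops oldest-first as dicts (helo, rdns, ip, by)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    # Each server prepends its header, so the last one in the file is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(str(value).split()))  # collapse folded lines
        if m:
            hops.append(m.groupdict())
    return hops

def sent_by_us(raw, our_outbound_nets):
    """True only if the earliest recorded client IP is one of our mail servers."""
    hops = received_hops(raw)
    if not hops:
        return False
    ip = ipaddress.ip_address(hops[0]["ip"])
    return any(ip in ipaddress.ip_network(n) for n in our_outbound_nets)
```

Only the hop written by a server you trust is reliable; anything older in the chain can be forged by the sender.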


    Expert Comment

    You may want to try setting up blocking lists if you are running an Exchange server.  Check out the following links:

    SBL allows you to connect to a database which lists verified spammer IP addresses.  You can then block anything from those addresses.

    XBL is another blocking list that should be used in tandem with SBL.

    Another link is the CBL or composite blocking list, but you should not need this if you use XBL since XBL queries the CBL database.

    Hope this helps deter any future spam issues and may also help curb your current issue.
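
How a blocking-list lookup like the one described above works, as an added example that is not part of the original thread: the connecting IP's octets are reversed, appended to the list's DNS zone, and the returned `127.0.0.x` address says which list matched. The zone name and return-code meanings follow Spamhaus's published conventions and are assumptions here, since the thread's links did not survive; the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumption: combined zone covering SBL and XBL

def dnsbl_name(ip, zone=ZONE):
    """Build the DNS name to query: octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer):
    """Map one A-record answer to a list name, 'error', or None."""
    if answer.startswith("127.255.255."):
        return "error"  # query refused or rate-limited, NOT a listing
    if not answer.startswith("127.0.0."):
        return None
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"  # includes CBL data
    if last in (10, 11):
        return "PBL"  # policy list, not mentioned in the thread
    return None

def system_resolver(name):
    """A-record lookup via the OS resolver; no answer means not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check(ip, resolve=system_resolver):
    """Return the sorted list names the IP appears on."""
    results = [classify(a) for a in resolve(dnsbl_name(ip))]
    if "error" in results:
        # Treating an error code as a hit would block all inbound mail.
        raise RuntimeError("DNSBL returned an error code, not a listing")
    return sorted({r for r in results if r})
```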
    LVL 3

    Expert Comment

    My e-add has been on the web since 1994, so I have been spoofed often. If you're visible, there's not much you can do about it, beyond the measures outlined above.

    I am, however, concerned that innocent people connected to me might get spam with a virus, etc from my spoofed e-add. For that reason, our whole organization tries to always put a unique identifier in the subject header, something spammers wouldn't ordinarily think to use that also shows we are connected to the organization.

    Good luck to your sales person.

    Author Comment

    He is biting the bullet and the e-mail address will be changed.  Thanks for all your help and advice!
    LVL 30

    Expert Comment

    cool. thank you!
