My account was caught sending out spam


Monday, March 5th, 2018 - General

Have you received an email from us stating that your account has been used for spamming? That message may have looked like:

A routine security check on the server found that your account – youraccount.com – was being used to send out spam through the server.

Someone is using SMTP authentication with the account – email@youraccount.com – to relay out questionable mail through the server.

What does this message mean?

This means that someone (probably not you, right?) has logged into the server using the email@youraccount.com account information to send out spam. We are assuming that this person wasn’t really you (otherwise, you’d be the spammer and we’re going to err on the side that it wasn’t really you) so this means that spammers somehow got their hands on the password for email@youraccount.com.

This means you likely have an information leak somewhere. Information, such as the password to this email account (and potentially other information that does not affect your web hosting account with us), is being leaked out. If you don’t stop the source of that leak, information will continue to leak out.

How did they get their hands on the password for email@youraccount.com? We don’t know. And by that we mean that we really don’t know – we haven’t been looking over your shoulder everywhere you have used this account, and we don’t know what type of password you are using.

One question we often get asked regarding these incidents is: Why didn’t you just block the IP address of the individual sending out the spam? Well, the issue isn’t necessarily WHO is sending out the spam. The issue is that your information was compromised. The IP address isn’t the common point of entry. Oftentimes the spammers are connecting from hundreds of different IP addresses, and even if we did block those IPs, they’d just connect from others. The common point of entry is the compromised email account. That is why the password to the email account has to be changed and why IP addresses are not directly blocked.
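A detector for the pattern described above, added here as an example and not the hosting provider's own tooling: it parses Postfix-style smtpd log lines (the sample lines below are constructed), collects the distinct client IPs each SASL username authenticated from, and flags accounts whose logins are spread across many unrelated addresses. The log format, the sample addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Postfix-style smtpd log line carrying SASL authentication (format assumed).
AUTH_RE = re.compile(
    r"client=\S*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?sasl_username=(?P<user>\S+)"
)

# Constructed sample log lines: one account authenticates from many
# unrelated addresses (the relay-abuse pattern), another from a single IP.
SAMPLE_LOG = """\
Mar  5 09:01:12 mail postfix/smtpd[2101]: 3F1A2B: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=email@youraccount.com
Mar  5 09:01:15 mail postfix/smtpd[2102]: 3F1A2C: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=email@youraccount.com
Mar  5 09:01:19 mail postfix/smtpd[2103]: 3F1A2D: client=unknown[203.0.113.200], sasl_method=LOGIN, sasl_username=email@youraccount.com
Mar  5 09:01:22 mail postfix/smtpd[2104]: 3F1A2E: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=email@youraccount.com
Mar  5 09:02:01 mail postfix/smtpd[2105]: 3F1A2F: client=host.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  5 09:05:40 mail postfix/smtpd[2106]: 3F1A30: client=host.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
"""


def auth_ips_by_user(log_text):
    """Map each SASL username to the set of client IPs it authenticated from."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ips[m.group("user")].add(m.group("ip"))
    return ips


def flag_relay_abuse(log_text, max_distinct_ips=3):
    """Return usernames whose logins came from more than max_distinct_ips
    addresses. The threshold is an assumption and should be tuned per site:
    a mailbox used from a phone, a laptop and an office can legitimately
    reach three addresses, but dozens in a few minutes is a stolen password."""
    return sorted(user for user, seen in auth_ips_by_user(log_text).items()
                  if len(seen) > max_distinct_ips)


if __name__ == "__main__":
    for user in flag_relay_abuse(SAMPLE_LOG):
        print(f"suspect credential compromise: {user}")
```

The output names the account, not the IPs, because the account is the fix point: its password is what has to change.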

Typically hackers and spammers get your password information by one of three different ways:

• Malware, viruses, or keyloggers. Your computer or device may be infected with something that is leaking out your password information. If you have malware or a keylogger on your computer (or mobile phone, tablet, or other device), then that malware can be transmitting your password information for all of the accounts you access back to hackers and spammers. This is also how identity theft usually starts. To resolve this, you need to identify which computers or devices check this account, find the one that has the malware or keylogger on it, and remove the malware or keylogger. Then you need to change the password for your email account and for any other account, with any other business, that you may have logged into on this device.

• Insecure network or network probing. If you check your mail or use your computer, phone, or tablet on any public wifi or insecure network, then you are potentially leaving your data vulnerable to hacking from others on that network. Someone else sharing that public wifi hotspot may be listening in on your connection and stealing password information as you transmit it. To resolve this, you need to identify which insecure networks or wifi hotspots you are using and either secure them or stop using them, and then change your email account password and the password of any other account, with any other business, that you may have logged into on these networks.

• Using weak and insecure passwords. We covered this in some detail in a previous post. Bottom line, you are responsible for choosing strong and secure passwords for your accounts. If you are using simple and easy-to-guess passwords for your account – then you should expect to be compromised – and you need to accept some responsibility for having your account hacked, compromised, and used to send out spam. To resolve this, you need to choose strong and secure passwords for all of your accounts.

These are just some of the scenarios that can explain how your password was compromised. It is not a conclusive list.

The bottom line is – we detected spam being sent out from your account. We are assuming that it is not you sending out the spam, so we draw the conclusion that your password has been compromised. We do not know how the password was compromised, nor can we know how the password was compromised. But you need to figure out how the password was compromised and then resolve whatever the situation was that allowed the password to be compromised. Doing nothing means that your account will probably just get compromised again and we may have to suspend your account if that happens.