Customer getting bounces from email spams he did not send.


Well-Known Member
May 24, 2006
cPanel Access Level
Root Administrator
I'm at a real loss here and I'm hoping someone knows of something I haven't tried yet, because the problem is getting bad.

I have a customer whose email account is generating thousands of bounced "undeliverable" and "failed" messages for spam that he never sent. Someone is sending out emails as him, and it's not him doing it.

For example's sake, I will make up a fake domain and email address here to help explain what I mean and what I've done / checked so far:

Let's say my customer has "" hosted on my server and his email address is "[email protected]".

Spammers are sending out viagra / porn emails as "[email protected]", and my customer is receiving the bounces, warnings, and even threats from the victims of the spammer.

My server is secure, no open relays, and I have an SPF record in place on the customer's domain (SPF string used: v=spf1 -all , where xxx... are the IP address of my mail server).

Mailscanner is preventing the customer from having to deal with most of the messages, but they're coming in by the thousands each week and using server resources that I'd rather they didn't.

I checked mailwatch to view the messages actually sent by "[email protected]" (remember, that's not real) and none of the spam was ever sent from his account. He has sent 120 messages in the past month, all legitimate, yet thousands "viagra" etc... spams are bouncing back to him, and he's actually received direct threats / complaints.

Ultimately my biggest worry is that my server, with all the other customers on it, could get blocked / blacklisted, due to no fault of mine or my customer.

I called my data center and the tech basically told me:
- the SPF helps, but can't stop the spoofing
- there's nothing we can do other than to change his email address

I don't want to believe that. Is there ANY way to stop spammers from faking my customer's email address and sending out their junk as him?

Thanks very much for any thoughts / ideas!


Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
Unfortunately, other than setting up a tight SPF record, there isn't actually a lot that can be done. You could also move his email to a challenge-response system (eg postini) off your server, which could help control things until it stops.

If you want to Google for more, this is called a "joe job".


Well-Known Member
Verifed Vendor
Jun 15, 2002
Go on, have a guess
Indeed. The bounces are also known as "backscatter" as something else you can search on. The best you can realistically do is to setup some email Filters for the bounces and ride out the storm. I doubt SPF would actually make much difference at all with regards the bounces, it would simply mean a few providers will mark it as possible spam to the recipients.


Well-Known Member
Feb 1, 2004
I have a similar problem... but....

How the "joe job" intruder knows a email address?
1) I never use the affected email account
2) only created for test proposes... I never get email from people in this account, and never give the email to anyone...
3) ??? how ?

Is this a cpanel/exim issue? a bug? a vulnerability to give all the accounts hosted in the server and email name accounts for spam use??... how happen this??

I really doesn't understand how can happen something like that.... I changed 2 times my server machine, and ISP provider, different IP address... etc...

Someone knows something about this problem?


Aug 10, 2005
- solution which helps in some cases: disable catch-all by setting the default e-mail to bounce, and not to an e-mail mailbox. The most of the time spammers use random addresses for your domain name, so catch-all helps a lot in this case.

- it is possible to check the existence of an e-mail address, just by trying to send an e-mail to an e-mail address on a particular server, but not actually 'send' the e-mail - just probing. It is possible, if your e-mail address is generic, 'someone' probed your e-mail domain with some generic e-mail addresses to check for a valid e-mail address.