This post explains why bloggers and other website owners may see large numbers of bounce messages for spam they didn't send in their domain-based email - i.e. email that uses their domain name as opposed to their Internet Service Provider (ISP). If you're just looking for the fix without the background, check the extended entry.
Lots of people who have their own domains and hosting get justifiably freaked out when they start receiving huge numbers of emails that seem to be bounce notifications for spam that looks like it was sent from addresses at their domain. Mostly these are autogenerated replies from other mail servers telling you the spam messages bounced. What unsettles people the most is that they never sent the original, so they are afraid someone has hijacked their email or hosting account.
In fact, these messages are simply the result of spammers making up addresses using your domain name to employ as fake return addresses when sending their crap. When the crap bounces, it bounces back to you because your domain has been spoofed as the sender.
This is NOT an indication of a problem with your email security. There's nothing you can do to stop spammers from inventing and using return email addresses that have been faked using your domain name (unless you've got some exotic technique for mind-controlling the spammers, in which case, fess up!) If you look at the bounce messages, you'll see that the return addresses are just arbitrary words put in front of @yourdomain.com, making it clear that these aren't your real addresses. So if they're made-up addresses, why do they bounce back to your real address?
Well, actually, they don't. By default, most hosting accounts are set up so that any email that comes in with an @yourdomain.com address will be forwarded to the default mail account. So if a message arrives for firstname.lastname@example.org, it will get routed directly to your inbox. If a message comes in for email@example.com, it will get forwarded to the firstname.lastname@example.org address as well.
There's a good reason for this behaviour. If someone were to accidentally send to email@example.com (a typo), then instead of bouncing, the message would get forwarded to your default address and could be sorted out from there. So what can you do about the mess of bounces that are cluttering your inbox?
If you're willing to give up the safety net of knowing that a misaddressed message can still get to you, you can simply instruct your email handler to throw away any message that's not sent to a real, existing address. This means all those spam bounces will simply be discarded and you'll never see them. How do you tell your email system to dump this trash?
The first step is to decide exactly what action should be taken with each crap message. Your choices are to either bounce the message yourself, or to blackhole it. Blackholing is the most extreme, and means the offending message will simply disappear without notification to you or to whoever sent the message.
This is the most tempting solution because it means the crap message dies with you - it doesn't go on to bounce back to another server that didn't request it either. This is great if the only messages being dealt with this way are guaranteed to be pure crap. BUT! This is very bad news for those messages that might be legit, but with an accidental error in the email address. Remember, no notification of failure will be sent, so if I sent the offer to hire you as my gourmet restaurant's food taster, but it went to firstname.lastname@example.org by accident, you're never going to see it, and I'm just going to assume you ignored me.
So the only time to use the blackhole is if you don't actually use your domain's email at all. In which case you know anything that comes in is crap and can safely be ignored. For everybody else, you want to set your system to bounce any message not sent to a legit address.
Hit the extended entry for step-by-step instructions on how to do this.
These instructions are specifically for hosting accounts that utilise cPanel for their administration interface (note, these instructions are specific to the setup at Mu.nu - generic instructions are noted at the end).
Log into the admin area (yourdomain.com/cpanel/) and double-click the icon for Mail. Then click the link for Default Address, followed by the link for Set Default Address. Once that page is open, you'll see the form for setting the default address.
To force unrouted mail to bounce, add :fail: no such address here to the second box, then click the change button. To cause all unrouted mail to simply disappear, enter :blackhole: instead. (Note the colons at the beginning and end of fail and blackhole.)
Non-Mu.nu versions of cPanel may look different depending on the skin and version in use, but you're looking for the Default Address screen. It may be available right from your main admin page. If your host doesn't use cPanel, look for the setting for your Default or Catch-All Address.
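Before changing the setting, you can check what it would actually drop. The script below is an added example, not part of the original post: it sorts saved messages into bounces addressed to made-up local parts (the ones that stop arriving once the Default Address is :fail: or :blackhole:) and bounces addressed to a mailbox that really exists. The domain, the mailbox list, the bounce-detection heuristics and the sample messages are all assumptions constructed for illustration.

```python
import email
from collections import Counter
from email.utils import getaddresses, parseaddr

DOMAIN = "yourdomain.com"              # assumption: placeholder for your domain
REAL_MAILBOXES = {"me", "postmaster"}  # assumption: local parts that really exist

def is_bounce(msg):
    """Heuristics for an autogenerated bounce (delivery status notification)."""
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status"):
        return True
    if msg.get("Return-Path", "").strip() == "<>":  # null sender marks a bounce
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender.split("@")[0] in {"mailer-daemon", "postmaster"}

def classify(raw):
    """Label one raw message by the address at DOMAIN it was sent back to."""
    msg = email.message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    for _name, addr in getaddresses(msg.get_all("To", [])):
        local, _, dom = addr.lower().rpartition("@")
        if dom == DOMAIN:
            # Invented local parts only reach you through the catch-all.
            return "real-mailbox" if local in REAL_MAILBOXES else "invented-address"
    return "other-domain"

def triage(raws):
    return Counter(classify(r) for r in raws)

# Constructed sample messages (not real mail).
SAMPLES = [
    "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\nTo: qzxv@yourdomain.com\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nUser unknown\n--b1--\n",
    "Return-Path: <>\nFrom: bounces@mx.example.org\nTo: info77@yourdomain.com\n"
    "Subject: Delivery failure\n\nMailbox full\n",
    "From: Mail Delivery System <MAILER-DAEMON@mail.example.net>\n"
    "To: me@yourdomain.com\nSubject: Returned mail\n\nNo such user\n",
    "Return-Path: <alice@example.org>\nFrom: alice@example.org\n"
    "To: me@yourdomain.com\nSubject: Lunch?\n\nFriday?\n",
]

if __name__ == "__main__":
    for label, count in triage(SAMPLES).items():
        print(f"{count:3d}  {label}")
```

A bounce that lands in the real-mailbox group is unaffected by the Default Address setting and is the one worth reading.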