How to deal with compromised mailboxes

This guide will explain how to respond if a mailbox is compromised for customers using LCN web hosting, WordPress hosting and Email hosting.

How do you know if your email account has been compromised?

When logging in to your mailbox, you might find lots of undeliverable bounce-back messages in your account for messages that you’ve not sent.

These bounce-backs could also mean that your email address is being spoofed; this means that a spammer is sending email with forged headers so that it appears to have originated from your email address. Spammers use this tactic for various reasons:

  • As an attempt to evade spam filtering by sending mail with a legitimate from/reply-to address.
  • To prevent bounce-back notifications being returned to the spammer's own mailbox.
  • It could also be a result of a friend or colleague’s mailbox being hacked and then targeted with spam mail from addresses in their contacts list. When the message is rejected by spam filters, the bounce-back is returned to the reply-to address included in the forged headers of the spam mail.

How to identify if your mailbox is compromised or if your address is being spoofed?

It should be possible to identify this by looking at the message headers included in any bounce-back emails being returned to your mailbox. These headers will provide details of the server/IP address that the messages have originated from.

We recommend contacting the LCN support team for help with checking this, so that appropriate action can be taken to secure your mailbox.

What to do if your mailbox is compromised

If your mailbox has been compromised, the first thing to do is to reset your email address password.

However, before resetting your email password, it is important to run virus/malware scans on any computers used to access your account.

If you’ve used the same password for any other online accounts, make sure that these accounts are also updated with a new password.

What to do if your email address is being spoofed

Unfortunately, there isn’t much that can be done to stop email spoofing from happening, but there are measures that you can take to make sure that other mail providers can identify and block these messages as spam. One step you can take to help make sure that only genuine messages sent from your address will be accepted by other mail providers is to configure a Sender Policy Framework (SPF) record for your domain.

SPF records specify which mail servers can send email on behalf of your domain. When an email is received, the receiving mail server uses the SPF record to check that the mail is being sent by an authorised mail server; if not, the mail can be rejected as spam.

The following page will provide details on how to create an SPF record: https://www.lcn.com/support/articles/how-do-i-create-an-spf-record

By default, the SPF policy for domains hosted with LCN is set to neutral – this is applied in case you need to send outgoing mail from any servers other than the LCN mail server.

You can change the SPF policy for your domain to a strict policy – this will specify that only servers included in the SPF record can send mail from addresses at your domain.

This is applied by changing the flag at the end of the record to: -all
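
As an added illustration (not LCN code), the Python sketch below reads the topmost Received header of a returned message and evaluates the connecting IP against an SPF record, showing how the same spoofed message moves from neutral to fail once the record ends in -all. The records, domains and IP addresses are constructed samples, and only ip4/ip6 mechanisms and the final all term are evaluated.

```python
import ipaddress
import re
from email import message_from_string

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def connecting_ip(headers):
    """Return the bracketed IP in the topmost Received header, i.e. the one
    added by the server that accepted (or rejected) the message."""
    received = message_from_string(headers).get_all("Received", [])
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received[0]) if received else None
    return m.group(1) if m else None

def spf_result(record, ip):
    """Evaluate ip against ip4/ip6 mechanisms and the final 'all' term.
    Mechanisms that need DNS lookups (include, a, mx) are skipped here."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        qualifier = QUALIFIERS.get(term[0])
        mechanism = term[1:] if qualifier else term
        name, _, value = mechanism.partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return qualifier or "pass"           # no qualifier means "+"
        if name == "all":
            return qualifier or "pass"
    return "neutral"                             # nothing matched, no "all" term

# Constructed samples: documentation IP ranges and example domains only.
NEUTRAL = "v=spf1 ip4:192.0.2.0/24 ?all"         # neutral policy
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"          # strict policy
SPOOFED = (
    "Received: from unknown (unknown [203.0.113.77])\n"
    "\tby mx.recipient.example; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: you@yourdomain.example\n\n"
)
VIA_OWN_SERVER = (
    "Received: from mail.provider.example (mail.provider.example [192.0.2.10])\n"
    "\tby mx.recipient.example; Mon, 1 Jan 2024 10:05:00 +0000\n"
    "From: you@yourdomain.example\n\n"
)

def assess(headers, record):
    """Return (connecting IP, SPF result) for one returned message."""
    ip = connecting_ip(headers)
    return ip, (spf_result(record, ip) if ip else None)

if __name__ == "__main__":
    for label, hdrs in (("spoofed", SPOOFED), ("via own server", VIA_OWN_SERVER)):
        for record in (NEUTRAL, STRICT):
            print(label, "|", record, "|", assess(hdrs, record))
```

A message relayed through an authorised server still passes under the strict policy, which is why a compromised mailbox needs the password reset described earlier rather than an SPF change.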

If you are not sure how to configure the SPF record for your domain, we’d recommend you get in touch with the LCN support team.
