FML, I Didn’t Send That! What To Do If Spam Gets Sent From Your Account

There are only a couple things worse than mall shopping on Christmas Eve.

1. Your holiday party getting crashed by really bad guys

2. Your account getting compromised by a malicious spammer

For number 1, there’s Bruce Willis.

For number 2, I’ve written this guide for you.

Your team probably talks about security all year round. You follow the rules and do everything by the books because, if you don’t, the hackers will come and attack everything you’ve ever loved and Bruce Willis won’t be there to save you.

But all it takes to ruin what you’ve worked so hard to build is someone leaking your API keys or SMTP credentials.

Occasionally, we get support tickets from customers that say something along the lines of, “Hey, I didn’t send this traffic. What happened?” Most of the time, we can do a quick search on GitHub and find the keys leaked in a script. It sucks, but it does happen and you are not alone.

Once you know a spammer has gained access, it’s time to take action.

What to Do If You’ve Been Compromised

The first thing that you need to do is cut access to these spammers. As an admin, you’ll need to reset your account API keys and SMTP credentials for any domain that seems to have issues. The faster you do this, the better off you’ll be.

Now that you have new keys and credentials, it’s time to check how much damage was done. Just like after the holidays, once the chaos is over, you’ll have some cleaning up to do.

Unfortunately, because the hackers sent out spam messages that were authenticated with your actual domains/dedicated IPs, you may face negative consequences.

The most commonly seen issue is your IP becoming blocklisted. This can happen on the day the unauthorized send happened or a few days later. On the days that follow, you’ll receive a lot of spam complaints, so be prepared.

If you find yourself on a blocklist, here’s what you need to do to get delisted. As you know, not all blocklists are created equal and the majority won’t impact the delivery of your emails, so it’s best to quickly resolve the listings that matter before focusing on the less utilized blocklists.

How to Prevent Future Leaks

There are a number of things that could have contributed to your credentials becoming compromised. For some general advice on running your infrastructure in a secure configuration, you can read this comprehensive security guide we put together.

As mentioned above, when hackers send spam with your credentials, it’s usually because your sensitive information got leaked in a public script. You’ll need to make sure only the right people can read your API keys. Luckily, with Mailgun, you can restrict access to your API keys and SMTP credentials by assigning specific roles to your users. The last thing you want is a well-intentioned non-dev sharing the keys without knowing what purpose they serve.

We also recommend making sure all your administrators have two-factor authentication configured. 2FA can be a serious pain in the ass, but it’s worth it.

If your account got compromised and you need some additional help, contact our support team. We’re working around the clock, including holidays, to answer your questions.

And if you want additional peace of mind, Mailgun’s Managed Service might be a great fit for your email program. We partner you up with one of our experts who will proactively monitor your account and advise on best practices. Click here to learn more.