If your server is actively being used to send spam, your domain reputation is being destroyed in real time. Speed matters here. Don't wait until morning.

Signs your mail server has been compromised

What to do in the first hour

1
Cut outbound mail immediately

Block outbound SMTP (port 25) at the firewall level right now. Yes, this stops your legitimate email too — but it also stops the bleeding. A temporary disruption is far less damaging than thousands more spam messages going out under your domain.

2
Flush and inspect the mail queue

Check how many messages are queued. If it's hundreds or thousands of messages to domains you don't recognize, your server is open-relaying. Flush the queue and document what was in it — you'll need this for the post-mortem.

3
Change all mail account passwords immediately

If an account was compromised via stolen credentials, changing passwords kills the attacker's access. Do every account — not just the ones you think were affected. Force password resets for all users.

4
Check your server's relay configuration

Open relay is the most common cause of a hacked mail server. Your server should only accept and forward mail for your own domains. If it's configured to relay for anyone, that's the hole. This needs to be closed before you restore mail service.

5
Review authentication logs

Look at your mail server's auth logs for the last 48–72 hours. Look for logins from unexpected IP addresses, repeated failed authentication attempts followed by a success, or accounts that sent an abnormally high volume of email.

6
Submit blacklist removal requests

Check MXToolbox or MultiRBL to see which blacklists your IP has been added to. Most allow you to submit a removal request — but only do this after you've fixed the underlying problem, or you'll just get blacklisted again immediately.

After the fire is out — the full recovery

Stopping the immediate bleed is step one. The full recovery takes longer and involves:

How did this happen?

The most common causes we see:

Open relay misconfiguration

Your server was configured to accept and forward email from anyone on the internet — not just your own domains. Spammers scan for open relays constantly and exploit them within hours of discovery.

Stolen credentials

A user's email password was weak, reused from another breach, or obtained via phishing. The attacker used those credentials to authenticate and send spam as a legitimate user on your server.

Outdated mail server software

Unpatched Postfix, Exim, or other mail server software with known vulnerabilities. Exim in particular has had critical remote execution vulnerabilities that were actively exploited.

Compromised web application

If your mail server also hosts a website or web application, a vulnerability in that application (a WordPress plugin, for example) can give attackers a foothold on the whole server.

What about my domain reputation?

This is the part that takes the most time to recover. Major ISPs and spam filter networks track sending behavior over time. Even after you've fixed the technical problem, you may find your emails still landing in spam for weeks.

The recovery strategy involves sending clean, low-volume, authenticated email consistently over several weeks while monitoring your reputation scores. There's no shortcut — but it does recover.

Don't restore full email volume immediately after fixing the issue. Start small — send to engaged contacts who you know will open your emails — and ramp up over 2–3 weeks. This signals to mail providers that you're a legitimate sender again.

The bottom line

A compromised mail server is serious, but it's recoverable. The key is moving fast in the first hour to stop the damage, then doing a thorough cleanup before restoring service. Skipping steps in the cleanup means getting hacked again — usually within days.

If you're in the middle of this right now and need someone who's handled it before, we're available. Include "EMERGENCY" in the subject line and we'll prioritize your message.

Server compromised right now?

Email us with "EMERGENCY" in the subject line. We respond to server emergencies fast.

Contact Emergency Support