If your server is actively being used to send spam, your domain reputation is being destroyed in real time. Speed matters here. Don't wait until morning.
Signs your mail server has been compromised
- You receive bounce messages for emails you never sent
- Contacts tell you they're getting spam from your email address
- Your mail queue has thousands of queued messages going nowhere
- Your sending IP has been blacklisted (you can check at MXToolbox)
- Your mail server is running unusually hot — high CPU or disk usage
- You're receiving abuse complaints from ISPs
What to do in the first hour
Block outbound SMTP (port 25) at the firewall level right now. Yes, this stops your legitimate email too — but it also stops the bleeding. A temporary disruption is far less damaging than thousands more spam messages going out under your domain.
Check how many messages are queued. If it's hundreds or thousands of messages to domains you don't recognize, your server is open-relaying. Flush the queue and document what was in it — you'll need this for the post-mortem.
If an account was compromised via stolen credentials, changing passwords kills the attacker's access. Do every account — not just the ones you think were affected. Force password resets for all users.
Open relay is the most common cause of a hacked mail server. Your server should only accept and forward mail for your own domains. If it's configured to relay for anyone, that's the hole. This needs to be closed before you restore mail service.
Look at your mail server's auth logs for the last 48–72 hours. Look for logins from unexpected IP addresses, repeated failed authentication attempts followed by a success, or accounts that sent an abnormally high volume of email.
Check MXToolbox or MultiRBL to see which blacklists your IP has been added to. Most allow you to submit a removal request — but only do this after you've fixed the underlying problem, or you'll just get blacklisted again immediately.
After the fire is out — the full recovery
Stopping the immediate bleed is step one. The full recovery takes longer and involves:
- A thorough audit of every account, rule, and forwarding address on the server
- Installing or reviewing intrusion detection
- Setting up fail2ban or similar to block brute-force login attempts
- Reviewing and locking down server firewall rules
- Rebuilding your sender reputation over 2–4 weeks of clean sending
- Implementing proper SPF, DKIM, and DMARC if you don't have them
How did this happen?
The most common causes we see:
Open relay misconfiguration
Your server was configured to accept and forward email from anyone on the internet — not just your own domains. Spammers scan for open relays constantly and exploit them within hours of discovery.
Stolen credentials
A user's email password was weak, reused from another breach, or obtained via phishing. The attacker used those credentials to authenticate and send spam as a legitimate user on your server.
Outdated mail server software
Unpatched Postfix, Exim, or other mail server software with known vulnerabilities. Exim in particular has had critical remote execution vulnerabilities that were actively exploited.
Compromised web application
If your mail server also hosts a website or web application, a vulnerability in that application (a WordPress plugin, for example) can give attackers a foothold on the whole server.
What about my domain reputation?
This is the part that takes the most time to recover. Major ISPs and spam filter networks track sending behavior over time. Even after you've fixed the technical problem, you may find your emails still landing in spam for weeks.
The recovery strategy involves sending clean, low-volume, authenticated email consistently over several weeks while monitoring your reputation scores. There's no shortcut — but it does recover.
Don't restore full email volume immediately after fixing the issue. Start small — send to engaged contacts who you know will open your emails — and ramp up over 2–3 weeks. This signals to mail providers that you're a legitimate sender again.
The bottom line
A compromised mail server is serious, but it's recoverable. The key is moving fast in the first hour to stop the damage, then doing a thorough cleanup before restoring service. Skipping steps in the cleanup means getting hacked again — usually within days.
If you're in the middle of this right now and need someone who's handled it before, we're available. Include "EMERGENCY" in the subject line and we'll prioritize your message.
Server compromised right now?
Email us with "EMERGENCY" in the subject line. We respond to server emergencies fast.
Contact Emergency Support