I just spent an hour figuring out whether our website had been hacked into sending Viagra spam, so the least I can do is to share what I learned.
The panic started when Kyeli and I received 30 emails in the space of 5 minutes, all of them things like “Out of Office autoreply” or “Delivery failure notification”, you know, like what you often get when you send email to a nonexistent email address or someone who’s busy or on vacation. But the emails were all sent to random email addresses like
[email protected], apparently as autoresponses to emails from random email addresses like
Kyeli panicked and thought we had been hacked. I told her not to worry, that it was just email spoofing, that it happens all the time, and that there’s nothing you can do about it.
But how could I be sure? If our site was actually hacked, we could get deindexed, and it could totally hose our website and our business. So it deserved some investigation. Here’s what I found.
1. Don’t panic. 99% of the time it’s just spoofing, not hacking.
2. Check your sendmail logs.
Sendmail logs are in different places depending on your web hosting, so I can’t tell you where they are or how to find them on your hosting service. But if you’re hosted with a company that doesn’t let you access them directly, you can ask them to check the logs for you.
3. Check the mail headers of the emails sent “from you”.
Look for the Received header and see if it’s from your hosting company (e.g.
something.lunarpages.com) or from some random place, in my example
vorlagen.domain.invalid (h220.127.116.11.dynamic.ip.windstream.net [18.104.22.168]).
This will only work if some of the autoresponders are kind enough to include headers when they bounce back the email to you.