Never had I experienced spoofed email bounce like I did this past weekend. It started on Friday evening, and I received about 7000 bounced email that were spoofed using my quantumwave.com domain.
The problem was, the hosting company did not have SPF (Sender Policy Framework) set up, and I had a catch-all email account that accepted *@quantumwave.com. All the spoofed email were sent using some random account names selling illegitimate software or other goods.
I contacted the hosting company and they suggested that I turn off my catch-all email account and activate SPF on the email server.
One little problem with the catch-all account: Whenever I register email at a website, I usually use their domain name as my email account (e.g. at somecompany.com I’d use firstname.lastname@example.org as my registration email). This made it easy for me to filter email, track the source of spam and know which company distributes email to third parties (I was surprised by a few big name corporations doing that).
Anyhow, before I could terminate the catch-all account, I had to set up all previously known email aliases I registered at every website I used. The last count is 330 aliases; so it took some time to track all those down and add them to the server. After that was done, I terminated the catch-all account and it was back to normal.
I’m sure I’ve missed some email aliases and those accounts will no longer work (senders will get notification that those email accounts do not exist). A rough estimate of the time I spent on this madness is approximately 5 hours (racing with/deleting incoming email, adding aliases, setting up server-side filters).
One important piece of information I learned: Activate SPF on the email server.