The signs most people miss
A compromised server rarely announces itself. What you're looking for are patterns that are easy to dismiss as normal behaviour — until you know what they actually mean.
Unexpected bounce messages
If you're receiving delivery failure notices for emails you never sent, someone is sending mail with your address as the envelope sender (the Return-Path), and the receiving servers are bouncing it back to you. This backscatter does not by itself prove your server is compromised: spam that merely forges your domain produces exactly the same bounces, and the forger never touched your server. Open a few of the bounces and read the Received headers of the quoted original. If the first hop is your own server's IP or hostname, the mail really left your server, through an open relay or a hijacked account. If the originating IP is unrelated to you, you are being spoofed, and the remedy is SPF, DKIM and a DMARC reject policy so that receivers drop the forgeries instead of bouncing them to you.
Sudden deliverability problems
If clients start mentioning that your emails are going to spam, or you notice replies dropping off, check your sending IP against the major DNS blocklists (Spamhaus ZEN, Barracuda, SpamCop and similar) before assuming it's a content issue. Check the IP, not just the domain: a server that has been sending spam ends up listed by IP, and the listing affects every email you send from it, not just the ones attackers are generating. Read the listing reason as well. A Spamhaus PBL entry means the address sits in a range the ISP says should not send mail directly, which points at a hosting or configuration problem, whereas an SBL or XBL entry means the address was observed sending spam or is an exploited host.
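The blocklist check described above, written out as an added example (this is not code from the original page). A DNSBL is queried by reversing the IPv4 octets and appending the zone name; an A record inside 127.0.0.0/8 means "listed" and NXDOMAIN means "not listed". The meanings for zen.spamhaus.org follow Spamhaus's published return codes; the other zones are only reported as listed or not. The zone selection in ZONES is an assumption, and the resolver is injectable so the logic can be exercised offline with a fake.

```python
"""Check a sending IP against DNS blocklists (DNSBLs).

Added example, not from the original page. ZONES is an assumed selection;
the ZEN code table follows Spamhaus's published return codes.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

ZONES = ["zen.spamhaus.org", "b.barracudacentral.org", "bl.spamcop.net"]  # assumed selection

# zen.spamhaus.org return codes (per Spamhaus documentation).
ZEN_MEANING = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited host (open proxy, bot, malware)",
    "127.0.0.5": "XBL: exploited host (open proxy, bot, malware)",
    "127.0.0.6": "XBL: exploited host (open proxy, bot, malware)",
    "127.0.0.7": "XBL: exploited host (open proxy, bot, malware)",
    "127.0.0.10": "PBL: end-user range set by ISP policy, not expected to send mail",
    "127.0.0.11": "PBL: end-user range maintained by Spamhaus",
}
# These are error responses, not listings: the query itself was refused.
ZEN_ERRORS = {
    "127.255.255.252": "query error: typing error in DNSBL name",
    "127.255.255.254": "query refused: sent via a public/open resolver (use your own resolver)",
    "127.255.255.255": "query refused: excessive query volume",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the system resolver; None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret(zone: str, answer: Optional[str]) -> Dict[str, object]:
    """Turn a DNSBL answer into listed/not listed/unusable plus a reason."""
    if answer is None:
        return {"listed": False, "detail": "not listed"}
    if zone == "zen.spamhaus.org" and answer in ZEN_ERRORS:
        return {"listed": None, "detail": ZEN_ERRORS[answer]}
    if ipaddress.ip_address(answer) not in LOOPBACK:
        # A retired zone with wildcard DNS answers for everything; treat it
        # as unusable rather than as a listing.
        return {"listed": None, "detail": f"unexpected answer {answer}; zone unusable"}
    if zone == "zen.spamhaus.org":
        return {"listed": True, "detail": ZEN_MEANING.get(answer, f"unknown ZEN code {answer}")}
    return {"listed": True, "detail": f"listed ({answer})"}


def check_ip(ip: str, zones=ZONES,
             resolve: Callable[[str], Optional[str]] = system_resolve) -> Dict[str, Dict[str, object]]:
    """Query every zone for the IP and return {zone: interpretation}."""
    return {zone: interpret(zone, resolve(dnsbl_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    import sys
    for zone, result in check_ip(sys.argv[1]).items():
        print(f"{zone:28} {result['listed']!s:6} {result['detail']}")
```

Run it from the mail server itself, or from a host using your own recursive resolver: Spamhaus refuses queries that arrive through large public resolvers and answers 127.255.255.254, which the code reports as a refused query rather than a listing.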
Authentication failures in your logs
Mail server logs will show repeated failed login attempts against your IMAP, POP3 or SMTP submission service. Some level of this is normal; it's the background noise of the internet. What's not normal is a sudden spike from one source, a slow spray in which hundreds of addresses each try a handful of passwords (which per-IP lockouts such as fail2ban never trigger on), or a successful authentication that follows a run of failures from the same address. Successful logins from IP addresses, countries or times that don't match your users are the sign to chase first: one mailbox logging in from a residential ISP on another continent in the middle of the night is a stolen password until proven otherwise.
Unusual outbound mail volume
If your server is suddenly sending thousands of messages a day when your business typically sends dozens, something is wrong. This is often only visible in the logs and the queue: your users won't see it because the mail isn't going through their clients. Count recipients per authenticated sender per hour from the mail log rather than messages per day, because a hijacked account usually shows up as one username responsible for most of the volume, submitting from addresses outside your normal networks. A queue listing (mailq, or postqueue -p on Postfix) full of deferred messages to addresses nobody in your organisation has ever written to is the same sign from a different angle.
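The two log checks above, authentication abuse and an outbound volume jump tied to one account, combined in one added example (not code from the original page). The log lines in SAMPLE_LOG are constructed for illustration, using Postfix's standard smtpd and qmgr line formats; KNOWN_NETWORKS and the thresholds are assumptions to replace with your own values. The script correlates the queue ID on the authenticated smtpd line with the qmgr line that carries the recipient count, so only submissions from authenticated accounts are totalled.

```python
"""Scan a Postfix mail log for authentication abuse and an outbound volume spike.

Added example, not from the original page. SAMPLE_LOG is constructed;
KNOWN_NETWORKS and the thresholds are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict

KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: office range
FAIL_THRESHOLD = 10    # assumed: failed logins per source IP per hour
RCPT_THRESHOLD = 100   # assumed: recipients per account per hour

# Constructed sample: a password-guessing run from one host succeeds against
# alice's account, which then submits bulk mail at 02:00; bob's single
# message from the office network is the normal baseline.
SAMPLE_LOG = [
    f"Jun 12 02:{m:02d}:15 mail postfix/smtpd[2101]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6"
    for m in range(12)
] + [
    "Jun 12 02:14:22 mail postfix/smtpd[2104]: 7F3A1C0: client=unknown[198.51.100.7], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
    "Jun 12 02:14:22 mail postfix/qmgr[1180]: 7F3A1C0: from=<alice@example.com>, size=2310, nrcpt=80 (queue active)",
    "Jun 12 02:15:02 mail postfix/smtpd[2104]: 80B2D1C: client=unknown[198.51.100.7], "
    "sasl_method=LOGIN, sasl_username=alice@example.com",
    "Jun 12 02:15:02 mail postfix/qmgr[1180]: 80B2D1C: from=<alice@example.com>, size=2290, nrcpt=75 (queue active)",
    "Jun 12 09:03:41 mail postfix/smtpd[2310]: 91C4E02: client=office.example.com[192.0.2.20], "
    "sasl_method=PLAIN, sasl_username=bob@example.com",
    "Jun 12 09:03:41 mail postfix/qmgr[1180]: 91C4E02: from=<bob@example.com>, size=5120, nrcpt=1 (queue active)",
]

RE_LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: (.*)$")
RE_FAIL = re.compile(r"warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
RE_AUTH = re.compile(r"^(\w+): client=\S+\[([\d.]+)\],.*\bsasl_username=(\S+)")
RE_QMGR = re.compile(r"^(\w+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")


def in_known_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def analyse(lines):
    """Return a list of findings; each is a dict with a 'kind' key."""
    fails = Counter()            # (hour, ip) -> failed SASL attempts
    failing_ips = set()          # every IP that failed at least once
    logins = defaultdict(set)    # user -> source IPs that authenticated
    owner = {}                   # queue id -> (hour, user) from the smtpd line
    rcpts = Counter()            # (hour, user) -> recipients submitted
    flagged = set()              # (user, ip) pairs already reported
    findings = []

    for line in lines:
        m = RE_LINE.match(line)
        if not m:
            continue
        hour, daemon, msg = m.group(1)[:-6], m.group(2), m.group(3)  # hour = "Jun 12 02"
        if daemon == "smtpd":
            f = RE_FAIL.search(msg)
            if f:
                fails[(hour, f.group(1))] += 1
                failing_ips.add(f.group(1))
                continue
            a = RE_AUTH.match(msg)
            if a:
                qid, ip, user = a.groups()
                logins[user].add(ip)
                owner[qid] = (hour, user)
                # A success from an IP that was guessing moments ago is the
                # strongest single indicator of a stolen credential.
                if ip in failing_ips and (user, ip) not in flagged:
                    flagged.add((user, ip))
                    findings.append({"kind": "guessed_credential", "user": user, "ip": ip, "hour": hour})
        elif daemon == "qmgr":
            q = RE_QMGR.match(msg)
            if q and q.group(1) in owner:       # only authenticated submissions
                rcpts[owner[q.group(1)]] += int(q.group(2))

    for (hour, ip), n in fails.items():
        if n >= FAIL_THRESHOLD:
            findings.append({"kind": "brute_force", "ip": ip, "hour": hour, "count": n})
    for user, ips in logins.items():
        foreign = sorted(ip for ip in ips if not in_known_network(ip))
        if foreign:
            findings.append({"kind": "unknown_network", "user": user, "ips": foreign})
    for (hour, user), n in rcpts.items():
        if n >= RCPT_THRESHOLD:
            findings.append({"kind": "volume_spike", "user": user, "hour": hour, "recipients": n})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On a real system feed it the lines of /var/log/mail.log (or the journal output for the postfix unit) in place of SAMPLE_LOG, and tune the two thresholds from a week of normal traffic before trusting the volume alert.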
Disk space disappearing
A server being used for spam can fill up disk space quickly: mail queues, logs, and stored messages all grow fast under load. If your server's disk usage is climbing without a clear explanation, look at the mail spool (/var/spool/postfix on a default Postfix install) and the mail log first. A deferred queue that has grown to thousands of messages is spam that the receiving servers have already refused to accept.
Any one of these signs on its own warrants investigation. More than one at the same time means you need to act now — not later.
What to do if you see these signs
Don't just restart the server and hope it clears up, and don't wipe it before you know what happened. A compromised server needs to be audited: preserve the logs first (copy them off the machine, since log rotation and attackers both remove evidence), then identify how the attacker got in, close that route, and only then rotate every credential that touched the machine. Rotating passwords before the entry point is closed just hands the attacker the new ones. Typical entry points are a guessed or reused mailbox password, a relay rule that trusts too much, an unpatched webmail or admin panel, or a weak SSH login; check for what was left behind as well (new accounts or aliases, forwarding rules, cron jobs, SSH keys, files in web directories). Update the software, and confirm from the logs that the failed logins and the outbound volume have actually stopped before you declare it clean. Restarting without doing this work just means the same thing happens again.
Getting off a blacklist also requires more than cleaning up the server. Most major blacklists require a delisting request and a waiting period, and some will flag your IP for extended monitoring even after removal. Submit the request only once the abuse has genuinely stopped: a listing that recurs shortly after removal is treated as a repeat offence and takes considerably longer to clear, and some lists accept no manual requests at all and only expire an entry after a quiet period with no new reports.
The fastest path from compromised to clean is having someone who's done it before. Guessing at the right steps while your domain reputation is actively degrading makes everything harder to fix.
Seeing any of these signs?
We diagnose compromised mail servers, clean them up, and get you off blacklists. Don't wait for it to get worse.
[email protected]