If your inbox is suddenly flooded with dozens or hundreds of "Mail delivery failed: returning message to sender" error emails — and you didn't send those messages — your email account has most likely been hacked. An attacker has gained access to your email credentials and is using your account to send out large volumes of spam or phishing emails to random recipients around the world.
When many of those spam emails fail to deliver (because the recipient addresses don't exist or the receiving server rejects them), the mail server generates a bounce-back notification for each failed delivery — and those all come back to your inbox.
Symptoms
You notice one or more of the following:
- Your inbox is flooded with bounce-back emails you didn't trigger, with subjects like:
  - Mail delivery failed: returning message to sender
  - Undelivered Mail Returned to Sender
  - Delivery Status Notification (Failure)
- The bounce-back messages reference recipient addresses you don't recognise
- Your Sent folder contains emails you never wrote — often spam, phishing, or scam messages
- You receive hundreds of bounce-backs in a short period (minutes to hours)
- Your email account may be placed on an outgoing mail hold by the server (see Fix: Outgoing Mail Hold)
- Other people report receiving spam from your email address
Why This Happens
When a hacker obtains your email password (through phishing, malware, a data breach, or a weak password), they log in to your email account and use it to blast out thousands of spam emails. Since many of the target addresses are invalid or no longer active, the receiving mail servers reject them and send a failure notification back to the sender — which is your email.
This creates a chain reaction:
- Hacker compromises your email password
- Hacker sends thousands of spam/phishing emails from your account
- Many emails fail to deliver (invalid addresses, spam filters, full mailboxes)
- Bounce-back notifications flood your inbox — one for every failed delivery
- Your server may suspend your outgoing mail due to excessive sending volume
- Your domain reputation is damaged — your server's IP could be blacklisted
Act immediately. The longer a compromised account remains active, the more damage is done to your email reputation and your server's IP reputation, which can affect email delivery for all domains on the server.
Step 1: Change Your Email Password Immediately
This is the most urgent step — it locks the attacker out of your account.
- Log in to cPanel at yourdomain.com/cpanel (or via the Cynet client area at manage.cynet.com.my)
- Go to the Email section and click Email Accounts
- Find the affected email account and click Manage
- Scroll to the Security section
- Enter a new, strong password — use the Password Generator for maximum security
- Click Update Email Settings
Password Requirements
Your new password should be:
- At least 12 characters long
- A mix of uppercase letters, lowercase letters, numbers, and symbols
- Not reused from any other account or service
- Not based on dictionary words, your name, domain, or easily guessable information
Tip: Use the cPanel password generator to create a strong random password, then store it in a password manager (such as Bitwarden or 1Password) rather than writing it down or saving it in a document.
Step 2: Scan Your Computer for Viruses and Malware
Your email password may have been stolen by malware, a keylogger, or spyware installed on your computer. Even after changing your password, the attacker could steal the new one if your PC is still infected.
Run a full system scan using your antivirus software. If you don't have antivirus installed, use one of the following free tools:
| Tool | Platform | Download |
|---|---|---|
| Windows Security (Defender) | Windows 10/11 | Built-in — open Windows Security → Virus & threat protection → Full scan |
| Malwarebytes | Windows / Mac | malwarebytes.com |
How to Run a Full Scan with Windows Security
- Press Windows + I to open Settings
- Go to Privacy & Security → Windows Security → Virus & threat protection
- Click Scan options
- Select Full scan, then click Scan now
- Wait for the scan to complete and follow any prompts to remove detected threats
Important: Run a full scan, not a quick scan. A quick scan only checks common locations and may miss deeply embedded malware.
Step 3: Check for Unauthorised Changes in cPanel
Hackers often make additional changes to maintain access or hide their activity. Check the following in cPanel:
Forwarders
Go to cPanel → Forwarders. Look for any forwarding rules you didn't create. Attackers commonly add a silent forwarder to copy all your incoming email to their own address.
Action: Delete any forwarding rules you don't recognise.
Autoresponders
Go to cPanel → Autoresponders. Disable or remove any autoresponders you didn't set up. Attackers sometimes set up autoresponders to send phishing links to everyone who emails you.
Action: Remove any autoresponders you don't recognise.
Email Filters
Go to cPanel → Email Filters → select the affected email account. Look for filter rules that:
- Auto-delete incoming emails (to hide evidence)
- Forward emails to unknown addresses
- Move emails to unusual folders
Email Signature
Log in to webmail at yourdomain.com/webmail and check your email signature. Attackers sometimes modify signatures to include phishing links or malicious URLs.
Action: Remove or reset your email signature if it has been tampered with.
Step 4: Review Sent Folder and Track Delivery
Check Your Sent Folder
Log in to webmail (yourdomain.com/webmail) and review your Sent folder. You may find spam or phishing emails the attacker sent from your account.
Action: Delete all spam messages from your Sent folder.
Check Track Delivery
In cPanel, go to Track Delivery to see a log of all recent outgoing emails from your account. This helps you understand the scale of the breach and identify what was sent.
Release Outgoing Mail Hold (If Applicable)
If your email has been placed on an outgoing mail hold due to exceeding sending limits, follow the guide: Fix: Outgoing Mail Hold
Step 5: Update Passwords on All Devices
After changing your email password, you must update the password on every device and application that uses this email account:
- Mobile phones (Mail app on iPhone/Android)
- Desktop email clients (Outlook, Thunderbird, Windows Mail)
- Tablets
- Webmail bookmarks (you'll need to log in again with the new password)
Step 6: Notify Cynet Support
Contact Cynet support to report the compromise. We can:
- Investigate the breach and determine how the attacker gained access
- Check for spam sent from your account and assess the damage
- Unblock your server IP if it was blacklisted due to the spam activity
- Release outgoing mail holds if applicable
- Monitor your account for further suspicious activity
How to Contact Support
- Support Ticket: Log in to manage.cynet.com.my → Open a Support Ticket
- Email: Send the details to our support team
| Information | Details |
|---|---|
| Affected email address | The email account that was compromised |
| When you noticed | Date and time you first saw the bounce-back emails |
| Sample bounce-back | Copy and paste one of the bounce-back error messages |
| Actions taken | Confirm you have changed your password and scanned for viruses |
How to Prevent This from Happening Again
Use Strong, Unique Passwords
- Use passwords with at least 12 characters combining uppercase, lowercase, numbers, and symbols
- Never reuse passwords across different accounts or services
- Use a password manager (Bitwarden, 1Password, LastPass) to generate and store complex passwords
Enable Two-Factor Authentication (2FA)
Add an extra layer of security so that even if your password is stolen, the attacker cannot log in without the second factor:
- Log in to cPanel
- Go to Security → Two-Factor Authentication
- Follow the setup instructions using an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy)
Be Vigilant Against Phishing
Most email compromises start with a phishing email. Protect yourself:
- Never click links in emails asking you to verify, reactivate, or update your email account
- Never enter your password on a page you reached via an email link
- Always navigate directly to cPanel or webmail by typing the URL in your browser
- Read our guide: How to Identify and Handle Phishing Emails
Keep Your Software Updated
Outdated software is a common entry point for malware:
- Keep your operating system (Windows/macOS) updated with the latest security patches
- Keep your web browser updated to the latest version
- Keep your antivirus software updated and running with real-time protection enabled
- Update WordPress, plugins, and themes on your website to prevent compromise through your hosting account
Avoid Using Public or Unsecured Wi-Fi for Email
- Public Wi-Fi networks can be monitored by attackers to intercept your login credentials
- If you must use public Wi-Fi, use a VPN (Virtual Private Network) to encrypt your connection
Regularly Monitor Your Email Activity
- Periodically check your Sent folder for messages you didn't send
- Review cPanel → Track Delivery for unusual outgoing email patterns
- Watch for unexpected bounce-back emails — even a small number can be an early warning sign
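To put numbers on that early warning sign, the following added example (not part of the original guide or any Cynet tooling) parses saved bounce-back messages, lists the recipients that failed, and flags a burst of bounces within one hour. It assumes the bounces use the standard RFC 3464 delivery-status format and are available as raw message bytes; the function names, the threshold of 3 and the sample messages are constructed for illustration.

```python
from collections import Counter
from datetime import timedelta
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

def parse_bounce(raw):
    """Return (date, [(recipient, status), ...]) for an RFC 3464 bounce, else None."""
    msg = message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "delivery-status"):
        return None  # ordinary mail, or a bounce without a machine-readable report
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # header blocks: per-message, then per-recipient
            if str(block.get("Action", "")).strip().lower() == "failed":
                rcpt = str(block.get("Final-Recipient", "")).split(";", 1)[-1]
                failed.append((rcpt.strip().lower(), str(block.get("Status", "")).strip()))
    return parsedate_to_datetime(str(msg["Date"])), failed

def summarize(raw_messages, window=timedelta(hours=1), threshold=3):
    """Count failed deliveries and flag a burst of bounces inside one time window."""
    times, recipients, statuses = [], set(), Counter()
    for date, failed in filter(None, map(parse_bounce, raw_messages)):
        if failed:
            times.append(date)
            recipients.update(r for r, _ in failed)
            statuses.update(s for _, s in failed)
    times.sort()
    peak = max((sum(t - start <= window for t in times[i:])
                for i, start in enumerate(times)), default=0)
    return {"bounces": len(times), "recipients": sorted(recipients),
            "statuses": dict(statuses), "peak": peak, "burst": peak >= threshold}

def sample(date, rcpt, status):  # constructed test message, not a real bounce
    return (f"From: MAILER-DAEMON@mail.example.com\r\nDate: {date}\r\n"
            "Subject: Mail delivery failed: returning message to sender\r\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
            "--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
            "Reporting-MTA: dns; mail.example.com\r\n\r\n"
            f"Final-Recipient: rfc822; {rcpt}\r\nAction: failed\r\nStatus: {status}\r\n\r\n"
            "--b1--\r\n").encode()

SAMPLES = [sample(f"Mon, 03 Mar 2025 09:{m} +0000", r, "5.1.1") for m, r in
           [("00:00", "a@example.net"), ("05:00", "b@example.net"), ("10:00", "c@example.org")]]
SAMPLES.append(sample("Tue, 04 Mar 2025 15:00:00 +0000", "d@example.org", "5.2.2"))
SAMPLES.append(b"From: friend@example.org\r\nSubject: Lunch?\r\n\r\nSee you at noon.\r\n")
if __name__ == "__main__": print(summarize(SAMPLES))
```

Recipients you don't recognise in the output, or a burst flag, match the symptoms described at the top of this guide and are worth including in your support ticket.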
Frequently Asked Questions
How did the hacker get my password?
Common methods include:
- Phishing emails — You clicked a link in a fake email and entered your password on a fraudulent page
- Malware or keylogger — Malicious software on your computer recorded your keystrokes
- Data breach — Your password was exposed in a breach on another website where you used the same password
- Weak password — Simple passwords (e.g., password123, company2024) can be guessed by automated tools
Will changing my password stop the bounce-back emails?
Changing your password immediately stops the attacker from sending new emails. However, you may continue to receive bounce-back emails for a short period (up to 24–48 hours) as previously queued messages finish bouncing back. The volume should decrease rapidly and stop completely within a day or two.
Can the hacker still access my email after I change the password?
No — once you change the password, all existing sessions are invalidated and the attacker is locked out. However, make sure to also check for forwarders the attacker may have set up (see Step 3), as these could continue sending copies of your incoming emails to the attacker.
Will this affect other email accounts on my domain?
If only one email account was compromised, your other email accounts are safe as long as they use different, strong passwords. However, excessive spam from one account can trigger an outgoing mail hold for the entire domain and may cause the server IP to be blacklisted, which affects delivery for all email accounts on the server.
My emails are now being rejected by Gmail/Hotmail. What do I do?
If your server's IP has been blacklisted due to the spam activity, contact Cynet support. We will submit delisting requests to the affected providers. See also: Fix: Email to Hotmail/Outlook Blocked