Forum Moderators: phranque

Help, someone is using my domain name

         

gawotn

3:49 pm on Apr 21, 2007 (gmt 0)

10+ Year Member



Well, actually placing my domain name as the "return address" for the spam that they are sending out. The result, all of the undeliverables are returned to me, even though I didn't send it out in the first place!
I don't mind one every once in a while, but when they really get geared up, I can get several hundred returned to me in one day. I've checked the IPs and most are coming from third world countries. Is there anything that I can do to help stop this for good? Has this happened to anyone else?

pageoneresults

3:53 pm on Apr 21, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well, actually placing my domain name as the "return address" for the spam that they are sending out. The result, all of the undeliverables are returned to me, even though I didn't send it out in the first place!

Run a "DNS Report" for your domain. Take a look at the MX section and see if there are any warnings and/or failures there. Let us know what you find.

It sounds like SMTP Relay is on and if so, you'll need to get that corrected as soon as possible. You have a "catchall" mailbox set up, don't you?

jtara

8:59 pm on Apr 21, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It sounds like SMTP Relay is on

Nope, it sounds like it's just what he said - somebody is using his domain name in the "From:" and/or "Return-Path" headers of their spam.

This is one of the fatal flaws of today's Internet design. Anybody can put anything they want in their return address, and there's nothing that the legitimate owner of the domain name being used can do to stop it.

I had this happen to me a few years ago. Luckily, the perpetrator was in the U.S. and was advertising a "900" phone number (pay-per-minute service - in this case, "live girls").

Somebody was able to track down the operator of the 900 number, which was leased. The operator was cooperative, demanded an end to the spamming, and I even recovered monetary damages (which was purported to be the lessee's entire profit).

Good luck! If this is being done off-shore, you're not likely to be as lucky. If you have a way of contacting them, though, I would. They probably aren't TRYING to damage you - they just don't want the return mail, and probably didn't even bother to check if the domain exists or not.

bill

11:01 pm on Apr 21, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Have you looked into setting up SPF records [google.com] for your domain?

jtara

12:43 am on Apr 22, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Have you looked into setting up SPF records for your domain?

Although SPF records are useful (I have them and I recommend that all webmasters set them up) SPF records will NOT prevent most cases of this type of abuse of your domain name.

SPF records can prevent forgery of your domain name within the "envelope sender" address. ("can", because not all receiving SMTP servers use SPF to block email forgeries.)

SPF can NOT prevent forgery of header addresses.

So, what's the difference? A physical envelope represents a good analogy. The "return" address we are most familiar with as email users (From:) appears on the "letter" itself, INSIDE THE ENVELOPE. The "envelope sender" appears OUTSIDE the envelope, and usually isn't seen by users. (Our email software conveniently opens the envelope for us...)

The address that SPF protects is the one that appears in the "MAIL FROM" SMTP message. (It is "usually" preserved by email software in the "Return-Path" header - so, my previous post was not completely accurate.)

Mail agents (e.g. your email client software) generally send replies preferably to the "Reply-To" address (if present) or to the "From:" address if the "Reply-To:" address is not present. Reply-To: is a "header address", as is "From:".

Therefore, SPF cannot help prevent the owner of a domain forged as return addresses from receiving unwanted replies to the forged mail.

Unfortunately, there is no widely-adopted protection mechanism that addresses forgery of header addresses.

What SPF *does* do for you is to help prevent you from being *blamed* for email that forges your return address - at least by knowledgeable computer forensic experts.
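The envelope-versus-header distinction described in the post above, as an added example that is not part of the original thread: a receiver-side check that evaluates SPF against the SMTP "MAIL FROM" domain and then compares it with the domain in the "From:" header, which SPF never looks at. The domains, IP addresses and SPF records are constructed, no DNS lookups are made, and the evaluator is an assumption-level sketch that handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF policies (TXT record contents) keyed by domain; no DNS is queried.
SPF_RECORDS = {
    "victim.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message: both header addresses name victim.example.
SAMPLE = ("From: Sales <sales@victim.example>\n"
          "Reply-To: sales@victim.example\n"
          "Subject: constructed sample\n\nbody\n")

def spf_result(domain, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of the record for `domain`."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

def check_message(mail_from, client_ip, raw_message):
    """Return (SPF result for the envelope sender, header From domain, domains match?)."""
    envelope_domain = mail_from.rpartition("@")[2].lower()
    header_addr = parseaddr(message_from_string(raw_message)["From"])[1]
    header_domain = header_addr.rpartition("@")[2].lower()
    return spf_result(envelope_domain, client_ip), header_domain, envelope_domain == header_domain

if __name__ == "__main__":
    cases = [
        ("sales@victim.example", "192.0.2.10"),       # owner's own server
        ("sales@victim.example", "198.51.100.7"),     # envelope sender forged
        ("promo@bulk-sender.example", "203.0.113.9"), # only the headers forged
    ]
    for mail_from, ip in cases:
        print(mail_from, ip, check_message(mail_from, ip, SAMPLE))
```

In the third case the SPF result is "pass" even though the "From:" header names victim.example; only the comparison of the two domains exposes the mismatch.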