A number of site owners use a catch-all email setup. In that situation all emails for example.com are accepted, independent of the username part of the email address.

Someone may have used your domain name as part of a made-up email address when signing up to a service - that's certainly happened to me (I know because I contacted one site owner and got some of it stopped). That's why many services require the email address to be validated.

Kaled.

Once a domain name gets into the wild it seems normal to get spam at randomname@example.com

Until I ditched the account that had an automatic catch all I didn't know what was worse. The spam in the inbox or the bounces where the spammers had spoofed randomname@mydomain on the outbound messages (and no the originals weren't coming from my PC)

lammert- So true. We get hundreds of random OtherUsername@example.com attempts every day.

kaled- True, but I don't know of any that would use the user's own e-mail address as the from address.

piatkow- I know that also. But it's the SAME InvalidUserName@example.com over and over.

One trick done with a particular windows based email server is to create an empty distribution list. Add the spammed address to the list's email attribute (not as members in the list).

Instant black hole!

Black holes are part of the problem, not the solution. By adding a black hole to your mail server (or any post-reception spam filter), the spammer will conclude that the delivery completed successfully and will therefore continue to spam that email address. The only possible solution is to send a 5xx type error response when the spammer attempts delivery and reject the message. This can be accomplished by using a list of existing email addresses, rather than a catch-all configuration.

The only possible solution is to send a 5xx type error response when the spammer attempts delivery and reject the message.

And the bounce goes back to the spoofed "from" address while the spammer carries on spamming.

The whole email system is flawed by virtue of being 100% push. I've said it before but...

The only sensible way to ensure email can be authenticated is to push an "I'm here" message to the recipient who can then download the full message from the originating server. Would this stop spam entirely? Probably not, but address spoofing would be impossible and spam detection would be trivial. Email clients would have to work differently behind the scenes but there needn't be much difference as far as the user is concerned. Services like Hotmail could continue without users being able to see any difference whatsoever.

Kaled.

And the bounce goes back to the spoofed "from" address while the spammer carries on spamming.

No. A 5xx error response is not a bounce. It is sent directly to the sending SMTP server after the headers are received but before the message content is uploaded to the receiving mailserver. A 5xx error message goes straight to the spammer, not to the spoofed email address.

I feel for you mate.

We also experienced the same thing. We are receiving spam emails everyday and it's so annoying. We emailed the person handling our server email to fix this problem.