Why would someone send Spam?
No one mail filtering service is 100% accurate and as sending emails are effectively free, they use mass numbers to their advantage. Send 10, 000 emails for a total price of $0 and if just 10 users are “suckered” the spammers still make something out of it.
however if there is a will there is a way. Spammers use large botnets with tens of thousands of computers all of which have a different public IP address, so IP based blocking can prove to be ineffective in this manner.
How do they get your email account details?
Stolen email account credentials
Generating mail via web scripts
obtaining the passwords from a client’s computer. This is typically done by infecting the client’s computer with a virus or malware of some sorts. The passwords are either read directly from an email client such as Outlook or Thunderbird without a user knowing or by scraping the information while it is in transit (over the network) assuming the user is not using a secure encrypted protocol. So once a spammer has these details, they have all they need to send spam.
SMTP server: check
Most web hosts enforce a maximum number of emails/hour to prevent abusive nature. Spammers quickly learn what these limits are on a per sever/account level and will be careful not to reach these limits so they can gradually send spam at a continuous rate without interruption or detection.
Use complex passwords, and we really mean it! https://mxtoolbox.com/PasswordGenerator is an easy way to generate a good password.
Don’t use the same password across all email accounts (no matter how complex)
Use SSL/TLS when communicating with your mail server if they support it. If they don’t ask why not!
Ensure you have reliable antivirus/malware protection on your computers. Viruses don’t just come in via email, you can download them as well so make sure you are careful on the web!
Change your password regularly. This can actually help quite a bit!
Unfortunately many site owners running WordPress rarely patch the core software and even less frequently the themes or plugins for fear that it will “break” the website. This essentially gives the attackers three playing fields to work with. If the content management system, all themes, and plugins are all patched the spammers will revert to simply attempting to brute force the administrator login to the website so they can fully control the content and upload malicious scripts. CloudFlare (https://www.cloudflare.com) and Akamai (http://www.akamai.com/) have published multiple articles detailing the scale of these attacks, and it is safe to say they are still ongoing and will continue into the foreseeable future.
One of the big issues with sending spam via a web script is that it is somewhat difficult to limit. cPanel and other popular control panels have limited capabilities to throttle a number of times a user can call the send mail command for example. This means the previous limits of 60 emails/hour do not come into play here, so theoretically a user can send 1000 emails/minute and never be throttled by the mail server. Most of the methods previously mentioned such as changing the envelope sender on a regular basis also come into play here. As mail generated via a web script can be crafted in virtually any manner, the sender, recipient, subject etc can all be fully customised with little effort. As a result of this, it is often the job of an external mail filtering service to prevent spam being sent out, however even a small number of servers (e.g. 20) can generate and an astronomical amount of spam in a very short space of time, quickly overloading spam filtering appliances.
You can do your part to prevent abusive nature by following these key points:
Keep your website software up to date (If possible, schedule automatic upgrades), you can easily add this through Softaculous in advanced settings when installing WordPress or you can use something like Wordfence to alert you when a theme or plugin is outdated.
Keep all plugins and themes up to date
Protect your passwords to FTP and email accounts, and change them regularly
Scan your website for malicious content (the plugin Wordfence (which is free) for WordPress is quite effective in this area)
If you must share your passwords with web developers, change them before and after they are given access.
When communicating with your email/web host, try to use secure protocols for SMTP/POP/IMAP and FTP (SFTP)
Use strong passwords!
NEVER use the same passwords across multiple accounts
Consider offloading your website to a cloud-based WAF (Web Application Firewall) such as CloudFlare
Ensure your websites files have correct ownership and modification properties set (never make a directory or file world writable!)
Remove unnecessary files from your website (That simple contact form you wrote in 2002 isn’t secure anymore, get rid of it if you don’t need it!)
If you do need said contact form, ensure it has a verification process or catchpa in place to prevent abuse.
Report spam to network operators, particularly in Australia. Most network operators in Australia are quite responsive and will shut down spam at the source when notified.
If you have a VDS/VPS or dedicated server of some sort, see if your provider can offer some level of email filtering. If they can’t, there are many cloud-based filtering services available, just search!
Together (Hosting providers and website operators) can work together to limit the ability of spammers, it just makes the world a happier place.