Compromised Client - Abused User Account
search cancel

Compromised Client - Abused User Account


Article ID: 162232


Updated On:




You have received email notification from Symantec Email an individual end user account is sending spam through Symantec Email or a user is receiving a bounceback when trying to send outbound mail that indicates they are on the badmailfrom list. 

553 sorry, your envelope sender is in my badmailfrom list. Please visit for more details about this error message and instructions to resolve this issue.(#5.7.1)


Full investigation needs to be performed to ascertain how this user account became compromised. It is usually a case that the user replied to an email which asked for their username and password. We would advise you check with the user in question to see if this is the case and, if it was, please send us the email which was replied to so we can add detection for it.


Due to the reasons outlined we have had to put a block on this user from sending email through Before we can re-enable this user account we will require the following information. Please copy and paste this list along with the answers into your technical support case.

1) Was a detailed virus scan of all machines on your network completed? 
2) Were any machines found to be infected? 
3) If any machines were infected, how have they been cleared of infection? 
4) Did the user in question respond to an email with their user credentials? 
5) Did they follow a link requesting their user credentials? 
6) If you have answered 'no' to questions 2, 3, 4 and 5, please confirm how the user was compromised. 
7) Has the password for this user been changed, and is this a strong password which could not be easily guessed?
8) Please confirm the user cannot re-use any of their previously used passwords. 
9) Has the user been educated to not reply to emails asking for usernames and passwords? 
10) Have any other users responded to similar emails? 
11) If other users have responded to similar mails, what action is being taken to prevent further compromised accounts?
12) Please provide a copy of the phishing mail received by the user so we can add detection for it. 
13) Have you read our best practice guidelines located at