How do compromised ESP accounts cause widespread spam?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine someone steals your ESP login credentials overnight. By 6am, they've already sent 400,000 spam emails. Your account. Your sending domain. Your reputation on the line.
Here's why account takeovers hit so hard in the ESP world specifically. Your account already has a warm sending reputation. It passes SPF and DKIM checks because it's using your real authentication. Spam filters that would instantly block a brand-new unknown sender give it a free pass, at least initially. The attacker is basically borrowing your years of good behavior.
ESPs are built for scale, so that's exactly what attackers use them for. A single compromised account can send millions of messages in a few hours. That's not an exaggeration. The ESP's infrastructure is designed to handle huge volumes quickly, and there's no mechanism that immediately flags a sudden sending spike as malicious until enough complaints pile up.
How long before detection? It varies, but often faster than you'd hope and slower than you'd like. Automated abuse detection at most ESPs can catch unusual volume spikes within hours. Complaint-based detection depends on how quickly recipients hit "spam." In practice, a compromised account can send millions of emails before the account is suspended. By the time you get that suspension email, the damage is already done.
What damage looks like after the fact:
- Your sending domain lands on blocklists like Spamhaus, sometimes within hours of the attack
- Your IP reputation (or your ESP's shared IP reputation) drops sharply
- Your legitimate emails start landing in spam folders, even to subscribers who love you
- The ESP may suspend your account entirely, cutting off your ability to send anything at all
- Rebuilding reputation after a compromise can take weeks to months
There's also a secondary hit that's easy to miss. Your subscriber list may have been exported during the attack. Those contacts can end up in phishing campaigns or sold to spammers, which creates a longer trust problem beyond just your own deliverability.
The cruel irony is that the better your sender reputation was before the attack, the more useful your account is to attackers. A well-warmed domain on a reputable ESP passes filters that a fresh domain never could. (Which is exactly why attackers target active senders, not dormant ones.)
Protecting against this starts with credential hygiene and watching for signs of unauthorized logins. Enable two-factor authentication on your ESP account. Check your sending logs regularly so a spike at 3am doesn't go unnoticed until Monday morning. If something looks off, use our free blocklist checker to see if your domain has been flagged already.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.