
Spammers using my domain as from

What can I do about it?

         

monkeythumpa

5:35 pm on Jul 7, 2006 (gmt 0)

10+ Year Member



I am getting hundreds of bounces a day from invalid addresses that spammers are sending to. The from addresses are random names @mydomain.com. I have SPF on my domain and it never matches. They are just sending with a spoofed address.

The emails are originating from Polish, Russian and Croatian IPs. The sites seem to be hosted on private servers and I can't find contacts for them. I have contacted the registrars of the domains in the SPAM and all are unresponsive when I tell them that the contact information is bogus and to remove the nameserver info.

Am I barking up the wrong tree? What else can I do? I would prefer not to ignore it. Is there anything else I should be looking for in the header that might reveal their identity?

stapel

6:21 pm on Jul 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Spammers and their hosts, by their very nature (hostile, abusive, and illegal), aren't likely to provide valid contact information, nor are they likely to comply with requests for assistance. So it's probably a waste of time to attempt contacting the criminals directly and asking them please to be nice.

Your domain is being used as the fake "From" address. The "bounces" are not your fault, nor are they the fault of the unhappy recipients of the spoofed spam. I would suggest that you set your "default" address to ":blackhole:", so the "bounce" messages addressed to invalid "From" addresses simply disappear.

I'm not conversant on how, exactly, SPF is supposed to work, so I can't help you there.

Eliz.

jatar_k

6:24 pm on Jul 7, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



There isn't really much you can do. I had the same happen to me for a while, and it was on a personal address; really sucked.

It went away after a while. I spoke to my own ISP to alert them to the fact that this was happening so they didn't blame me and try to shut me off.

jay5r

7:17 pm on Jul 7, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



It happens - anyone can send an e-mail that looks like it's from anyone else... It's just the way SMTP works. As a result, spammers can use your e-mail address, or any e-mail address ending in your domain, as the From whenever they like. No hosting company will ever hold this against you. They'd need to look at the contents of the spam and see if it directs people to your site. If it does - then you're in trouble, but that's not the case here 'cause you're not the one sending the spam.

In addition to what others have added, I'd suggest setting up SPF for your domain (if you haven't already). SPF tells mail servers what the legitimate mail servers are for your domain. Anything not going through one of the designated servers should be treated as probable spam.

It's important when you set up SPF to lock down the servers and not leave it open to other servers (which is possible under the spec). This means, however, that when you send something from a place like craigslist it may very well be seen as spam unless they also include a "sender" header.

You can read about SPF at [openspf.org...]

SPF only helps so much since spammers often set up SPF records for the domains they send from, but SPF does help a bit. IMHO, if you have SPF set up for your domain spammers will be less likely to use your domain as the from address since the mail servers that have implemented SPF-based checks will be likely to discard the message. Many of the big hosts do these checks - AOL, HotMail, to name two big ones.

SPF is set up on the DNS level. To see if SPF is set up for your domain change example.com to your domain in the following URL:
[dnsreport.com...]

That will show you a whole bunch of things about how your DNS record is set up. You'll probably want to follow up on anything that shows up red on the report. If you don't control your DNS settings you'll need to work with your hosting service to get SPF set up.

leadegroot

1:56 pm on Jul 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yep, I had this happen last week. Came back from a short holiday to find all hell has broken loose and the host has turned off the website for the domain. *sigh* Have to wait for the weekend to be over to hear back from them, I guess. &^$%& spammers!

monkeythumpa

9:22 pm on Jul 10, 2006 (gmt 0)

10+ Year Member



I guess SPF was configured for my domain but it was wide open. I ratcheted it down to my domain and the spam stopped. Either their ISP finally got around to shutting them down or the SPF worked. Thanks guys.
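Added example, not part of the thread: a small Python check for the "wide open" versus locked-down SPF records discussed above. The sample records, the `audit_spf` name and the prefix thresholds are assumptions made for illustration.

```python
import ipaddress

# Assumption for this example: a passing IPv4 range wider than /16 (or IPv6
# wider than /32) counts as "broad". Tune to your own mail infrastructure.
MIN_PREFIX = {4: 16, 6: 32}

def audit_spf(record):
    """Return findings for one SPF TXT record; an empty list means locked down."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, saw_all, saw_redirect = [], False, False
    for term in terms[1:]:
        low = term.lower()
        name, eq, _ = low.partition("=")
        if eq and name.isalnum():            # modifier such as redirect= or exp=
            saw_redirect |= name == "redirect"
            continue
        qualifier = low[0] if low[0] in "+-~?" else "+"   # no prefix means pass
        body = low.lstrip("+-~?")
        if body == "all":
            saw_all = True
            if qualifier == "+":
                findings.append("+all: every host on the Internet passes")
            elif qualifier == "?":
                findings.append("?all: unlisted senders get 'neutral', not a failure")
            elif qualifier == "~":
                findings.append("~all: unlisted senders only soft-fail")
            break                            # terms after 'all' are never evaluated
        if qualifier == "+" and body.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(body[4:], strict=False)
            except ValueError:
                findings.append(f"{body}: malformed address or prefix")
                continue
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append(f"{body}: passing range of {net.num_addresses} addresses")
    if not saw_all and not saw_redirect:
        findings.append("no 'all' term: unlisted senders get 'neutral' by default")
    return findings

# Constructed sample records (192.0.2.10 is a documentation address).
SAMPLES = {
    "wide open": "v=spf1 a mx ip4:0.0.0.0/0 ?all",
    "locked down": "v=spf1 mx ip4:192.0.2.10 -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, "->", audit_spf(rec) or "no findings")
```
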