azurelunatic: Warning: participating in #dw may result in blacking out and discovering yourself as head of a project team. (#dw warning: department head)
Azure Jane Lunatic (Azz - bolt of blue - infovore) ([personal profile] azurelunatic) wrote in [site community profile] dw_antispam2010-02-24 15:16

Joe Jobs and You: how innocent bystanders get dragged into spam attacks

It's time for some informative digressions on Joe Jobbing.

What are Joe Jobs?

Rather than being Steve's less-famous younger brother, a Joe Job is where some spammer, scammer, or other lowlife forges a third party's information when carrying out an attack.

This is to be distinguished from the sort of attack where the lowlife cracks or otherwise gains access to the third party's property in order to carry out an attack.

From Wikipedia:
A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against him (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.

The name "joe job" originated from such a spam attack on Joe Doll, webmaster of Joe's Cyberpost. One user's joes.com account was removed due to advertising through spam. In retaliation, the user sent another spam with the "reply-to" headers forged to make it appear to be from Joe Doll. Besides prompting angry replies, it also caused joes.com to fall prey to denial-of-service attacks that took the web site down temporarily.

Some e-mail joe jobs are acts of revenge like the original, whether by individuals or by organizations that also use spam for other purposes. Spammers use the technique to cycle through domains and try get around spam filters and blocks.

Joe-jobbers could also be businesses trying to defame a competitor or a spammer trying to harm the reputation of an anti-spam group or filtering service. Joe job attacks in other media are often motivated politically or through personal enmity.


The parties in this scenario are the Attacker, Joe, and the Recipient.

Joe Doll on the Joe Job
Steve's JoeJob Page (warning: Comic Sans)
Fighting the email Joe Job on your personal domain: SPF (Sender Policy Framework)

The Joe Job in Spam

In spam, the joe job is generally found in e-mail, where the spammer (Attacker)forges their e-mail headers to appear that it is emitting from poor Joe's email address or domain.

If you ever suddenly found yourself getting a ton of returned mail that was spam that you never sent, and it was impossible that this could have been sent from your computer (if your security is airtight, or you have never set up an email client for that address and your email account is secure), or you are suddenly getting return mail to your catchall address for email addresses that don't even exist on your domain, you have probably been poor Joe in a joe job.

It's hard for the layman recipient of spam to tell what spam has been sent to you as the result of a joe job, and what is not. Sometimes it becomes obvious from looking at detailed email headers, if you happen to know what, say, hotmail's typical headers happen to look like, and you look at the email headers of the spam that claims to have been sent by Hotmail, and the headers show that while it claims to be a Hotmail address, the actual source is no more Hotmail than an elephant that's been painted blue* is a bikeshed.

Occasionally, an irate spam-recipient will contact Joe saying that they got spam coming from Joe, and this is just not on. Joe is either confused, if Joe managed to miss the barrage of incoming bouncebacks, or in the un-enviable position of explaining to the recipient what a joe job is, and hoping the recipient believes the truth.

Victims of a joe job may also have to deal with complaints from their hosting or email provider, registrar, and anti-spam organizations.

Who is the victim in a Joe Job? How are they hurt?

There are two victims.

The recipient's disadvantages are obvious: spam that they have to battle and clear away and block. (There are obviously more than one individual recipient, but recipients as a class count as one victim.)

Joe has incoming spam too, in the form of email bouncebacks (if this is an email joe job). Joe's reputation also suffers, because Joe has been associated with a spam attack.

Who benefits from a Joe Job? How do they benefit?

The attackers benefit from the joe job.

Very often in modern times, an email spam campaign is for the purpose of driving recipients to a website.
Sometimes this is the spammer's own website.
Sometimes this is a phishing website, where the spammer hopes to gain your valuable login information. In these cases, it may pose as a site you think you know.
Sometimes the site contains malware, to attempt to infect your computer so it can join a zombie botnet.
Sometimes, it's Joe's website, and getting you pissed off at Joe was the point of the attack.

I'm a Dreamwidth user. Am I likely to be the victim of a Joe job?

If you have a paid account and the paid account forwarding email address, it may be forged as a part of a spam campaign, making you (and, by extension, Dreamwidth) Joe. This form of joe job is rampant on sites such as LiveJournal.

This address may also be the recipient of spam, including possible spam sent as part of a joe job.

Any forum that allows anonymous comments or any other form of anonymous posting, or allows un-authenticated user accounts (such as a form where you enter your name and email address, but does not confirm that you own the email address) is vulnerable to someone simply posting a comment signed with someone else's name. If you have anonymous comments enabled, or frequent other journals that have anonymous comments enabled, this can be used against you.

If someone wishing to cause trouble for Dreamwidth emits spam that appears to benefit or otherwise implicate Dreamwidth, the whole site will suffer.

How can I help?

If you own your own domain, set a SPF record up for your domain. This will reduce the likelihood that your domain can be used against you in a Joe Job, and if someone does use it, will reduce the distance the emails can be spread.

If you manage a mail server, configure it to respect SPF records. This will reduce the amount of spam that your email users receive, and will reduce the bad bouncebacks your mail server emits to Joe.

If you receive spam, always consider the possibility that the apparent sender may be the victim of a Joe Job.



* [personal profile] exor674 points out that the bikeshed should be red.
return
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2010-02-24 23:35 (UTC)(link)
(ps: the wikipedia link goes to this entry)