Since about 2 July 2003, various of my email addresses have been the targets of a "Joe job" by some anonymous, cowardly criminal(s) who remain unknown, but whose actions have been reported to the FBI.
Here is the "Joe job" material I moved to this new "Joe Job" Report from the older Dotcomavenue Report.
Contents:
- What is a "Joe job?"
- What are the effects of a "Joe job?"
- What precipitated the "Joe job" against me?
- What email addresses were attacked?
- Who is performing this "Joe job?"
- How many people is the vandal spamming?
- Where does the attack email come from?
- What does the fake spam look like in my case?
- How many others have been "Joe jobbed?"
- How have my ISP and registrar behaved?
- What solutions might there be?
Latest Updates: 19 August 2003 - New Joe Job attack features random-character subject line. See the fake spam.
"Joe job" is a term used to describe the act of forging bulk email headers so that the email seems to the recipient to have originated with the victim.
Some people use the term "Joe job" to describe any such falsification of email origins, such as is frequently the case with spam that actually promotes some product or service.
Other people use the term "Joe job" to describe such falsification only when it is done as part of a deliberate attack upon an individual's or organization's email service, internet service, domain registration service, business and reputation.
For alternate explanations of the Joe job please see Everything2, TechTV, Online Tonight, SpamFAQ, COTSE, and SpamCop. There are others.
The effects of a Joe job attack are several:
First, there is a huge flood of messages that overflows the victim's mailboxes. These flood messages are primarily bounce messages due to undeliverable email to closed email accounts, spam-filters advising that the receiving email account does not accept spam, auto-responses from people away from their offices, auto-responses from people using challenge-response spam filtering, remove/unsubscribe requests, and some direct emails from very irate people.
Second, the victim's email *domain* is blocked by some internet service providers. In the world of spam filters, it seems there are those like SpamCop and SpamAssassin, who apparently only block email based on message content and on the IP address of the machine that injected it into the internet. The IP address is, as you probably already know, different from the domain mentioned above. Filtering on IP addresses is, in my opinion, the more responsible approach because of the ease with which an attacker (or any spammer for that matter) can and frequently does forge false return addresses in email headers. That certain large internet service providers block email by *domain* means that ALL email bearing the victim's return address, both legitimate and illegitimate (bearing a forged return address), is blocked.
Heaven forbid that a victim should be a small business trying to maintain contact with customers via email. An attack such as this could have severe consequences for the victim because his legitimate business email could be blocked by the improper use of domain-based spam filtering.
Third, the attack causes complaints to the victim's internet service provider's and domain registrar's Abuse desks, potentially causing the victim's service to be cut off due to apparent violation of the terms of service, which generally prohibit spamming.
Fourth, the victim winds up getting MUCH more spam, and much more exposure to email-borne malware like viruses and hostile scripts in HTML-formatted email.
Fifth, a great deal of ill-will is generated against the victim among the thousands or millions of recipients of the false, forged, apparent-spam, attack message.
There may be other results of the "Joe job" that I've forgotten or not considered.
Without the slightest shadow of a doubt, this report is what torments my attacker(s). Perhaps the fact that my report is the first hit in a Google search of the subject's domain name (the subject of the report is the second hit) is particularly irksome to my vandal.
Caveat: It is important to note that I have no way of knowing whether the "Joe job" artist has any affiliation with the subject of my report. "Plausible deniability" is established by the possibility that any vandal could have taken offense at my "do-gooding," and then set out to get me in a spirit of simple malice.
I have no idea who is committing this crime.
I have no way of knowing the size of the vandal's mailing list, but I guess it must be large. That's based on the peak rate of bounce message arrivals, which I estimated to reach as high as 100,000 messages per day per account.
steve@stevesturgill.com
dotcomavenuevictim@cox.net
dotcomavenuevictim2@cox.net (This one was attacked within about four hours of its having been posted to the report.)
slsturgi3@cox.net
In my particular case, the attack appears to be launched by someone who has access to a network of computers possibly compromised by trojan relay "bot" malware. Many of the bounce messages contain the headers on the spam that was sent. Checking a small random sample of these headers shows that most of the messages originate in China, Taiwan, Korea, Brazil and a few other places. This does not yield any information, though, on the whereabouts of the vandal using this trojan network to relay the fake spam.
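Here is an added example (not part of the original page) of how the bounces described above can be read: it parses a constructed bounce that carries the forged original message and walks its Received chain from the receiving site's own relays downward to the IP that actually injected the message, which is separate from the forged sender domain. The domain example-victim.test, the host names, the trusted network and all IPs are made up for this example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a bounce (DSN) that carries the forged original message.
# All addresses, hosts and IPs are made up for this example.
SAMPLE_BOUNCE = """From: MAILER-DAEMON@mx.example.org
To: steve@example-victim.test
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

The recipient mailbox no longer exists.
--B
Content-Type: message/rfc822

Received: from mx.example.org (mx.example.org [198.51.100.7]) by store.example.org
Received: from unknown (HELO victim) ([203.0.113.45]) by mx.example.org with SMTP
From: steve@example-victim.test
To: closed-account@example.org
Subject: Special offer

Buy now.
--B--
"""

# The receiving site's own relays: their Received lines are trustworthy,
# anything below them was written by outside hosts and may itself be forged.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage_bounce(bounce_text, trusted_nets=TRUSTED_NETS):
    """Return (forged sender domain, IP that injected the message) or None."""
    outer = message_from_string(bounce_text)
    wrapper = next((p for p in outer.walk()
                    if p.get_content_type() == "message/rfc822"), None)
    if wrapper is None:
        return None                      # bounce did not include the original
    original = wrapper.get_payload(0)
    sender_domain = original.get("From", "").split("@")[-1].strip(" >").lower()
    # Received headers are prepended hop by hop, so the top one is the newest.
    # Walk downward until we leave our own relays: that hop is the real source.
    for received in original.get_all("Received", []):
        match = BRACKETED_IP.search(received)
        if not match:
            continue
        hop_ip = ipaddress.ip_address(match.group(1))
        if not any(hop_ip in net for net in trusted_nets):
            return sender_domain, str(hop_ip)
    return sender_domain, None
```

The result is the pair a receiver should act on: block or rate-limit the injecting IP, not the domain in the From line, which is exactly what domain-based filtering gets wrong.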
The attack is in the form of messages to very large emailing lists, which messages appear to be spam for a service I am said to offer. The fake spams bear my email addresses (some also bear my former home phone number). Here are a couple of early examples. I'll add some more.
Who knows? I had never heard of the "Joe job" before having it happen to me. Apparently the first "Joe job" happened to Joe Doll, which is how the "Joe job" came to be named.
Since then it seems the practice has taken off. I gather that many prominent people have been "Joe jobbed," along with many anti-spam activists, people reporting spam to spam activists, and individuals like myself who write reports like the one I linked above.
Here is a short list of a few other "Joe jobs."
Cox Communications and Register.com have been pretty decent so far. Both have received complaints against me, and have open tickets on me. Cox clearly understands that these "Joe jobs" occur, and also is fully aware of the existence of trojan-compromised computers acting as spam relays (which is the reason Cox has blocked port 25 system-wide). I missed Register.com's first Abuse notice, what with the deluge of bounce messages I was dealing with. I received a second notice telling me they were taking no action at this time, but asking me to respond with any explanation and evidence I had, which I did.
I do not expect to be shut down by either of my service providers, though I expect to deal with other fallout from these "Joe jobs" for some time to come.
There are a number of proposed standards that would probably help.
- Source Authentication
- Trusted Email Open Standard
- SMTP+SPF
- DNSSEC
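As an added example (not the page's own code, nor that of any of the proposals listed), here is a minimal SPF check of the kind the SMTP+SPF item describes: the receiving server looks up the sender domain's published policy and, on a hard fail, refuses the message inside the SMTP session, so no bounce is ever generated back to the forged address. The SPF record, domain and IPs are constructed; real SPF also has include, a, mx and other mechanisms that require DNS lookups and are not modelled here.

```python
import ipaddress

# Constructed policy for the forged sender domain (an assumption for this
# example): exactly one host may send its mail, everything else hard-fails.
SPF_RECORDS = {
    "example-victim.test": "v=spf1 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for one connecting client."""
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"                  # domain publishes no policy
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                # a bare mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            # a mismatched IP version never matches, so no special casing
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        # include:, a, mx, exists: need DNS and are not modelled here
    return "neutral"                   # nothing matched and no 'all' term

def smtp_verdict(mail_from, client_ip):
    """Decide at MAIL FROM time: a hard fail is refused in-session, so the
    receiver never has to send a bounce to the (forged) return address."""
    domain = mail_from.rsplit("@", 1)[-1]
    if check_spf(domain, client_ip) == "fail":
        return "550 5.7.1 Sender not authorized by SPF"
    return "250 OK"
```

With this in place a relay in a bot network that injects mail with a forged example-victim.test sender gets a 550 from any receiver that checks SPF, and the victim's mailbox sees nothing of it.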
"Perfect is the enemy of good enough." This article is advocating DNSSEC, but the link phrase applies across the board. It's time to set some standards to rein in jungle anonymity. Anonymity and privacy are two different things; loss of the former does not necessarily lead to loss of the latter, and would, in fact, make the internet a more useful, less dangerous, much more spam-free "place."
Unfortunately, it seems to me that a technical solution will require legislation to move it forward. DNSSEC, for instance, has gone nowhere in ten years.
Some people think new legislation is exactly the wrong approach, and I agree if the legislation imposes specific technical solutions. What I think will work is legislation to impose licensing requirements on providers of internet and internet backbone services. These licensing requirements would be performance-based, and would leave it up to the industry to devise specific methods. Legislation might mandate source authentication (eliminate source anonymity), minimum security standards (header standards policing, malware filtering).
While I am not technically adept enough to know what the actual technical solution should be, I am convinced that something needs to be done, and that something CAN be done if the political will can be brought to bear. If not, email is on a fast path to uselessness.
Please write to your Senators and Representatives, if you are in the United States, or to your own government's officials if elsewhere. Something has to be done.
If you have a digital signature and want to write, I'll be at joejob@cox.net. For now I'm attempting to distinguish legitimate from illegitimate email based on whether it is digitally signed or not. Then again, if this site gets "Joe jobbed" you might need to be persistent.
If you don't have a digital signature, you can get one at no charge from Thawte. It's probably good to learn something about digital signatures anyway. Security can be a hassle, and the only certainty is that you'll never get it all, but it pays to try to understand at least a little. In fact, that's the bright side of this sorry story: I'm learning a little something.
as of 17 August 2003