Sabotage! Coping With The Joe Job
By Dillian Thomas

If you run an ecommerce Website, you probably find that competition can be very steep, especially in certain markets. Maintaining a credible reputation in a world full of fly-by-night scams, and earning the trust of your visitors, can be among the most difficult aspects of Web marketing. Add competitive sabotage into the mix, and you could be in for quite a fight to keep your good name.

One particular type of sabotage you may come across has been used historically as a revenge tactic against those who have spoken out about spam and hacking; it's called a "Joe Job". This form of sabotage is increasingly used as a weapon in the online marketplace, and, if you're unfortunate, it may one day be aimed at your Website.
Many Webmasters who have never heard of a Joe Job are learning from bitter experience just how much of a threat it can be, especially as they are ill-prepared to deal with the fallout that follows this type of attack. To deal with the Joe Job effectively, it's necessary to understand the Joe Job before an attack.

The Joe Job – Case Studies

The Joe Job is nothing new to the Internet; in fact, the phrase was coined by an attack at Joes.com in January of 1997. A spammer utilizing the free services of Joes.com had been barred from usage, and sought revenge against those responsible.
This spammer's revenge was felt across the Web via a flood of spoofed emails sent out in the name of Joes.com in an attempt to enrage recipients into taking action against the company Website, which, indeed, they did.
In June of 2003, my own site, BoxedArt.com, was hit by a tremendous Joe Job, as part of a series of varied attacks. These attacks were made not by a disgruntled spammer as with Joes.com, but represented a newer implementation of the Joe Job -- competitive sabotage. Over the course of our first Joe Job, we learned many tactics that helped us deal with this situation, and when the site was hit by a second Joe Job on October 28, 2003, we were able to cope with, and end, the attack in a fraction of the time.
Before we discuss the measures we implemented to combat this second attack, I should explain why a Joe Job is such an efficient weapon.

The Joe Job in Detail
Essentially, a Joe Job is a very crude form of identity theft. Your email address is used as the "sender's address" in most cases, and your Website URL is advertised, but an especially diligent and vicious attacker may even use your name in the signature of the message. The email will not only be sent to thousands, hundreds of thousands, or millions of addresses, but it will be sent multiple times -- possibly dozens or hundreds -- to each recipient before the attack ends.
You will first become aware that your site is the victim of a Joe Job by receiving a few bounces when you check your email. Those few bounces will be followed by hundreds, or thousands, or millions of additional bounces, which will soon be followed by unsubscribe requests, followed by complaints, followed by threats of reporting your business to the authorities, followed by threats of bodily harm, followed by all-out mail bombing (the automated sending of multiple emails, often with large attachments, for the purpose of filling up or flooding your email account). Soon after this, you may begin to receive nasty phone calls if you provide your phone number on your Website, or have your phone number listed with your domain registrar.
You might expect to be contacted by your Web host and domain registrar; however, you may never receive these emails if your email account is filled with large files and profane emails. You can then expect to have your services revoked, as your service providers will, no doubt, have very strict policies against spamming. If you are ever able to clear up the situation with your service providers, you will likely find it difficult to send email or gain the trust of the public again, as your domain name will be blacklisted by many major spam filtering companies. There may also be a feeling of general distrust against your company for having "engaged in illegal and misleading spam tactics". You may even find yourself subject to a heavy fine for the massive amounts of spam that were sent in your name.
This is the kind of damage that can be accomplished by a Joe Job if it is allowed to run rampant and unchallenged. However, with the methods revealed here, you will stand a more than fair chance of turning a potentially devastating assault into a mere headache.

Step 1 - Inform and fight back!
When you first become aware that you may be the victim of a Joe Job, you should immediately acquire and read a copy of any material that's being mailed out in your name. This will be pretty simple, as your inbox will already be flooded with bounces of the message.
If the Joe Job is indeed an attack against your Website, your URL will be advertised within the message. As a result, some recipients will likely visit your Website, possibly to look around for a way to get off what they think is your mailing list, or to find a place to report the spam. These people are proactive types, so it's important that you display prominently on your Website information that explains the situation to them, as well as a message that asks for their help in ending the annoyance for you and them.
First, explain that you are not the sender of the spam, and that you do not have their name on a list. You should also publish an example of the message that's being distributed, and explain why you believe it is being sent; however, don't name names unless you are ready to take the issue to court. Once you've explained, and apologized for, the situation, solicit users' help. This will be your most valuable weapon, and may be the only way to put an end to the Joe Job!
While it is possible to forge the sender's email address in a spam, it is NOT possible to forge the source IP of the server that sent the email. This means that the Web server that's being exploited to send the email can be found and shut down. Many recipients of the spam will be quite motivated to end it any way possible, and if they're at your Website, they're already looking for a way to report the issue or take further action to end it. Below are the instructions you can provide them to do just that:

Start of instructions to provide on your Website for recipients to combat the Joe Job:
1. In your email program, enable viewing of Headers.
Example:
(Replace the header below with one from one of the bounces you have received. The IP address has been replaced with xxx.xxx.xxx.xx in the example below.)
Received: from adsl-xxx-xx-xx.bgk.bellsouth.net [xx.xxx.xxx.xx] by example.com
    (SMTPD32-8.00) id AD587D1017C; Wed, 04 Jun 2003 16:58:00 -0400
Message-ID: <2003063883.31625.qmail@example.com>
Date: Wed, 4 Jun 2003 13:59:48 -0700
From: "sender"
Subject: Daily news from your Website
To:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-RCPT-TO:
Status: U
X-UIDL: 352928421
The only part of these headers that you CANNOT forge is the Received: lines.
Notice that this message was from xx.xxx.xxx.xx, which is a BellSouth IP address. (All IP addresses are assigned to companies/countries.)
I again emphasize: the sender's EMAIL ADDRESS is SPOOFED. This is where the attacker wants you to believe the mail is coming from -- but it is NOT. The sender's email address is worthless.
2. Go to SpamCop, paste the header into their Website, and hit Interrogate. SpamCop will look up who owns the IP, and tell you who to send Abuse Reports to. On the next page, you will be able to send the correct party an Abuse Report. In your message, include the entire email you received, as well as a message, such as:
"I am receiving spoofed messages from the server addressed in the headers of this email. Please shut down this server immediately, or close the relays on the box. You are hosting a machine that is spamming and may be held liable if you refuse to correct this issue."
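
The header check from steps 1 and 2, automated over many copies of the spam so abuse reports go to the networks sending the most. This is an added example, not part of the original article. It reads the IP only from the Received line stamped by the reader's own mail server, because any lines below that one are supplied by the sending side. The host names, the trusted_by parameter and the sample messages are constructed assumptions.

```python
import email
import ipaddress
import re
from collections import Counter
from email import policy

# "from <name> [<ip>] by <host>": the bracketed IP is what the stamping server saw.
RECEIVED_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f:.]+)\].*?\bby\s+(?P<by>[\w.-]+)", re.S)

def source_ip(raw, trusted_by):
    """IP recorded by the newest Received line stamped by a host in trusted_by."""
    msg = email.message_from_string(raw, policy=policy.default)
    for line in msg.get_all("Received", []):        # newest hop is listed first
        m = RECEIVED_RE.search(str(line))
        if not m or m["by"].lower() not in trusted_by:
            continue                                 # unparseable, or not our server's stamp
        try:
            return str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue                                 # malformed address
    return None

def tally_sources(raw_messages, trusted_by):
    """Count source IPs over many copies of the spam, most frequent first."""
    found = (source_ip(raw, trusted_by) for raw in raw_messages)
    return Counter(ip for ip in found if ip).most_common()

def _sample(*received):
    """Build a constructed message with the given Received lines (newest first)."""
    head = "".join(f"Received: {r}\n" for r in received)
    return head + 'From: "sender" <news@victim.example>\nSubject: Daily news\n\nbody\n'

STAMP = "by mx.recipient.example (SMTPD32-8.00) id AD1; Wed, 04 Jun 2003 16:58:00 -0400"
# Constructed samples; hosts are placeholders, IPs are from documentation ranges.
SAMPLES = [
    _sample(f"from adsl-1.isp.example [203.0.113.45] {STAMP}",
            # Line supplied by the sending side, pointing at the victim:
            "from mail.victim.example [192.0.2.10] by adsl-1.isp.example; "
            "Wed, 04 Jun 2003 16:57:00 -0400"),
    _sample(f"from adsl-1.isp.example [203.0.113.45] {STAMP}"),
    _sample(f"from relay.other.example [198.51.100.7] {STAMP}"),
    _sample(f"from adsl-xxx.isp.example [xx.xxx.xxx.xx] {STAMP}"),   # masked, skipped
]

if __name__ == "__main__":
    for ip, count in tally_sources(SAMPLES, {"mx.recipient.example"}):
        print(f"{ip}\t{count}")
```
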

(continued)
Page 2


Reprinted with permission from:
Dillian Thomas, Security Advisor for Boxart.com

ALSO SEE:
Wikipedia "Joe job"
Boxart attack

