Spam backscatter and joe-jobs (was: Since I'm feeling lucky ...)
Benjamin Scott
bscott at ntisys.com
Sat Nov 20 18:32:00 EST 2004
I was asked off-list about spam backscatter and joe-jobs. Rather than
make a private reply that only helps one person, I'm posting a public one
that will hopefully inform many.
SMTP = Simple Mail Transport Protocol. The mechanism behind email.
MTA = Mail Transfer Agent. A working instance (host) of SMTP.
MX = Mail Exchanger. The host(s) designated to receive mail for a domain.
The design of SMTP includes a mechanism to notify the sender when an email
message cannot be delivered. This is called a "Delivery Status
Notification", or DSN. DSNs indicating failure are commonly called "bounce
messages". DSNs can also indicate successful delivery, as well as delays
and intermediate progress.
DSNs are sent to the "SMTP reverse-path" -- essentially analogous to a
"return address" on a regular, physical mailing. For those familiar with
the SMTP protocol, the "reverse-path" is specified by the "MAIL FROM"
command verb. Also as with regular mailings, in SMTP, the return address is
filled in by the sender.
Most spam forges any and all such return addresses. Spammers are often
involved in doings which are ethically dubious, if not outright illegal, so
it should be no surprise they try to hide their tracks.
So, let's look at a hypothetical spammer. They are operating a server out
of Asia that doesn't even have a domain name, let alone run an SMTP listener
on port 25. They forge the reverse-path to be <bogus at example.com>.
Now, let's look at a hypothetical spam attempt and rejection. The
originator of the spam has their server connect to the destination MX. The
SMTP protocol exchange is started. The receiving system (the spam victim)
recognizes the message as spam during the SMTP protocol exchange, and sends
a fatal error code in response (550 is typical). The spamming system gives
up and moves on. This is the ideal case.
Now let's look at another possibility. The spammer finds an open SMTP
relay to route their mail through. The open relay now contacts the
destination MX. Again, the destination MX rejects the mail. This time,
though, the rejection is to the intermediate relay. Said relay looks at the
reverse-path and attempts to send a DSN to <bogus at example.com>. The MXes for
the <example.com> domain get hammered with hundreds, if not thousands, of
DSNs for mail which was never sent by people in that domain.
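The two delivery paths just described, as an added example that is not part of the original post: a small Python model in which the victim MX answers 550 during the session (so no DSN exists), while an open relay answers 250 first and bounces later to the forged reverse-path. The hosts, the domain names `victim.example` and `example.com`, the `BUY NOW` classifier and the `OpenRelay`/`MX` classes are all constructed for illustration.

```python
"""Where backscatter comes from: in-session rejection vs. accept-then-bounce.

Added example (not code from the original post). Hosts, addresses and the
spam classifier are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Message:
    reverse_path: str   # SMTP "MAIL FROM" -- the return address, which a spammer forges
    recipient: str      # SMTP "RCPT TO"
    body: str


def domain_of(addr):
    return addr.rsplit("@", 1)[1]


class MX:
    """A destination mail exchanger.  If the message is spam it answers 550
    during the SMTP session, so no DSN is ever generated for it."""

    def __init__(self, domain, is_spam=lambda m: False):
        self.domain = domain
        self.is_spam = is_spam
        self.delivered = []       # mail that reached mailboxes in this domain

    def smtp_deliver(self, msg):
        if self.is_spam(msg):
            return 550, "5.7.1 Message rejected as spam"
        self.delivered.append(msg)
        return 250, "2.0.0 OK"


class OpenRelay:
    """An open relay: answers 250 to anyone, then tries the real MX.  When the
    MX refuses, the relay 'helpfully' bounces to the (forged) reverse-path.
    That bounce is the backscatter."""

    def __init__(self, mx_table):
        self.mx_table = mx_table  # constructed stand-in for a DNS MX lookup
        self.dsns_sent = 0

    def smtp_deliver(self, msg):
        code, text = self.mx_table[domain_of(msg.recipient)].smtp_deliver(msg)
        if code >= 500 and msg.reverse_path != "<>":   # never bounce a bounce
            dsn = Message("<>", msg.reverse_path, f"Undeliverable: {code} {text}")
            self.mx_table[domain_of(dsn.recipient)].smtp_deliver(dsn)
            self.dsns_sent += 1
        return 250, "2.0.0 queued"   # what the spammer's software saw


def spam_run(first_hop, count, reverse_path="bogus@example.com",
             target_domain="victim.example"):
    """Spammer sends `count` messages to the first hop, all carrying a forged
    reverse-path in the innocent domain example.com."""
    replies = []
    for i in range(count):
        msg = Message(reverse_path, f"user{i}@{target_domain}", "BUY NOW!!!")
        replies.append(first_hop.smtp_deliver(msg))
    return replies


def simulate(count=100):
    victim = MX("victim.example", is_spam=lambda m: "BUY NOW" in m.body)
    innocent = MX("example.com")          # accepts all DSNs; nobody here sent anything
    table = {victim.domain: victim, innocent.domain: innocent}

    # Case 1: spammer connects straight to the victim MX and is refused in-session.
    direct = spam_run(victim, count)
    direct_backscatter = len(innocent.delivered)

    # Case 2: spammer routes through an open relay, which bounces the refusals.
    relay = OpenRelay(table)
    spam_run(relay, count)
    relay_backscatter = len(innocent.delivered) - direct_backscatter

    return {
        "direct_rejected_550": sum(1 for code, _ in direct if code == 550),
        "direct_backscatter": direct_backscatter,
        "relay_backscatter": relay_backscatter,
        "relay_dsns_sent": relay.dsns_sent,
    }


if __name__ == "__main__":
    print(simulate())
```

The point the model makes is that the victim's filtering is identical in both runs; the only difference is which machine accepted responsibility for the message before it was refused. A 550 given while the spammer is still connected costs the innocent domain nothing, whereas an intermediate that says 250 first has no choice but to bounce, and the bounce goes wherever the forged reverse-path points.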
That is backscatter. So-called because the DSNs come back from a spam
message, but from scattered systems all over the world. Some systems get
more backscatter than they get spam. More get more backscatter than they
get legitimate mail.
Backscatter is bad enough when it goes to an invalid address. But what
if, instead of <bogus at example.com>, the spammer used <jsmith at example.com> --
the address of the overworked system administrator there? Well, then that
poor guy receives all of the backscatter DSNs in his own mailbox, as dozens
or hundreds of bounce messages for mail he never sent.
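How the MX for the forged domain can tell backscatter from a bounce for mail it really sent, serving both the backscatter and the joe-job cases above. This is an added example, not code from the original post or from any project: it applies a simplified scheme in the style of Bounce Address Tag Validation (BATV), where `example.com` signs the reverse-path on every message it genuinely sends, so a DSN arriving for an unsigned address such as `bogus@` or `jsmith@` is provably for mail the domain never sent. The key, the tag layout, the 7-day window and the `mx_policy` function are constructed for the demo and are not exact BATV syntax.

```python
"""Telling backscatter from real bounces at the forged domain's MX.

Added example, not from the original post or any project.  Simplified
BATV-style reverse-path tagging: the key, tag layout and validity window
are constructed for the demo, not the exact BATV wire format.
"""
import hashlib
import hmac

SITE_KEY = b"constructed-demo-key"  # would be a per-site secret in practice
VALID_DAYS = 7


def _mac(expiry, address, key):
    # Short keyed hash binding the expiry day to the real address.
    data = f"{expiry:03d}:{address}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:6]


def sign_reverse_path(address, today, key=SITE_KEY):
    """Outbound side: wrap local@domain so the tag expires VALID_DAYS from now.
    `today` is a day counter; the tag stores it modulo 1000 as BATV does."""
    expiry = (today + VALID_DAYS) % 1000
    return f"prvs={expiry:03d}{_mac(expiry, address, key)}={address}"


def validate_reverse_path(addr, today, key=SITE_KEY):
    """Inbound side: return the original address if the tag is genuine and
    unexpired, otherwise None."""
    if not addr.startswith("prvs="):
        return None
    try:
        _, tagval, address = addr.split("=", 2)
        expiry = int(tagval[:3])
    except ValueError:                      # malformed tag
        return None
    if len(tagval) != 9 or "@" not in address:
        return None
    if not hmac.compare_digest(tagval[3:], _mac(expiry, address, key)):
        return None                          # forged or tampered tag
    if (expiry - today) % 1000 > VALID_DAYS:  # expired (handles the mod-1000 wrap)
        return None
    return address


def mx_policy(mail_from, rcpt_to, today, key=SITE_KEY):
    """SMTP-time decision at the MX for the signing domain.  A null reverse-path
    (MAIL FROM:<>) marks a DSN; accept it only if it is addressed to a tagged,
    still-valid reverse-path this domain issued.  Everything else is ordinary
    mail and is left to the normal spam filter."""
    if mail_from in ("", "<>"):
        if validate_reverse_path(rcpt_to, today, key) is None:
            return 550, "5.7.1 Bounce for a message this domain never sent"
        return 250, "2.0.0 DSN accepted"
    return 250, "2.0.0 OK"


if __name__ == "__main__":
    tagged = sign_reverse_path("jsmith@example.com", today=100)
    print(tagged)
    print(mx_policy("<>", "jsmith@example.com", today=100))  # backscatter: refused
    print(mx_policy("<>", tagged, today=100))                # real bounce: accepted
```

Because the decision is made while the bouncing relay is still connected, the rejection is a 550 in-session rather than yet another bounce, so the scheme does not itself generate backscatter. The cost is that every outbound message from the domain must carry the tagged reverse-path, and anything the domain sends with an unsigned reverse-path will have its bounces refused.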
That is a "joe-job". Some only consider it a "joe-job" if the forgery was
deliberately targeted (i.e., the spammer's intent was to make life miserable
for the owner of the address being forged). Others include instances where
the address was chosen at random by the spammer.
Joe-job victims get more than just backscatter. People who receive the
spam and don't know the "From" address can be forged will reply with
anything from confusion to threats. System operators who really should know
better might blacklist the victim, or even actively attack them.
The original joe-job is described at <http://www.joes.com/spammed.html>.
The moral of this story is: While sending nasty responses to spam might
seem like a good idea, it very rarely is.
More information can be found using Google. See also:
news:news.admin.net-abuse.email (NANAE)
http://www.nanae.org/ - Web home page for NANAE
http://www.spamfaq.net/ - FAQ for NANAE
http://www.cauce.org/ - Coalition Against Unsolicited Commercial Email
http://spam.abuse.net/ - Popular anti-spam site
Good luck. You'll need it.
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |