Sabotage! Coping With The Joe Job
If you run an ecommerce Website, you probably find that competition can be very steep, especially in certain markets. Maintaining a credible reputation in a world full of fly-by-night scams, and earning the trust of your visitors, can be among the most difficult aspects of Web marketing. Add competitive sabotage into the mix, and you could be in for quite a fight to keep your good name.
One particular type of sabotage you may come across has been used historically as a revenge tactic against those who have spoken out about spam and hacking; it’s called a "Joe Job". This form of sabotage is increasingly used as a weapon in the online marketplace, and, if you’re unfortunate, it may one day be aimed at your Website.
Many Webmasters who have never heard of a Joe Job are learning from bitter experience just how much of a threat it can be, especially as they are ill-prepared to deal with the fallout that follows this type of attack. To deal with the Joe Job effectively, it’s necessary to understand the Joe Job before an attack.
The Joe Job – Case Studies
The Joe Job is nothing new to the Internet; in fact, the phrase was coined after an attack on Joes.com in January of 1997. A spammer utilizing the free services of Joes.com had been barred from usage, and sought revenge against those responsible.
This spammer’s revenge was felt across the Web via a flood of spoofed emails sent out in the name of Joes.com in an attempt to enrage recipients into taking action against the company Website, which, indeed, they did.
In June of 2003, my own site, BoxedArt.com, was hit by a tremendous Joe Job, as part of a series of varied attacks. These attacks were made not by a disgruntled spammer as with Joes.com, but represented a newer implementation of the Joe Job — competitive sabotage. Over the course of our first Joe Job, we learned many tactics that helped us deal with this situation, and when the site was hit by a second Joe Job on October 28, 2003, we were able to cope with, and end, the attack in a fraction of the time.
Before we discuss the measures we implemented to combat this second attack, I should explain why a Joe Job is such an efficient weapon.
The Joe Job in Detail
Essentially, a Joe Job is a very crude form of identity theft. Your email address is used as the "sender’s address" in most cases, and your Website URL is advertised, but an especially diligent and vicious attacker may even use your name in the signature of the message. The email will not only be sent to thousands, hundreds of thousands, or millions of addresses, but it will be sent multiple times — possibly dozens or hundreds — to each recipient before the attack ends.
You will first become aware that your site is the victim of a Joe Job by receiving a few bounces when you check your email. Those few bounces will be followed by hundreds, or thousands, or millions of additional bounces, which will soon be followed by unsubscribe requests, followed by complaints, followed by threats of reporting your business to the authorities, followed by threats of bodily harm, followed by all-out mail bombing (the automated sending of multiple emails, often with large attachments, for the purpose of filling up or flooding your email account). Soon after this, you may begin to receive nasty phone calls if you provide your phone number on your Website, or have your phone number listed with your domain registrar.
You might expect to be contacted by your Web host and domain registrar; however, you may never receive these emails if your email account is filled with large files and profane emails. You can then expect to have your services revoked, as your service providers will, no doubt, have very strict policies against spamming. If you are ever able to clear up the situation with your service providers, you will likely find it difficult to send email or gain the trust of the public again, as your domain name will be blacklisted by many major spam filtering companies. There may also be a feeling of general distrust against your company for having "engaged in illegal and misleading spam tactics". You may even find yourself subject to a heavy fine for the massive amount of spam that was sent in your name.
This is the kind of damage that can be accomplished by a Joe Job if it is allowed to run rampant and unchallenged. However, with the methods revealed here, you will stand a more than fair chance of turning a potentially devastating assault into a mere headache.
Step 1 – Inform and fight back!
When you first become aware that you may be the victim of a Joe Job, you should immediately acquire and read a copy of any material that’s being mailed out in your name. This will be pretty simple, as your inbox will already be flooded with bounces of the message.
If the Joe Job is indeed an attack against your Website, your URL will be advertised within the message. As a result, some recipients will likely visit your Website, possibly to look around for a way to get off what they think is your mailing list, or to find a place to report the spam. These people are proactive types, so it’s important that you display prominently on your Website information that explains the situation to them, as well as a message that asks for their help in ending the annoyance for you and them.
First, explain that you are not the sender of the spam, and that you do not have their name on a list. You should also publish an example of the message that’s being distributed, and explain why you believe it is being sent; however, don’t name names unless you are ready to take the issue to court. Once you’ve explained, and apologized for, the situation, solicit users’ help. This will be your most valuable weapon, and may be the only way to put an end to the Joe Job!
While it is possible to forge the sender’s email address in a spam, it is NOT possible to forge the source IP of the server that sent the email. This means that the Web server that’s being exploited to send the email can be found and shut down. Many recipients of the spam will be quite motivated to end it any way possible, and if they’re at your Website, they’re already looking for a way to report the issue or take further action to end it. Below are the instructions you can provide them to do just that:
Start of instructions to provide on your Website for recipients to combat the Joe Job:
1. In your email program, enable viewing of Headers.
(Replace the header below with one from the bounces you have received. The IP address has been replaced with xxx.xxx.xxx.xx in the example below.)
Received: from adsl-xxx-xx-xx.bgk.bellsouth.net [xx.xxx.xxx.xx] by example.com (SMTPD32-8.00) id AD587D1017C; Wed, 04 Jun 2003 16:58:00 -0400
Message-ID: <firstname.lastname@example.org>
Date: Wed, 4 Jun 2003 13:59:48 -0700
From: "sender"
Subject: Daily news from your Website
To:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-RCPT-TO:
Status: U
X-UIDL: 352928421
The only part of these headers that you CANNOT forge is the Received: lines.
Notice that this message was from xx.xxx.xxx.xx, which is a BellSouth IP address. (All IP addresses are assigned to companies/countries.)
I again emphasize: the sender’s EMAIL ADDRESS is SPOOFED. This is where the attacker wants you to believe the mail is coming from — but it is NOT. The sender’s email address is worthless.
2. Go to SpamCop, paste the header into their Website, and hit Interrogate. SpamCop will look up who owns the IP, and tell you who to send Abuse Reports to. On the next page, you will be able to send the correct party an Abuse Report. In your message, include the entire email you received, as well as a message, such as:
"I am receiving spoofed messages from the server addressed in the headers of this email. Please shut down this server immediately, or close the relays on the box. You are hosting a machine that is spamming and may be held liable if you refuse to correct this issue."
End of instructions to provide on your Website for recipients to combat the Joe Job
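With thousands of copies on hand, the header check in the instructions above can be automated. The following is an added example, not part of the original article: it reads the connecting IP from the Received: line stamped by your own mail server and ignores any Received: lines beneath it, since those are supplied by the sending side. The host names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from ipaddress import ip_address

# Peer address as stamped by the receiving server, e.g. "[203.0.113.7]".
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def connecting_ip(raw_message, trusted_host):
    """Return the peer IP recorded by trusted_host, or None if not found.

    Received: lines are read newest first. Only the line written by our own
    server (trusted_host, an assumed name) is used; lines below it were
    supplied by the sending side and may be fabricated.
    """
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        line = " ".join(received.split())  # undo header folding
        from_part, sep, by_part = line.partition(" by ")
        if not sep or by_part.split()[0].rstrip(";").lower() != trusted_host.lower():
            continue
        found = BRACKETED_IP.search(from_part)
        try:
            return str(ip_address(found.group(1))) if found else None
        except ValueError:  # malformed address such as "[999.1.1.1]"
            return None
    return None

def tally_sources(raw_messages, trusted_host):
    """Count messages per connecting IP so reports go to the busiest sources."""
    counts = Counter()
    for raw in raw_messages:
        counts[connecting_ip(raw, trusted_host) or "unknown"] += 1
    return counts

# Constructed samples: documentation addresses and .example host names.
SPAM_1 = (
    "Received: from adsl-7.isp.example [203.0.113.7] by mx.shop.example\n"
    " (SMTPD32-8.00) id AD587D1017C; Wed, 04 Jun 2003 16:58:00 -0400\n"
    "Received: from mail.shop.example [192.0.2.1] by relay.isp.example;\n"
    " Wed, 04 Jun 2003 16:57:00 -0400\n"  # forged line added by the sender
    "From: \"sender\" <info@shop.example>\n"
    "Subject: Daily news from your Website\n\nbody\n"
)
SPAM_2 = SPAM_1.replace("adsl-7.isp.example [203.0.113.7]", "dsl-9.net.example [198.51.100.23]")

if __name__ == "__main__":
    for ip, n in tally_sources([SPAM_1, SPAM_1, SPAM_2], "mx.shop.example").most_common():
        print(f"{n:4d}  {ip}")
```

Each address in the tally can then be looked up and reported as described in step 2 of the instructions.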
Step 2 – Look for an unsubscribe link in the email, and use it to your advantage!
Would a Joe Job-er really use an unsubscribe link in the spam he sends? In the case of the first Joe Job we experienced, that’s exactly what happened. A non-existent unsubscribe link was plucked from thin air with the intention of generating a 404 error on our company’s server, and further frustrating the recipients.
If this is done, be sure to set up a copy of your spam information page at this URL, or at least redirect this URL to your spam information page. It’s a lot more beneficial to provide these email recipients with information that can help them end the spam, than to have them reach a dead page and further infuriate them.
Step 3 – Give up the fight to save your email account!
When the first Joe Job hit our site, we tried for several days to respond to every unsubscribe request and hate email, and to delete every bounce and mail bomb that came in — we were literally replying to tens of thousands of emails every day. We spent entire days replying to recipients, so we could save our email account and keep up "business as normal" while informing all the unfortunate victims on the other side of our spam assault what was happening. But, spending all our time in front of Outlook Express in a vain attempt to save our email account, we accomplished anything but "business as usual".
Your best bet is to let the account go, and set up an auto-responder that can handle the incoming load. Procmail is a good choice for this. It’s capable of deleting the incoming mail as it arrives, and delivering an automatic message in response to all the email that comes in. Your auto-response should address the spam problem, apologize for it, and provide two URLs. The first URL should be to the spam information URL; the second should be the address of a contact form from which your business and personal contacts can still reach you.
Avoid simply providing a new email address, as the spammers may decide to switch the spoofed email address to use that new address. You may get a few complaints via the contact form you provide, but it will be only a trickle compared to the ocean of irate email you’ll avoid.
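The decision an auto-responder has to make for each incoming message, as an added example that is not from the original article (the article suggests Procmail; this Python sketch shows only the logic). It assumes you want one reply per human sender and none to bounces or other automated mail, following the header conventions of RFC 3834, because answering those only adds to the flood; the addresses, URLs and function names are constructed.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

ROBOT_LOCALPARTS = {"mailer-daemon", "postmaster"}

def should_autoreply(raw_message, own_address, answered):
    """True if this message should get the canned explanation.

    answered is a set of senders already replied to; it is updated here so
    each address gets one reply however many messages it sends.
    """
    msg = message_from_string(raw_message)
    own = own_address.lower()
    if msg.get("Return-Path", "").strip() == "<>":
        return False  # null sender: a bounce, replying only adds traffic
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False  # written by another auto-responder (RFC 3834)
    if msg.get("Precedence", "").strip().lower() in {"bulk", "junk", "list"}:
        return False
    if own in msg.get("X-Loop", "").lower():
        return False  # one of our own replies coming back
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender or sender == own or sender in answered:
        return False
    if sender.split("@")[0] in ROBOT_LOCALPARTS:
        return False
    answered.add(sender)
    return True

def build_reply(to_addr, own_address, info_url, contact_url):
    """Build the reply with the two URLs the article calls for."""
    reply = EmailMessage()
    reply["From"], reply["To"] = own_address, to_addr
    reply["Subject"] = "About the email sent in our name"
    reply["Auto-Submitted"] = "auto-replied"  # lets other robots skip it
    reply["X-Loop"] = own_address
    reply.set_content(
        "We did not send the message you received; our address was forged.\n"
        f"What is happening and how to report it: {info_url}\n"
        f"To reach us about anything else: {contact_url}\n"
    )
    return reply

# Constructed sample messages.
COMPLAINT = "From: Pat <pat@isp.example>\nSubject: STOP\n\nRemove me!\n"
BOUNCE = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.isp.example\n"
          "Subject: Undeliverable\n\nNo such user.\n")
```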
Step 4 – Accept the fact that not everybody will believe you!
No matter how heart-felt and convincing your apologies and explanations are, you will always encounter cynics and critics who will not believe you are the victim of an attack. Rather, they will continue to believe that you’re the true spammer, and that these actions are somehow of benefit to you.
When this happens, do not let their disbelief annoy you, or affect the tone of your responses to them. Even if they are rude and use profanity, you must remain polite. Eventually, you will have to give up trying to convince certain individuals, and accept that there is nothing you can do to prove to them that you’re not involved in the spam.
Step 5 – Contact your providers!
Now that you’ve spent a few minutes setting up an automatic system to deal with the incoming complaints, and to provide important information to slow down or end the spam assault, you need to take steps to ensure that your services are not interrupted. The complaints sent by the spam recipients will not only be sent to you, but to your hosting provider, domain name provider, merchant providers, and the providers of any other services you use on your Website.
You should immediately send pre-emptive emails to these organizations to explain that you are the victim of a Joe Job. Don’t forget to include a link to your spam information page! Follow up the emails with a phone call to your providers to ensure that they receive your message in a timely fashion.
Step 6 – Utilize a privacy service with your domain registration service, and remove phone numbers from your Website!
Unless you have mentally prepared yourself to handle angry phone calls at all hours of the day and night from spammed users, implement a privacy service at your domain name registrar. It’s against Internic’s Terms Of Service to provide fraudulent contact information, but many registrars, such as godaddy.com, provide a privacy service that will allow you to hide your details. Godaddy’s privacy service is called "Domains by Proxy", and it costs only several dollars per year. If your registrar does not provide a similar privacy option to you, it may be in your interest to make a quick change to one that does.
Additionally, if you provide a contact phone number on your Website, it would be equally in your interest to remove it until the crisis has ended, or replace it with a number for a voice mail service only. There are several free Internet voice mail services that can provide a phone number that will send you messages via email only.
Step 7 – Post the Joe Job details on usenet!
By now, it’s likely that your Joe Job may have already hit the radar of many of the popular spam abuse services on the Internet; however, there are methods you can use to inform them of the situation.
If your Internet Service provides you with usenet access, or you have a usenet subscription, now’s the time to take advantage of this service. If you’re not sure whether your ISP offers usenet access, make a quick phone call to find out; if they do, ask how you can access it using your email client. Once you have signed in to usenet, search for a group named news.admin.net-abuse.email (commonly called N.A.N.A.E.). Leave a post at the N.A.N.A.E. newsgroup with the name of your site, explain that it’s under attack by a Joe Job, and be sure to leave a link to your spam information page. Your message will likely be met with skepticism by many of the avid anti-spam fanatics that frequent this group, but your message is not meant for them. Your message will also be read by the people that run the spam services such as spews.org. These individuals will not reply, but they will read your story, and take it into consideration before placing you on a blacklist from which you may never be removed.
If you’re confronted by one of the "regulars" at N.A.N.A.E., don’t be combative or defensive; each response you make to their questions may result in additional queries, and you may end up repeating the same answers to a callous mob. The best advice is to simply post your situation so that it’s there for the spam list operators you intended to reach.
Step 8 – Contact the authorities!
Even if you sustain substantial financial losses as a result of your attack, there is little the authorities will be able to do for you, so don’t hold your breath waiting for a resolution from them. However, there is one benefit that they can provide you, which is to create an official record of your attack. This can be very handy in the event that you need it for your defense, or prosecution becomes an option at a later date.
The agencies you should contact include:
- The Federal Bureau of Investigation
Publicly listed phone number: (202) 324-3000
This phone number will connect you to the FBI’s Washington DC office. You will need to ask them for an FBI office in your area, or you can check your local phone book for a local phone number. In some cases, the FBI may want to set up a face to face meeting with you if your losses warrant it.
- The Federal Trade Commission
Publicly listed email: UCE@FTC.GOV
The FTC is a common resource for reporting spam email, and your Joe Job may have been complained about to this organization. You should send them an email similar to the one you sent to your service providers, including your spam information page, informing them of the Joe Job attack. This will also establish a record with this organization in case it is needed at a later date.
There are many types of attacks and exploits that are preventable; unfortunately, a Joe Job is not one of them. Typically, such attacks involve numerous servers that you won’t have any direct control over, and there are no real precautions you can take against falling victim to a Joe Job.
Fortunately, though, there are methods of surviving them when they do happen. If you carefully follow the steps above, you can drastically reduce the duration and severity of damage caused by the Joe Job, in a seemingly more and more lawless cyber age.