Joe Job is an e-mail spoofing attack in which someone sends out huge volume of emails that appear to be sent from an innocent source. Many times Joe Job occurs as an act of revenge and it's forged to take down the target's reputation online. In hosting bu

First of all, there's a discussion about this article in the forums. Please join in the discussion and help us understanding a Joe Job siatuation by providing your thoughts in the forum.

What is Joe Job

Joe Job is an e-mail spoofing attack in which someone sends out huge volume of emails that appear to be sent from an innocent source. Many times Joe Job occurs as an act of revenge and it's forged to take down the target's reputation online. In hosting business you may encounter a Joe Job conducted by an angry user you discontinued a service for or simply by a competitor who feels you've become irritatingly dangerous.

Why Should I Know About Joe Job

While it sounds something not worthy of attention right now, you might find this information very useful when it comes to the point of being a target. As already said, a Joe Job is just a regular email campaign that uses your company email address and company URL. The usual Joe Job does not send the advertising emails to hundreds, thousands or millions of email addresses but it does this multiple times per account. Possibly hundreds of copies are sent to an individual account. The sole reason of this is to irritate the recipients and to get your company into bad reputation, blacklisted and in a lot of trouble.

How do I know if I'm Joe Jobbed?

The first thing you'll notice is receiving email bounces in your inbox. As soon as you realize this it is imperative that you recognise the situation immeditately because the next phase is getting irritated emails from the recipients threating you with the court of law, blacklisting of your servers, contacting your ISP to close your service. In some cases, if you do not take any action, all of the above will apply. So stay calm and act quick!

1. Set Up a Spam Information Page

The spam email most probably includes a link to your company site. Set up an announcement on that page that will explain in brief that you are a target of an identity theft attack called Joe Job. Also explain that this is something that cannot be prevented in advance by security measures and that you're working on cutting down the malicious internet user and the spam will stop in the following few days. Remember to attach an example of the spam email with headers and explain that the source email address is spoofed. Also note that the source IP is the machine that is really sending the emails and that it does not belong to your company. Apologise the incident sincerely and ask the visitors for help.

2. Use The Possible Unsubscribe Link Into Your Advantage

Many Joe Job emails have an unsubscribe link on them that directs the user onto your server on a 404 page further frustrating the user. Take use of this URL and redirect it to your spam information page.

3. Remove All The References To Your Phone Number On Your Site

If you really want to solve this problem, remove the phone numbers on your site. Soon you'll be flooded by angry calls if you do not. You can list a voice mail number on your site in place of your phone number. Remember to put in a nice notice on the side explaining that you're under an Joe Job and that you've set up a voice mail during the attack. So you can work on stopping the attack. Also provide a link to your spam information page.

4. Give Up Your Email Account

It is useless waste of time trying to save your email account. Just give it up and set up a small autoresponder that will explain the situation and provide links to your spam information page and to your contact information page where people can find your contact form. Avoid simply providing a new email as the attacker might just switch the attack to the new email. Apologise, ask for understanding and help. Keep this email short and small as otherwise you would probably be DoSed by the amount of responders you need to send.

5. Contact Your Providers

Inform your providers that you're under an attack and that that they probably will receive complaints about you. Give them a link to your spam information page and apologise. Even though it is not your fault. Remember that the angry users will not only contact you, but your ISP, your domain provider, merchant providers and any other provider that you use on your site. Also provide valuable information on how to slow down or even stop the attack. Do not forget to provide your new email address!!!

6. Post The Joe Job on UseNet

Once you're signed in to UseNet, look for group called news.admin.net-abuse.email (Commonly called NANAE). Leave a post where you explain you're under a Joe Job and remember to provide a link to your Spam Information Page. Your post will most probably encouter sceptisism by anti-spam fanatics but just ignore it. You didn't post it for them. Your post will most probably be read by the people that run anti-spam services such as spews.org. They will not reply you but they will consider the situation before adding you to their databases as a spammer.

7. Contact The Authorities

Don't count on having any concrete help from them. The reason you contact the authorities is that you will have official records of the incident in case you need to defense yourself when a prosecution comes as an option at a later date.

Conclusion

Stay calm, accept that a Joe Job cannot be prevented. Also accept that some victims of the attack will never believe you. Also remember that you will most likely get sympathy from some users. Acting fast, will minimise the losses.

I would like to get a discussion going on in the forums about this article. There are several ways of acting against this type of attack and I'm sure I didn't list all of them.

Jani Hyytiäinen
Technical Manager
Codepic Solutions
http://www.codepic.net