spam backscatter and joe-jobs


So, it looks like someone is sending spam... from your email address

the symptoms 

You're suddenly getting lots of "bounced" emails with subjects like "DELIVERY FAILURE", "Undelivered mail returned to sender", even some "Out of the office" notices... but when you open the email, the original sent message was a spam message.  What's worse, it looks like you sent it.  You might just get a few of these bounces.  Or you might get a few hundred, a few thousand, or a few hundred thousand.

Because there are tons of emails going out with your email on them, you'll probably also get more regular spam.

You may also get emailed complaints from the people receiving the spam... though by now, most people are used to it.  They don't write back.

In the worst case scenario, your ISP may be foolish enough to think you actually sent it, and might send you a warning of some kind or threaten to cut off your service (or you might have your normal email blacklisted by other ISPs who don't understand the situation).  This isn't so much of a problem nowadays, either.  ISPs have learned that spam is almost never sent by the person whose email address is on the "Reply-To" line.

the causes

Don't panic - this does not mean that the spammers have hacked into your computer or email server and are sending spam using your email account.  (It's also possible that your computer or server has been hacked, but bounces in your email inbox won't tell you that - you need a good working virus scanner to detect it.)

The real reason is that email can be sent with any return address that the spammers choose.  They usually choose a reply-to address in one of three ways:

  • They pick a domain name, and use a bunch of randomly generated usernames @ that domain name.  For example, they might pick clickityclack.org and generate emails using common names (john@clickityclack.org, mary@clickityclack.org), or just totally random ones (qwpf@clickityclack.org).  Generally they'll use a set of domain names, not just one.
  • They use real email addresses already on their spam lists -- so if they picked up the email sales@clickityclack.org from scanning websites, they might use that as a reply-to address, among other victims' emails.
  • They use the emails of people they don't like, such as prominent anti-spammers.  Many users of the Blue Security anti-spam system (BlueFrog) found their emails used this way.

terminology 

The last, more malicious method (when they use your address specifically to harm you) is called a joe job, named after the first known victim of a large-scale attack in 1997.

The rest of it, an unpleasant side effect of spammers' efforts to avoid filters, is called spam backscatter.

It's all just more UCE: unsolicited commercial email.  It gets to you a little less directly (and can harm you a little more), but it's still spam, and it's still illegal.

what you can do

If you are reporting spam to any anti-spam service, you should report spam backscatter emails as well.  Try to skip the bounces that don't contain any of the original message (for example, the out-of-office replies), because these generally don't contain useful information - but if you're getting thousands and can't sort through them, just try to report as many as you can.
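If you can't sort thousands of bounces by hand, a short script can do it.  This is an added example, not part of the original page: the function name triage and the sample messages are made up, and it assumes MIME-structured bounces (RFC 3464) and a Return-Path header added by your mail server, so older bounces that paste the original in as plain text will land in "skip".

```python
import email
from email import policy

ORIGINAL_TYPES = {"message/rfc822", "text/rfc822-headers"}

def triage(raw: bytes) -> str:
    """Classify one inbox message: 'report', 'skip' or 'not-a-bounce'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    types = {part.get_content_type() for part in msg.walk()}
    # RFC 3464 delivery reports carry a message/delivery-status part.
    is_dsn = "message/delivery-status" in types
    # RFC 3834 auto-responders (out-of-office, vacation) mark themselves.
    is_auto = str(msg.get("Auto-Submitted", "no")).strip().lower() != "no"
    # Bounces are normally sent with the null envelope sender.
    null_sender = str(msg.get("Return-Path", "")).strip() == "<>"
    if not (is_dsn or is_auto or null_sender):
        return "not-a-bounce"
    # Only bounces that return the spam (or its headers) help a spam report.
    return "report" if types & ORIGINAL_TYPES else "skip"

# Constructed sample messages (every host and address here is made up).
DSN = b"""Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered mail returned to sender
Content-Type: multipart/report; report-type=delivery-status; boundary=b1

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Status: 5.1.1
--b1
Content-Type: message/rfc822

From: sales@example.org
Subject: Cheap pills

Buy now
--b1--"""
OOO = b"""Auto-Submitted: auto-replied
From: bob@example.net
Subject: Out of the office

Back on Monday."""

if __name__ == "__main__":
    print(triage(DSN), triage(OOO))
```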

If you're a webmaster, you'll save yourself a lot of headaches if you turn off wildcard email aliases for your domains.  If anything @ yourdomain gets delivered to you, then when your domain gets chosen by a spammer, you'll be getting a lot of bounces.  If you need that feature enabled, then watch out for the flood, and remove the wildcard for a few days when it starts.

I have some advice for handling large quantities of spam specifically in Mozilla Thunderbird... see "Tips" on the KnujOn Thunderbird Extension page.

more info

Want to learn more about spam backscatter and joe jobs?