MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 7 August 2007

Do You Know Joe...

...Joe Job?

Before you answer the question, have a look at the following e-mail:



Is it:
  1. An advert from Spamhaus?

  2. Spam from Spamhaus?

  3. Spam from a spammer trying to discredit Spamhaus?

  4. An attempt to 'poison' spam filters?

  5. A 'Joe Job'?

  6. An attempted DDoS of Spamhaus's e-mail servers and telephone service?

Before I give you the correct answers, let us just look at the evidence:
  • The 'From:' address is bogus.
  • The 'Subject:' line is typically spammy.
  • The 'Body' of the e-mail appears to be a simple cut and paste of plain ASCII text from the Spamhaus web site.
  • The enticement to contact them, either via e-mail or by phone.

Why would an anti-spam service spam out a message advertising their anti-spam DNS blacklists? Doesn't make sense, does it?

The answers are in, I have the golden envelope and it is time to reveal the answers, so, a quick drum roll please, maestro:

The correct answers are: 5, 3, 6 and 4, in that order. Did someone shout 'Bingo'? Sorry, wrong game! ;-)

Q: So, what is a 'Joe Job'?

A: Here's a short snippet from the Wikipedia entry for 'Joe Job':
"Online, a joe job (or Joe job) is a spam attack using spoofed sender data and aimed at tarnishing the reputation of the apparent sender and/or induce the recipients to take action against him (see also e-mail spoofing). For a related phenomenon that is not targeted directly at a particular victim, see backscatter of email spam."

So now you know. If you want to know why it is called a 'Joe Job' I suggest you take a look at the Wikipedia entry.

Over the last six months I've personally been on the receiving end of a 'Joe Job' no fewer than four times, and each time the gap between the new one and the last one gets smaller. To deal with this I've now put in place a number of custom 'anti-bounce' filters which reject 'Joe Job' bounces at my personal mail server, so I no longer see the 'fall-out' of these attacks. More details of my current anti-spam setup can be found in my 'Experiments in Spam' posting.

Just to make it clear, the attacks I have experienced range in size from about 1,000 'spoofed' emails [over an hour or two] to the largest [before I put the block in place] of over 4,000 in less than ten minutes. This is on my personal home server, not a corporate one.

Why am I getting so many 'Joe Job' attacks? Probably because of the amount of spam and spammy sites I report each and every day. I seem to have been added to the 'spammers hit list'.

So, is there anything that ISPs, Companies, other organisations and individuals that run mail servers can do to stop helping the spammers who persist in 'Joe Jobbing'? Yes!
  • Please, Please, Please, don't bounce spam as all you are doing is helping the 'Bad Guys and Girls' by effectively DDoSing the individual or company that is being 'Joe Jobbed'.

  • If you know it is spam, is from a forged address, or has been sent via a botnet, open relay or spam proxy, then discard/reject it instead.

  • Use a good DNS blacklist such as the 'Spamhaus XBL' list as it makes the job of identifying and blocking the main ways that spam is sent nowadays a lot easier.
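For the victim's side of a 'Joe Job', here is one way an 'anti-bounce' filter can work. It is an added example, not the filters described in this post. It assumes your server stamps every outgoing mail with a keyed Message-ID, so a bounce quoting any other Message-ID can be rejected during the SMTP session; `SECRET`, `DOMAIN`, the Message-ID layout and the sample bounce are all constructed for the illustration.

```python
import email, hashlib, hmac, re
from email import policy

SECRET = b"constructed-demo-key"  # assumption: secret known only to our MTA
DOMAIN = "example.org"            # assumption: the domain being Joe Jobbed

def _tag(unique: str) -> str:
    return hmac.new(SECRET, unique.encode(), hashlib.sha256).hexdigest()[:16]

def make_message_id(unique: str) -> str:
    """Message-ID stamped on every mail we really send: <unique.tag@DOMAIN>."""
    return f"<{unique}.{_tag(unique)}@{DOMAIN}>"

def is_ours(msgid: str) -> bool:
    m = re.fullmatch(r"<([^.@<>]+)\.([0-9a-f]{16})@%s>" % re.escape(DOMAIN), msgid.strip())
    return bool(m) and hmac.compare_digest(_tag(m.group(1)), m.group(2))

def original_message_id(raw: bytes) -> str:
    """Message-ID of the mail a bounce claims to return ('' if none is embedded)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return str(part.get_payload(0)["Message-ID"] or "")
        if ctype == "text/rfc822-headers":     # headers-only copy
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            return str(hdrs["Message-ID"] or "")
    return ""

def verdict(envelope_from: str, raw: bytes) -> str:
    """Decide at SMTP time, so a refusal is a 5xx reject and never a new bounce."""
    if envelope_from != "":                    # bounces use the null sender <>
        return "not-a-bounce"
    return "accept" if is_ours(original_message_id(raw)) else "reject"

def sample_dsn(orig_msgid: str) -> bytes:
    """Constructed bounce, shaped like a multipart/report DSN."""
    return (
        "From: MAILER-DAEMON@mx.example.net\nTo: joe@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery to x@example.net failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; x@example.net\nAction: failed\nStatus: 5.1.1\n\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"From: joe@example.org\nMessage-ID: {orig_msgid}\nSubject: hello\n\n"
        "--b1--\n"
    ).encode()
```

Bounces that embed no original headers at all are rejected too under this policy, which is a choice to weigh against the odd legitimate bounce from a server that omits them.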

So, do you now know 'Joe'?
