In true UE form, the following is what the UE Staff learned when we realized that one of our email accounts was sending out spam.
As we continue to learn the ins-and-outs of managing a community-run volunteer website, we’ve come across another fascinating aspect of being an online entity: becoming the victims of a joe job / spoofing attack.
A couple months ago, our Twitter account tweeted out a spam link. We changed all our passwords and double-checked all our other accounts: everything was fine. Then, a few days later, we found an email in the spam folder of one of our accounts from ourselves with a spam link! WTF? That was accompanied by several “mail delivery messages” (also in our spam folder) that our email had labeled with a warning, “This is a fake ‘bounce’ reply to a message you didn’t actually send.”
Okay, but if we didn’t send any messages, then why did some people in our contacts—including us—receive an email?!
Sure, we’ve all seen some form of these spam emails from friends, family members, coworkers, etc. Most likely, you assume they accidentally clicked on a bad link that compromised their account, you make sure not to click the link, delete, move on, and be happy it was not your account. But what if it was your account…? Well, then, you promptly freak out.
After updating everyone with access to this email and changing all our passwords again, we started our Sherlocking.
First question: Were we hacked? Nope. We were not hacked. At the time, the majority of the members of our staff had access to this particular account so, of course, we were worried someone had been sloppy with the password. But, thankfully, most email providers (like Gmail) actually track every IP address that accesses your email (and the location, web browser, and computer type being used by said IP address). We were able to verify every single log-in to the affected account in the last month. We also checked all of its email history: not a single unidentifiable email was sent from the account. Just to be safe, we still changed the password (again) and deleted all its contacts. We are not ones to mess around with security!
So, if we weren’t sending it, where the frak was it coming from? According to those receiving our emails, the spam emails were being flagged in their inboxes (or were being automatically moved to their spam boxes), because the emails were not actually coming from our servers. That’s also why all record of any of this happening was in our spam box. When we investigated the headers of the spam message, we discovered that they were actually coming from an IP address originating in Kyrgyzstan. Awesome.
Then, we learned that a joe job is when a spamming company uses your email as a front to send out a bunch of gross links. One great analogy we ran across explained it like this: spoofing is comparable to someone sending a letter via snail mail, but they wrote your residence as the “return address” in the top left corner instead of their own. This makes the spammy email look like it’s coming from us, when we actually had nothing to do with it.
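The header check described above, as an added example that is not part of the original article: it walks the Received: chain of a constructed spoofed message to find the host that really handed the mail over, and compares that with the domain the From: line claims. The hostnames, IPs and the list of our own outbound IPs are all made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a spoofed message (not a real capture): the From: line
# claims our domain, but the earliest Received: hop was handed over by an
# unrelated host, much like a letter carrying someone else's return address.
RAW_SPOOFED = """\
Received: from mx.example-recipient.net ([192.0.2.10])
 by inbox.example-recipient.net; Mon, 6 Jan 2014 10:00:05 +0000
Received: from unknown (HELO ourdomain.example) ([203.0.113.77])
 by mx.example-recipient.net; Mon, 6 Jan 2014 10:00:04 +0000
From: UE Staff <staff@ourdomain.example>
To: friend@example-recipient.net
Subject: check this out
Message-ID: <constructed-1@ourdomain.example>

http://spam.invalid/link
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw):
    """Received: headers in transit order. Each relay prepends its own line,
    so the last header in the message is the first hop the mail took."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h) for h in reversed(msg.get_all("Received") or [])]

def origin_ip(raw):
    """IPv4 address recorded in the earliest hop: the host that really sent it."""
    match = IPV4.search(received_hops(raw)[0])
    return match.group(1) if match else None

def from_domain(raw):
    """Domain of the visible From: header, which a sender can write freely."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()

def analyze(raw, our_outbound_ips):
    """Flag a message as spoofed when it did not enter the mail system from one
    of our known outbound IPs (an assumed list supplied by the caller)."""
    ip = origin_ip(raw)
    return {"from_domain": from_domain(raw), "origin_ip": ip,
            "spoofed": ip not in our_outbound_ips}
```

Calling `analyze(RAW_SPOOFED, {"198.51.100.5"})` reports the message as spoofed because 203.0.113.77 is not one of the listed outbound servers, which is the same mismatch receiving mail servers used to route the real messages to spam.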
What do we think caused this? Either someone on the staff was logged into the infected email and accidentally clicked on something, or they were using a computer compromised with spyware, malware, or a virus. We had everyone who had access to the account run scans, and we did find some spyware on one staffer’s computer—we think it was probably the culprit. Either way, the spammers were able to commandeer our address book and thus send out the spam.
So what happened? Unfortunately, there is not much you can do to stave off a joe job except wait for the spammers to move on to a new victim. Fortunately, most email clients either rejected the emails outright, warned that they were not from us, or moved the emails immediately into everyone’s spam folders so they didn’t even notice. We apologized, we ignored, and we hoped it would go away soon. Thankfully, it did. In the end, the whole ordeal lasted less than a week and, from what we could tell, most of the emails were bounced back before they were delivered. We decided not to send out a mass email about the whole thing, for fear of potentially adding to the number of emails, so we wrote this article instead. The most important thing to know should this happen to you is to remind everyone not to click on the links. If no one clicks, you aren’t profitable to the spammers, and they will move on.
The silver lining? We’re a little bit more enlightened this week, and we hope we’ve enlightened you a bit on the wonderful world of spoofing. Also, it could be worse: AOL literally sent out zombie spam that same week…
Extra credit: Why is it called a joe job? Well, this is a terrifying account of what happens when someone purposefully uses your domain to sabotage your business and email as a spammer. This did not happen to us. Not that that’s going to help us sleep tonight.
Have a wonderful, spam-less week!