Here is an account of an unexpected incident that reignited my fading passion for email header analysis. And it was that… a friend of mine got a nasty headache. Ah yes, you read it right.
My friend runs a one-man-show as “the IT guy” for an organization. Every day he goes to work as energetic as he can be and returns completely drained from having to deal with the bulk of unsolicited emails (aka “spam”) that floods the company’s mail server.
But the “headache” was the result of their domain getting blacklisted.
They started receiving tons of bounced emails from mail addresses which meant nothing to them. And at times they even received mails that seemed to originate from their own domain.
He had no clue as to why their domain started receiving huge amounts of bounced back emails or why their emails were not delivered to the intended recipients.
Whilst he was trying to work out why this was happening, the poor domain was marked down for “rolling out bulk emails” and the domain was blacklisted. That explains the delivery failures.
He worked vigorously with the provider to whitelist the company’s domain; but the issue repeated itself in such an uncontrolled fashion that bailing out the domain became a part of his routine.
He wanted to find out whether the computers on the office network were infected by some malware and how their emails were being hacked, especially given that they have one of the best Anti-Virus products installed and a good set of security policies in place.
And his plea to take a look into the issue is what introduced me to “Joe”.
Scrutinizing the few email headers he showed me, I was able to identify that a rare form of spam attack nicknamed “Joe job” was causing damage to the company and its domain’s reputation.
So what actually is a “Joe job”?

A spammer can craft the email header to make it appear to come from a spoofed sender, i.e. the recipient would see something like “john@domain.com” in the “from” address but the actual sender would be someone else.
Also, the “reply-to” field can be played with so that any responses or bounce-backs would be redirected not to the address in the “from” field but to the one specified in the “reply-to” field.
Spammers use this technique for various reasons including hiding their identity, escaping the issue of handling undesired bounced-back/non-deliverable emails, skipping spam filters and stealing the victims’ bandwidth.
Here is a description of the original attack for reference: http://joes.com/spammed.html
Though Sender Policy Framework (SPF) records, which allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf, and security policies were properly set up, a few misses while configuring the mail server ended up feeding the domain’s reputation to spammers in this case.
It is important to remember that spam filters cannot be too rigid, but a simple rejection of bounced back emails from unknown senders could have saved the domain, to some extent, from falling prey to such spam attacks and causing a headache for my friend (although this did rejuvenate my fading passion…).
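As an added illustration of the two header checks discussed above (the spoofed “from”/“reply-to” pattern of a Joe job, and rejecting bounces for mail the domain never sent), here is a small Python script that is not part of the original post. It parses a constructed sample message and a constructed bounce, compares the From, Reply-To and Return-Path domains, checks the connecting IP against a hard-coded stand-in for the victim domain’s SPF record (a real check would look the record up in DNS), and flags a bounce that references no Message-ID the domain actually sent. All domains, IPs and Message-IDs are made up for the example.

```python
"""Added example (not the blog's code): flag Joe-job style headers and
unsolicited bounces. The SPF record and the sent-mail log are constructed
stand-ins for a DNS lookup and the real outbound mail log."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for victim.example's SPF record
# (the DNS TXT form would be "v=spf1 ip4:203.0.113.0/24 -all").
SPF_ALLOW = {"victim.example": ["203.0.113.0/24"]}

# Constructed log of Message-IDs our own server really sent.
SENT_MESSAGE_IDS = {"<20130304.0001@victim.example>"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed spam as the recipient's server would see it: the From: header
# claims victim.example, Reply-To and the envelope sender point elsewhere,
# and the delivering host is not one victim.example authorizes.
SAMPLE_SPOOFED = """\
Return-Path: <bounce-handler@spammer.example>
Received: from mail.victim.example (unknown [198.51.100.77])
    by inbound.recipient.example with ESMTP id abc123
    for <someone@recipient.example>; Mon, 4 Mar 2013 10:00:00 +0000
From: John <john@victim.example>
Reply-To: <collector@spammer.example>
To: someone@recipient.example
Subject: Special offer

Buy now.
"""

# Constructed backscatter bounce arriving at victim.example for a message
# it never sent (null envelope sender, foreign original Message-ID).
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.5])
    by mx.victim.example with ESMTP; Mon, 4 Mar 2013 10:05:00 +0000
From: Mail Delivery System <MAILER-DAEMON@recipient.example>
To: john@victim.example
Subject: Undelivered Mail Returned to Sender

The original message was received from 198.51.100.77.
Original Message-ID: <spam-9999@spammer.example>
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or None if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def connecting_ip(msg):
    """IP of the host that handed the message to our own server.

    Only the topmost Received: line was written by our MTA; lower ones were
    added by earlier hops and can be forged by the spammer."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def spf_allows(domain, ip):
    """Simplified SPF: is ip inside one of domain's published networks?"""
    if domain not in SPF_ALLOW or ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in SPF_ALLOW[domain])


def analyze(raw_message):
    """Header checks for a raw message; returns the extracted fields and a
    list of findings. SPF proper covers the envelope (Return-Path) domain;
    testing the From: header domain against SPF is the alignment idea
    DMARC adds on top."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    rpath_dom = domain_of(msg["Return-Path"])
    ip = connecting_ip(msg)
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if rpath_dom and rpath_dom != from_dom:
        findings.append("envelope sender domain differs from From domain")
    if rpath_dom and not spf_allows(rpath_dom, ip):
        findings.append("connecting host not authorized by envelope domain SPF")
    if from_dom and not spf_allows(from_dom, ip):
        findings.append("connecting host not authorized for From domain")
    return {"from": from_dom, "reply_to": reply_dom, "return_path": rpath_dom,
            "ip": ip, "findings": findings}


def is_unsolicited_bounce(raw_message):
    """True for a bounce (null envelope sender "<>") that mentions no
    Message-ID we actually sent: the backscatter a Joe job generates.
    Real DSNs embed the original message, so a text search is enough."""
    msg = message_from_string(raw_message)
    if (msg.get("Return-Path") or "").strip() != "<>":
        return False
    return not any(mid in raw_message for mid in SENT_MESSAGE_IDS)


if __name__ == "__main__":
    for line in analyze(SAMPLE_SPOOFED)["findings"]:
        print("spoofed sample:", line)
    print("bounce sample unsolicited:", is_unsolicited_bounce(SAMPLE_BOUNCE))
```

Run stand-alone, the script reports four findings for the spoofed sample and classifies the bounce as unsolicited. The point of using only the topmost Received line is the one the post makes implicitly: everything below the line your own server wrote can be forged, so a header analysis that trusts the forged hops will blame the victim domain.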
Image courtesy of:
blog.antispam.fr/wp-content/uploads/2013/03/email-bounce.jpg
Ayesha Shameena P
Threat Researcher, K7TCL