Compromised Accounts, BackScatter Activity or Joe-Jobs?
A number of other campuses have been experiencing large volumes of unexplained nondelivery messages in their users' inboxes. These nondelivery (or "bounced") messages, typically from MAILER-DAEMON, appear to indicate that the user has been sending spam to external servers and that the remote servers rejected it. (These attacks are also hitting ISPs; I have recently been receiving a large volume of such bounceback messages in my Comcast.net account, for instance.)
These messages have been a source of confusion and concern for the people who receive them, and they often contact the Help Desk believing their account has been compromised or hijacked. In most cases it has not.
Because of the way Internet e-mail works, there is no restriction on what address is placed in the "From" header of a message sent from outside. If a spammer elects to forge an SFSU e-mail address as the "From" address of spam messages, nothing prevents the spammer from doing so.
Over the past several weeks, it appears that more and more spammers are doing this, as well as selling harvested addresses to others who use them for what is known as a Joe job, deliberately targeting a particular individual with this practice (http://en.wikipedia.org/wiki/Joe_job). This has increased the volume of "backscatter" considerably. Many spam filtering servers around the Internet accept a message first and only later generate a nondelivery report, which they send to the "From" address of the offending message even though that address is forged; a server that rejects spam during the SMTP session itself never produces such a report. As a result, many of these nondelivery reports end up in our users' mailboxes. This general phenomenon is called backscatter spam.
Some ways to tell the two cases apart:
- If this is backscatter, there will not be outbound spam in the user's Sent folder, because the account was never actually compromised or used to send spam; the forged messages were sent from somewhere else entirely and never passed through our mail system.
- A user who divulged credentials to a spear phisher, or whose credentials were captured by a keylogger, and whose account is truly hijacked will often have additional problems, such as being unable to access the account, and will likely have spam in the Sent folder. The mail server's logs will also show authenticated submissions for that account from unfamiliar addresses.
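The bounce itself usually carries a copy of the rejected message, and the copy's topmost Received header, written by the rejecting server, records which host actually handed the message over. If that host is not one of our relays, the message never left our system and the report is backscatter. The script below, an added example rather than anything from this post, parses a nondelivery report and makes exactly that check; the relay names, IP addresses and the two sample bounces are constructed for illustration.

```python
"""Triage a nondelivery report (DSN): backscatter from a forged From,
or mail that really left through our MTA?  Added example, not from the post."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Assumed values for illustration: our outbound relays and their public IPs.
OUR_MTAS = {"smtp.example.edu", "mail.example.edu"}
OUR_MTA_IPS = {"192.0.2.10", "192.0.2.11"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def attached_original(bounce: EmailMessage) -> Optional[EmailMessage]:
    """Return the rejected message the DSN carries as a message/rfc822 part."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_bounce(raw: bytes) -> dict:
    bounce = email.message_from_bytes(raw, policy=policy.default)
    original = attached_original(bounce)
    if original is None:
        return {"verdict": "undetermined-no-original-attached"}
    # Every hop prepends a Received header. Index 0 was written by the
    # reporting (rejecting) MTA and is the only one a spammer cannot forge;
    # the last one is the earliest hop the message claims to have taken.
    received = [str(h) for h in original.get_all("Received", [])]
    if not received:
        return {"verdict": "undetermined-no-received-headers"}
    handoff = IP_RE.search(received[0])
    handoff_ip = handoff.group(1) if handoff else None
    handed_off_by_us = handoff_ip in OUR_MTA_IPS
    # Lower hops are informational only: a spammer can write any "by" host.
    claimed_hops = [m.group(1).lower() for h in received if (m := BY_RE.search(h))]
    origin = IP_RE.search(received[-1])
    return {
        "verdict": "relayed-through-our-mta" if handed_off_by_us else "backscatter-likely",
        "handoff_ip": handoff_ip,
        "handed_off_by_us": handed_off_by_us,
        "claims_our_hop": any(h in OUR_MTAS for h in claimed_hops),
        "origin_ip": origin.group(1) if origin else None,
        "original_from": str(original.get("From", "")),
        "reporting_mta": str(bounce.get("From", "")),
    }


def make_dsn(original: bytes) -> bytes:
    """Wrap a rejected message in a minimal multipart/report DSN (constructed sample)."""
    return (b"Return-Path: <>\n"
            b"From: Mail Delivery System <MAILER-DAEMON@mx.remote-example.net>\n"
            b"To: jdoe@example.edu\n"
            b"Subject: Undelivered Mail Returned to Sender\n"
            b'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
            b"\n--B1\nContent-Type: text/plain\n\n"
            b"This is the mail system at host mx.remote-example.net.\n"
            b"554 5.7.1 Message rejected as spam.\n"
            b"\n--B1\nContent-Type: message/delivery-status\n\n"
            b"Reporting-MTA: dns; mx.remote-example.net\n\n"
            b"Final-Recipient: rfc822; victim@remote-example.net\nAction: failed\nStatus: 5.7.1\n"
            b"\n--B1\nContent-Type: message/rfc822\n\n" + original + b"\n--B1--\n")


# Constructed sample 1: a bot at 198.51.100.23 forged jdoe's address and
# connected straight to the remote server; our relays never saw this message.
FORGED_ORIGINAL = (
    b"Received: from unknown (HELO friend) [198.51.100.23]\n"
    b"\tby mx.remote-example.net with SMTP; Tue, 3 Jun 2008 10:15:02 -0700\n"
    b'From: "Jane Doe" <jdoe@example.edu>\n'
    b"To: victim@remote-example.net\nSubject: Cheap meds\n"
    b"Message-ID: <20080603171500.ABC123@friend>\n\nBuy now.\n")

# Constructed sample 2: the message was submitted with authentication (ESMTPA)
# to our relay from 203.0.113.77 and relayed onward; the account was used.
RELAYED_ORIGINAL = (
    b"Received: from smtp.example.edu (smtp.example.edu [192.0.2.10])\n"
    b"\tby mx.remote-example.net with ESMTP; Tue, 3 Jun 2008 10:20:11 -0700\n"
    b"Received: from user-pc (unknown [203.0.113.77])\n"
    b"\tby smtp.example.edu with ESMTPA id 7F2A1; Tue, 3 Jun 2008 10:20:09 -0700\n"
    b'From: "Jane Doe" <jdoe@example.edu>\n'
    b"To: victim@remote-example.net\nSubject: Cheap meds\n"
    b"Message-ID: <4845A1B2.90305@example.edu>\n\nBuy now.\n")

if __name__ == "__main__":
    for label, orig in (("forged", FORGED_ORIGINAL), ("relayed", RELAYED_ORIGINAL)):
        print(label, classify_bounce(make_dsn(orig)))
```

Only the handoff IP in the topmost Received header is trusted; a "by smtp.example.edu" line further down is something the spammer could have typed, which is why it is reported separately as claims_our_hop rather than used for the verdict. When the verdict is relayed-through-our-mta, origin_ip is the address that authenticated to our relay and is the one to look up in the submission logs.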
Labels: backscatter, bounceback, email, joe jobs, MAILER-DAEMON
