What is a “Joe Job”?
Sadly, the possibility of cyber attacks is very real, and such attacks can damage your company’s reputation. One of the worst of these online reputational threats is the all-too-common “Joe Job” attack.
Essentially, a Joe Job attack happens when an attacker spoofs spam email from your domain. The attacker forges the emails to make it look like your company sent them. Unfortunately, email is not a very secure protocol. Anybody with even a little know-how can send email “from” whoever they want without much effort.
What to Do
Usually you become aware of such an attack when you begin receiving a flood of angry email replies. Now begins the long, arduous task of saving face amid the onslaught of defamation. It seems daunting, but we have compiled a comprehensive guide to surviving a Joe Job attack, should you be unfortunate enough to become a victim:
1. Add SPF, DMARC, and DKIM records to your DNS. These are the most important steps you can take and will stop most of the fraud immediately.
2. Create abuse@yourdomain.com and postmaster@yourdomain.com if these do not already exist. These should forward internally for analysis. This is so that information sent from SpamCop and other blacklist services is not missed. Whenever somebody submits one of the spam emails to SpamCop, real time reports will be forwarded to abuse@yourdomain.com. Fortunately, SpamCop is smart about these things and will realize that the emails are not originating from your domain.
3. Set up a spam information page with information about the attack and a form where victims can submit the header information from the offending emails to help you expedite the investigation. This helps the people who are receiving the spam. They may be hearing about your company for the first time by receiving the defaming spam. Proactive people will almost certainly be browsing your site looking for answers. It will help to provide them with the information they are looking for. Let them know that the email did not come from you and that there is something they can do to help. As you begin to receive more information it will also help with your own investigation.
4. Create an alert link from your home page that directs people to the spam information page without distracting the customers who are there under normal circumstances. The point is that you need to address the issue with an official response and a way for proactive victims to do something meaningful to help stop the attack.
5. Once people send you full header information from step 3, start researching where the attacks originate. When viewing full headers, remember the “Received” line cannot be faked. That line usually contains the originating IP address. A smart attacker may bounce emails off several “open relay” servers, hiding their true location. Even so, this information helps SpamCop build a blacklist of known “open relay” servers. That blacklist becomes highly valuable over time. Create a SpamCop account and submit every spam email you receive.
6. Notify your web host about what is going on. Even though the emails are not being sent from their servers, they should be made aware. Sometimes web hosts will help with the investigation.
7. Utilize your social networks (blogs, Facebook, Twitter, etc.) to send out helpful “security” reminders, while being sure not to instill fear. The people in your own network will appreciate the information even though they most likely did not receive the spam email. The spammer usually has different targets and goals, separate from your own. It is always a good idea, though, to make sure your own customers are aware of your spam policy and that you are actively on top of keeping them safe while doing online business with you.
Other than that, be very gracious and kind to the victims who complain about getting spam from your company. Taking time to explain the nature of the problem goes a long way to prevent bad reviews and press.
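For step 1, publishing the records is only half the job: a permissive SPF qualifier or a DMARC policy of none leaves the domain as spoofable as before. The script below is an added example, not part of the original guide, that audits SPF and DMARC TXT strings for those weak settings. The record values, the include host and the report address are constructed samples, and DKIM is not covered.

```python
# Added example: audit SPF and DMARC TXT strings for settings that still permit spoofing.
# All records below are constructed samples for the placeholder domain yourdomain.com.

def audit_spf(txt):
    """Return a list of weaknesses found in one SPF TXT record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # SPF is evaluated left to right, so the first 'all' term decides the default result.
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        if not any(t.lower().startswith("redirect=") for t in terms[1:]):
            findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # omitted qualifier means '+'
        if qualifier == "+":
            findings.append("+all authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("?all is neutral: forged mail is not flagged")
        elif qualifier == "~":
            findings.append("~all is softfail: receivers may still accept forged mail")
    return findings

def audit_dmarc(txt):
    """Return a list of weaknesses found in one _dmarc TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s does not ask receivers to act on forged mail" % (policy or "missing"))
    if "rua" not in tags:
        findings.append("no rua address: you receive no aggregate reports")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: policy applies to only part of the mail")
    return findings

WEAK_SPF = "v=spf1 include:_spf.example.net ~all"        # constructed sample
STRICT_SPF = "v=spf1 include:_spf.example.net -all"      # constructed sample
WEAK_DMARC = "v=DMARC1; p=none"                          # constructed sample
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com"  # constructed

if __name__ == "__main__":
    print(audit_spf(WEAK_SPF), audit_dmarc(WEAK_DMARC))
```

An empty list from both functions means the record asks receivers to reject mail from unlisted senders and sends you aggregate reports.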





