Could You Be Sending Spam?
It started out looking like a typical morning's e-mail--some legitimate messages, a lot of spam, and two Delivery Failure notices informing me of messages I had sent to nonexistent addresses. But the bounced messages, which appeared to have been sent from my
Some spammer had sent out this irritating advertisement so that it appeared to come from my address. These two messages bounced "back" to me because they happened to go out to bad addresses. But how many others went out to real people, some of whom may now think that I--and
The culprits probably weren't targeting us intentionally. In most cases, these bogus sender addresses are picked at random off the same list from which recipient addresses are harvested. Spammers must conceal their identity to get around filters, and the old way of doing it--inventing random addresses--doesn't work as well as it used to.
"Most systems now check to make sure the domain name is real," says John Levine, author of
These forgeries (also called
Is the practice legal? Probably not. "If you create the impression [that the spam is] coming from someone in particular, that person might have some sort of legal claim for defamation," says David E. Sorkin of the
Of course, as Levine observes, "The behavior I've seen [suggests] that spammers don't care that what they're doing is illegal."
At least one lawsuit over a forged return address was successful, though that was way back in 1997 and involved far more damage than simple inconvenience. One morning Tracy LaQuey Parker, then owner of Flowers.com (the domain name is now owned by 1800flowers.com), opened her e-mail to see thousands of bad address bounces. "You know how you feel when you get spam? When I logged into my computer ... there were over 5000 messages," she says. "I felt like I was being attacked."
The flood shut down her ISP for half a day, hurting not only her business but others as well. Then came the angry e-mail from people who believed Parker's business was acting in some pretty unsavory ways.
The court found in Parker's favor and awarded a payment of over $35,000. "We didn't recoup anywhere near the damages done to us," she says.
It's unlikely that anyone today would receive such a barrage. "Most of the recent generation of ratware [spamming software] will randomly insert addresses off the list as the purported sender," explains Andrew Barrett, executive director of the SpamCon Foundation. This technique "flies under the radar because it avoids sending [all of the] bounces to a single domain," he adds.
Still, the e-floodgates might open if someone wants to punish you for some real or imagined slight. Although rare, these attacks are notorious enough to have gained a name: joe jobs, after a particularly vicious attack against Joe Doll, proprietor of the Web hosting service Joes.com, in 1997.
Author Levine believes this is what recently happened to him. He was hit by about "100,000 bounces from spam sent from an ISP in the Netherlands, mostly to Russian addresses."
Because of his high profile in the antispam community, Levine believes, the spammer "set out to send a lot of spam and thought it would be funny if all bounces went to me."
Levine believes the extremely high bounce rate was the result of the culprit not using a list. Rather, the scheme involved "thousands of random addresses they just made up," Levine says.
Joe jobs are rare, but small and random forgeries will undoubtedly increase. According to SpamCon's Barrett, "People are going to start seeing hundreds of bounces.... As challenge/response becomes popular, we're going to see a lot more forged addresses, more bounces, and more complaints."
Can anything be done? The old rules about
Until the government or Internet businesses figure out how to stop the entire spam problem, you'll just have to grin and bear it. And if anyone complains that you sent them spam, you can send them a link to this article.