The list owner posted a message about using good passwords so your account isn't hacked since that causes problems for everyone.
Of course, that's good advice and using good passwords is always a good idea. But I though this sounded more like a Joe-job spam, in which the spammer forges the From address to look like it's coming from someone else.
Normal users encounter this in two ways:
- You start getting tons of bounce messages that look as though you sent spam to hundreds of people and they're refusing it.
- You see spam that looks like it came from a friend of yours, or spam on a mailing list that looks like it came from a legitimate member of that list.
Since this sort of attack is so common, I felt the victim didn't deserve being harangued about not having set up a good password. So I posted a short note to the list explaining about Joe-jobs. But to make the point, I forged the From address of the list owner. Indeed, it got through Yahoo and out to the list just fine:
[ ... ] the spam probably wasn't from a bad password. It was probably just a spammer forging the header to look like it's from a legitimate user. It's called a "joe-job": http://en.wikipedia.org/wiki/Joe-job
To illustrate, I've changed the From address on this message to look like it's coming from Adam. I have not hacked [listowner]'s account or guessed his password or anything else. If this works, and looks like it came from [listowner], then the spam could have been done the same way -- and there's no need to blame the owner of the account, or accuse them of having a bad password.
Why does this work? Why doesn't Yahoo just block messages from email@example.com if the mail doesn't come from isp.com?
They can't! Many, many people don't send mail from the domains in their email addresses. In effect, people forge their From header all the time. Here are some examples:
- You're using firstname.lastname@example.org, but you're using Thunderbird or Eudora or Evolution or something to read and send mail from home.
- You're on your computer at home, but you're sending work-related email from your work account.
- You're on your laptop, using Thunderbird or whatever, mailing from email@example.com, but you're at a friend's house or a hotel or conference or somewhere.
- You're sending mail from a public terminal somewhere (eek, do people really type their mail info in to these things?)
- You're reading and sending mail from a mobile phone.
- You're sending mail from your own domain, firstname.lastname@example.org, but you're at home or somewhere else other than wherever mydomain.com is hosted.
If mailing lists rejected posts in all these cases, people would be pretty annoyed. So they don't. But that means that now and then, some Joe-job spam gets through to mailing lists. Unfortunately.
(Update: The message that inspired this may very well have been a hacked password after all case, based on the mail headers. But I found that a lot of people didn't know about Joe-jobbing, so I thought this was worth writing up anyway.)
[ 21:28 Apr 13, 2010 More tech/email | permalink to this entry ]