ietf-asrg

Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

2009-05-27 15:18:56
der Mouse wrote:

‘fake bounces’ are sometimes referred to as ‘Joe-job attack’

("backscatter" is also a frequently used term)

It's not clear from the context available to me whether "fake bounces"
in the original refers to mail forged to look like bounces, or bounces
of forged mail.  Neither one is what I understand a joe-job to be: my
understanding of a joe-job is the attacker forging the victim's domain
into from fields, either envelope or header.  The bounces resulting
from sending joe-job mail to nonworking addresses are the second kind
of "fake bounces", but a joe-job is not the same thing as the fallout
from a joe-job.  (My understanding of "backscatter" is that it refers
to the second kind of "fake bounces".  I've also heard/seen it called
"blowback", though I'm not sure how reasonable that is compared to
other uses of the word.)

Within context, "fake bounces" is more correctly referring to backscatter. "joe-job" is a different concept altogether, and more refers to a specific _intent_ of the forgery. Not all joe-jobs can cause backscatter.

As such, "are sometimes referred to as ‘Joe-job attack’" is incorrect.

A "Joe-job" is intended to cause (often purely reputational) harm to the joe-jobbee (the forged person). The message _itself_ may yield no direct benefit to the "joe-jobber" (the person doing the forgery).

It may not be the From address. It could be links or the text of the email. Etc.

For example, let's say you got a gmail address, and sent out, without faking any addresses, the following email:

--------------------------------------------------
Hi, I'm Chris Lewis, I'm a member of NAMBLA, and am looking for child porn. You can reach me at <my real address>
---------------------------------------------------

This is a joe job. But it can't "fake bounce"/backscatter. Any bounces are "real".

Forging the MAIL FROM line to have my real address means that it can "fake bounce"/backscatter. It's still a joe-job too.

Not all "fake bounces"/"backscatter" are joe-jobs and vice-versa.

As a natural consequence of phishing (attempting to fool the recipient into giving their credentials away, and the forger derives direct benefit from the email), the MAIL FROM address will often be of the phished bank. But it doesn't need to be, and very often isn't. Of course SPF only helps when it _is_ the phished bank in the MAIL FROM address (or the phisher is stupid enough to forge some _other_ domain that has conflicting SPF).
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
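The SPF point at the end of the message above (SPF only helps when the forged MAIL FROM domain actually publishes a restrictive record, and a joe-job or phish that uses some other domain, or no forgery at all, sails through) can be made concrete with a small simulation. The following is an added example written for this page, not code from the post's author or from any SPF implementation. It implements only the ip4/include/all subset of SPF; every domain, IP address and DNS record in it is constructed, and the receiving-MTA policy (reject on SPF fail, otherwise accept and bounce unknown recipients to MAIL FROM) is an assumption chosen to illustrate backscatter.

```python
"""Toy SPF evaluation showing where SPF does and does not help against a
forged MAIL FROM (backscatter) or a phish. Constructed example; all domains,
addresses and records below are made up for illustration."""

import ipaddress

# Constructed "DNS": MAIL FROM domain -> published SPF TXT record (None = no record)
DNS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",          # phished bank, strict policy
    "relay.example": "v=spf1 ip4:198.51.100.0/24 -all",      # outsourced relay
    "bigcorp.example": "v=spf1 include:relay.example ~all",  # softfail only
    "lookalike-bank.example": "v=spf1 +all",                 # attacker's own domain
    "victim.example": None,                                  # joe-job victim, no SPF at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, domain, dns=DNS, depth=0):
    """Evaluate the ip4 / include / all subset of SPF for one MAIL FROM domain.
    Returns one of: pass, fail, softfail, neutral, none.
    (Toy: unsupported mechanisms such as a, mx, exists are skipped, and an
    include of a domain without a record is treated as no match rather than
    the permerror a full implementation would return.)"""
    record = dns.get(domain)
    if record is None or depth > 10:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(client_ip, term[8:], dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def receive(client_ip, mail_from_domain, rcpt_exists, dns=DNS):
    """Assumed receiving-MTA policy: reject SPF 'fail' during the SMTP session
    (so no bounce is ever generated); otherwise accept the message, and if the
    recipient turns out not to exist, bounce it to the MAIL FROM address.
    That bounce is backscatter whenever MAIL FROM was forged; the receiving
    MTA itself cannot tell a forged MAIL FROM from a real one."""
    result = spf_check(client_ip, mail_from_domain, dns)
    if result == "fail":
        return "rejected at SMTP (no bounce generated)"
    if rcpt_exists:
        return "delivered"
    return "accepted then bounced to MAIL FROM"


if __name__ == "__main__":
    attacker_ip = "203.0.113.9"  # constructed: not authorised by any record above
    scenarios = [
        ("forged MAIL FROM = phished bank (strict SPF)", "bank.example"),
        ("forged MAIL FROM = joe-job victim (no SPF)", "victim.example"),
        ("forged MAIL FROM = domain with softfail SPF", "bigcorp.example"),
        ("MAIL FROM = attacker's own lookalike domain", "lookalike-bank.example"),
    ]
    for label, domain in scenarios:
        print(f"{label}: SPF={spf_check(attacker_ip, domain)}, "
              f"outcome={receive(attacker_ip, domain, rcpt_exists=False)}")
```

Only the first scenario is stopped by SPF. A victim domain with no record, or a softfail record, still gets the backscatter from a forged MAIL FROM; a phisher who puts their own domain in MAIL FROM passes cleanly, and a joe-job that forges nothing (the Gmail case in the post) never touches SPF at all.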
