It started out looking like a typical morning's e-mail--some legitimate messages, a lot of spam, and two Delivery Failure notices informing me of messages I had sent to nonexistent addresses. But the bounced messages, which appeared to have been sent from my PC World e-mail address, bore the subject "The World's smallest Digital Camera." The message hawked a product I've never seen--or written about. Some spammer had sent out this irritating advertisement so that it appeared to come from my address. These two messages bounced "back" to me because they happened to go out to bad addresses. But how many others went out to real people, some of whom may now think that I--and PC World--are in the unsolicited e-mail business?
The culprits probably weren't targeting us intentionally. In most cases, these bogus sender addresses are picked at random off the same list from which recipient addresses are harvested. Spammers must conceal their identity to get around filters, and the old way of doing it--inventing random addresses--doesn't work as well as it used to.
"Most systems now check to make sure the domain name is real," says John Levine, author of Internet Privacy for Dummies. "The easiest way to find valid addresses is a spam list."
These forgeries (also called spoofs when they forge not just the visible address but also the server of origin) might also get around the antispam challenge-and-response systems that some companies use. If you send a person enough messages that appear to come from random real people, one might be from someone they know. If Levine were a spammer, he admits, "I would send spam to everyone on the list from everyone on the list."
Is the practice legal? Probably not. "If you create the impression [that the spam is] coming from someone in particular, that person might have some sort of legal claim for defamation," says David E. Sorkin of the John Marshall Law School Center for Information Technology and Privacy Law. "But first you have to track down the person, then find the right kind of jurisdiction."
Of course, as Levine observes, "The behavior I've seen [suggests] that spammers don't care that what they're doing is illegal."
Flowers or Spam
At least one lawsuit over a forged return address was successful, though that was way back in 1997 and involved far more damage than simple inconvenience. One morning Tracy LaQuey Parker, then owner of Flowers.com (the domain name is now owned by 1-800-Flowers.com Inc.), opened her e-mail to see thousands of bad address bounces. "You know how you feel when you get spam? When I logged into my computer ... there were over 5000 messages," she says. "I felt like I was being attacked."
The flood shut down her ISP for half a day, hurting not only her business but others as well. Then came the angry e-mail from people who believed Parker's business was acting in some pretty unsavory ways.
The court found in Parker's favor and awarded a payment of over $35,000. "We didn't recoup anywhere near the damages done to us," she says.
It's unlikely that anyone today would receive such a barrage. "Most of the recent generation of ratware [spamming software] will randomly insert addresses off the list as the purported sender," explains Andrew Barrett, executive director of the SpamCon Foundation. This technique "flies under the radar because it avoids sending [all of the] bounces to a single domain," he adds.
Still, the e-floodgates might open if someone wants to punish you for some real or imagined slight. Although rare, these attacks are notorious enough to have gained a name: joe jobs, after a particularly vicious attack against Joe Doll, proprietor of the Web hosting service Joes.com, in 1997.
Author Levine believes this is what recently happened to him. He was hit by about "100,000 bounces from spam sent from an ISP in the Netherlands, mostly to Russian addresses."
Because of his high profile in the antispam community, Levine believes, the spammer "set out to send a lot of spam and thought it would be funny if all bounces went to me."
Levine believes the extremely high bounce rate was the result of the culprit not using a list. Rather, the scheme involved "thousands of random addresses they just made up," Levine says.
Joe jobs are rare, but small and random forgeries will undoubtedly increase. According to SpamCon's Barrett, "People are going to start seeing hundreds of bounces.... As challenge/response becomes popular, we're going to see a lot more forged addresses, more bounces, and more complaints."
Can anything be done? The old rules about keeping your address off the spam lists still apply: Be careful where on the Web you give your address, never use it in newsgroups, and so on. But if you're getting spam, chances are good that at some point people will think you're sending it, as well.
Until the government or Internet businesses figure out how to stop the entire spam problem, you'll just have to grin and bear it. And if anyone complains that you sent them spam, you can send them a link to this article.