Joe Job – Use of a Fake Return Address in a Spam Message

A Joe job is the use of a fake return address in a spam message to make the message look like it’s coming from a domain or sender other than the spammer. A Joe job can be intentional, where the actual sender is attempting to make the owner of the falsely used domain name look bad, or unintentional, where the faked return address has been randomly selected. Most Joe jobs are the latter, as the associated spam messages typically link to some temporary Internet address not under the control of the Joe-jobbed domain. Intentional Joe jobs will typically contain links back to the Joe-jobbed domain and contain material that’s designed to elicit the largest indignant response (e.g., porn, a Nigerian scam message, or some phishing scheme like an order confirmation that asks you to confirm a credit card number).

The term Joe job comes from the first general attack of this nature. Joe Doll, Webmaster of Joe’s Cyberpost, removed a user’s account due to that user spamming others. The user, in retaliation, forged the “reply-to” headers in the next spam so that the message appeared to come from Joe’s site. The response from users was angry, and the site was the target of denial-of-service attacks, even though Joe Doll had not sent the message.

If you receive a message of the type described above, just delete it. Don’t bother complaining to the site in the headers, as those are forged. Don’t bother complaining to the provider where the Joe-jobbed domain is hosted; since the headers are forged, this site is not to blame for the spam. Don’t bother to respond to the message, as that just further clogs up the Internet with more junk mail; the person you are responding to is innocent. Just delete the message and move on to the next one.

Because the Internet was not designed with secure and verifiable communication in mind (e.g., the protocols used were designed largely for scientists to exchange research data and notes), there is little one can do about a Joe job. Headers are too easily forged to guarantee their accuracy at the receiver’s end of the pipe. Sender Policy Framework (SPF) was developed as one possible curb to Joe jobs. Using SPF, the receiving mail server is supposed to consult the SPF record associated with the domain name in the header to see if the message came from an authorized sender for that domain name. But SPF is not universally used, is not available to all domain names, and has holes of its own.

So, the answer still rests with users simply ignoring spam and deleting it when it gets through whatever filters are in place.

Note: Computer Knowledge gets hit with a Joe job attack several times a year, probably because I write about such things. Be advised that Computer Knowledge does not spam and does not send out any unsolicited mail. We no longer have a newsletter and maintain no database of E-mail addresses. In short, if you got any unsolicited mail with our return address, then it didn’t come from here; it’s a Joe job and you should ignore and delete it.
