Who steals my purse steals trash... / But he that filches from me my good name / Robs me of that which not enriches him / And makes me poor indeed.
Imagine this scenario: Hundreds of thousands of spam messages appear to come from your company. The ensuing flood of bounces and complaints from recipients crash your server. Outraged addressees clog your phone lines. Business grinds to a halt. Days and dollars are spent salvaging your technology, soothing complaints, and doing damage control for your brand. It's called spoofing -- and it could happen to you.
Spoof e-mail forges the sender's identity to trick the recipient into opening it (or trick a spam filter into delivering it). When recipients click on a link or attachment, they're off on a little trip to well-known circles in Internet Hell: Scam, Porn Site, Disinformation Campaign, or Virus.
Making a Federal Case Out of Spoof
"Almost none of these people are caught because few are prepared to invest what I invested," he said. "The odds are with the spammer because there's no real federal law that covers this, and this was a federal case."
Here's how the spoof unfolded: Joffe's system was suddenly overwhelmed with bounces (undeliverable messages). Recipients of the spoofed message, believing it to have come from his company, complained, which added to the e-mail deluge. Some were so outraged they phoned company executives to vent. It took a couple of hours to figure out what was happening and formulate an e-mail response template for complaints. These then had to be manually sent to tens of thousands of complainants.
The problem is real and getting worse, Joffe says. "One reason is blackhole lists, like MAPS, are being fragmented. Companies are installing their own spam filters. Spammers craft spam to get through. If you can put anything in [a return address line], you might as well put in things that will be received. .edus and .govs are very popular, so is .mil."
The How and Why of Spoof
Spam software can randomize the "from" line, so 1 million messages would not appear to come from, say, ClickZ (which would arouse the suspicion of an ISP). Randomize enough names, and the software will occasionally spit out a real one, belonging to a real company -- maybe yours.
There's some division of opinion on why spoofers choose the addresses they do. Margie Arbon, MAPS director of operations, says .edu addresses are used because universities often have open relays, so by cloaking yourself as a .edu you can get messages through them as if you were a legitimate user.
Then there are those spoofers who appropriate a real e-mail address. "Phishers" will mock up an ISP's site and e-mail you, telling you a new ID needs to be entered, with a link to the fake page provided. Once they have your password, they hack your account and send e-mail as you.
"I get a lot of bounces from mail I never sent," he told me, "but it's easy to explain to people I'm not a spammer. Customers are not that technically sophisticated. Spoofing is rarely done well -- it doesn't look professional or sophisticated. But people say, 'Oh, how nice.' Click. Boom."
As time goes on, Levine predicts, marketers are going to get more upset about spoofing, for which he says Windows security flaws are largely to blame. "Customers' perception is: If you get spam, it's fraudulent. I didn't know this company is a bunch of crooks," Levine said.
Spoofers use company names because, as Levine puts it, "most individuals don't have an identity worth defaming. You could send rude things to someone's coworkers or mother. It's well known political spam has been sent by the opposition. People do fake press releases all the time. People are a long way from understanding the way e-mail works."
Spoofers can be anyone. Spammers earn money sending massive volumes of e-mail. They can be competitors trying to cripple your business or disgruntled employees or irate customers out to "teach you a lesson." Attacks can be personally motivated or just random.
What precautions should you, as marketers, take against spoofing? What if your next bounced e-mail is from you and you never sent the message? Levine, Joffe, and Arbon gave me some suggestions:
Don't keep quiet -- whatever you do. Your company needs to acknowledge the problem, explain it to the aggrieved parties, and mop up external damage (even if internally you've taken a big hit).
Spoofers create the problem. It's up to you to provide a solution for your business -- and your brand.
Rebecca is on vacation this week. Today's column ran earlier on ClickZ.