> This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

> SpamCop security breach, Is it real, or a really good spoof?
eric
post Aug 13 2004, 07:38 PM
Post #1



I just received this email purporting to be from SpamCop. If it's real, it's troubling. If it's not real, it's a very good spoof, which is also troubling. There's no mention of this in the newsgroups or in the forums, nor on the announcements web page(s).

I'm purposely not posting the headers, if this is really from SpamCop management they'll recognize it and authenticate it. If it's a spoof, I'll make the headers available, but they all point to real SC IPAs. The timing might make the paranoid think it is connected with the crash and service outage for SC email filtering/webmail. (But just because you're paranoid doesn't mean you can't stumble across a coincidence now and again...)



Subject: SpamCop security breach
Date: Sat, 14 Aug 2004 00:25:43 GMT

Hello SpamCop user (or recipient of SpamCop reports),

We appologize for this email, but we felt it was important to let you know
of a recent security bug in the SpamCop codebase.

This problem was fixed within hours of its discovery, but unfortunately
your address was among the very small number that was revealed before
we were able to resolve the problem.

We want you to know that security remains our highest priority. We are
always working to ensure that your account information remains secure.

Please accept our sincere appologies for this serious oversight. If you
have any questions, comments or concerns you may reply to this email to
reach a SpamCop representative.

Thank you for your understanding,

- SpamCop management


--------------------
Eric
"In theory, theory and practice are the same. In practice, they rarely are."
Ralsky's Fatal Tumor
post Aug 13 2004, 07:53 PM
Post #2



QUOTE(eric @ Aug 13 2004, 07:38 PM)
I just received this email purporting to be from SpamCop.  If it's real, it's troubling.  If it's not real, it's a very good spoof, which is also troubling.  There's no mention of this in the newsgroups or in the forums, nor on the announcements web page(s).



I get the feeling that it might be related to this post here. What I don't understand is what the mail means. If it's a spoof, what are they trying to pull off? There's no request for info, no try to social engineer. If it's a legit mail, how is it helpful? I don't know how they could track which addresses had been compromised, so that makes me a little suspicious, but overall it just seems like either a) a badly worded support email or 2) a lame attempt at spooking you into discontinuing your work at SpamCop.

I wouldn't sweat it too much. If it's a spoof, they failed. If it's legit, someone will be along shortly to explain more.
dbiel
post Aug 13 2004, 07:57 PM
Post #3



Appears to be a valid email - see Post #8 by Ellen
The email has also been posted in another thread as well as in a later posting in this thread, see Post #6
Checking the headers, they appear to be from valid SpamCop servers.

see the following link which I think brought the issue to light BUGTRAQ: spamcop.net allows everyone to grab mail, recent vulnerability posting on Bugtraq which deals with access to the password files.

Will have to wait for management to fully validate if the message is valid.

It looks like Ralsky's Fatal Tumor types faster than I do as we seem to both be writing at the same time but he posted first.

Hindsight would tend to indicate that it is a very badly worded email.
The weird from and reply-to addresses should have been explained in the body of the message. (see DavidT's post below)
What seems to be missing from the email is what, if anything, the user is supposed to do about it, and to what extent the possible exposure is creating a problem, potentially additional spam?
Does the user need to change or create a password?
The email seems to raise more questions than it answers.

This post has been edited by dbiel: Aug 13 2004, 09:26 PM


--------------------
This forum is a user support forum. The Moderators and Forum Admin are volunteers (not paid) and have no special direct relationship with SpamCop.net.
If you have been unable to receive the assistance you need here please see How To Contact SpamCop Staff
Thank you for your participation in our peer to peer, user based forums.
Tigerjag
post Aug 13 2004, 08:07 PM
Post #4



I received a copy of it. I thought it was fake because of this line -


If you
have any questions, comments or concerns you may reply to this email to
reach a SpamCop representative.


I have not replied.
clytie
post Aug 13 2004, 08:25 PM
Post #5





I received it, my husband received one at the same time, as did an unused address at his work, our local ISP. I've posted in detail on the email forum, on the "Spamcop sends virus?" thread.

Although this spam doesn't ask the user to do anything much that would harm him or her, s/he is invited to reply, and the reply-to addresses are called "bounce" and "harvest", which could or could not be valid. There is a legitimate program called Harvest. It's quite confusing.

However, it could well be enough for a spammer to create this level of confusion among Spamcop members, to make us wonder, "Gee, if we can't even trust email from Spamcop..."

I gather that Spamcop may be engaged, as is their ongoing battle, in legal action with spammers. This type of email could be an effort to discredit Spamcop by a spammer.

Or maybe I'm just too paranoid ... but I've never heard a good answer to: "If I'm paranoid, how come I keep getting spam?"

I've posted the whole email, body and headers. below, even though the body was pasted above, it's easier to have it in one place. Hope that's OK. More detailed post in the Email forum, as stated above.

Hey, another thing that bugged me: spammers are so often bad or careless spellers: check out the word "appologise" at the beginning of the body! Do we get the extra "p" for free?

Thanks for posting here, my husband and I are still trying to work out this email...

from Clytie

________________________headers of suspect email pasted below_____________________

From: harvestbug[at]admin.spamcop.net
Subject: SpamCop security breach
Date: 14 August 2004 9:55:12 AM
To: clytie[at]riverland.net.au
Return-Path: <harvestbounces[at]admin.spamcop.net>
Delivered-To: clytie[at]riverland.net.au
Received: (qmail 24879 invoked from network); 14 Aug 2004 00:25:12 -0000
Received: from unknown (HELO vmx1.spamcop.net) (64.74.133.248) by 203.18.28.195 with SMTP; 14 Aug 2004 00:25:12 -0000
Received: from unknown (HELO spamcop.net) (192.168.19.201) by vmx1.spamcop.net with SMTP; 13 Aug 2004 17:25:13 -0700
Precedence: list
Message-Id: <wh411d5be8ge847[at]msgid.spamcop.net>
X-Mailer: http://www.spamcop.net/ v1.370

Hello SpamCop user (or recipient of SpamCop reports),

We appologize for this email, but we felt it was important to let you know
of a recent security bug in the SpamCop codebase.

This problem was fixed within hours of its discovery, but unfortunately
your address was among the very small number that was revealed before
we were able to resolve the problem.

We want you to know that security remains our highest priority. We are
always working to ensure that your account information remains secure.

Please accept our sincere appologies for this serious oversight. If you
have any questions, comments or concerns you may reply to this email to
reach a SpamCop representative.

Thank you for your understanding,

- SpamCop management


--------------------
Clytie Siddall –- Renmark, in the Riverland of South Australia
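The thread leans on the Received chain to decide whether the notice is genuine, so here is that check written out. This is an added example, not code from any post above: it parses a copy of the headers Clytie posted (with the "[at]" obfuscation undone) and separates two things that get conflated. One is whether the chain is internally consistent, each receiving relay being the one that hands the mail on next; any careful forger passes that by copying real headers. The other is which address actually connected to the recipient's own relay, 203.18.28.195, the one Received line the sender could not write. The set of known SpamCop relay addresses is an assumption taken from the thread's remark that the headers point at real SpamCop IPs; in practice build it from the sender's SPF record. The forged copy is constructed for contrast.

```python
import re
from dataclasses import dataclass
from email import message_from_string

# Constructed copy of the headers quoted in the thread, "[at]" restored to "@".
# 203.18.28.195 is the recipient's own relay; the hop it wrote is the only one we can trust.
GENUINE = """\
Return-Path: <harvestbounces@admin.spamcop.net>
Delivered-To: clytie@riverland.net.au
Received: (qmail 24879 invoked from network); 14 Aug 2004 00:25:12 -0000
Received: from unknown (HELO vmx1.spamcop.net) (64.74.133.248) by 203.18.28.195 with SMTP; 14 Aug 2004 00:25:12 -0000
Received: from unknown (HELO spamcop.net) (192.168.19.201) by vmx1.spamcop.net with SMTP; 13 Aug 2004 17:25:13 -0700
From: harvestbug@admin.spamcop.net
Subject: SpamCop security breach
Message-Id: <wh411d5be8ge847@msgid.spamcop.net>

Hello SpamCop user (or recipient of SpamCop reports),
"""

# Constructed forgery: the sender copies SpamCop's internal hop verbatim and says HELO as vmx1,
# but the recipient relay records the address that really connected (198.51.100.7).
FORGED = GENUINE.replace("(64.74.133.248)", "(198.51.100.7)")

# Assumption: treat vmx1's address as a known SpamCop relay because the thread says the
# headers point at real SpamCop IPs. Real deployments derive this from the sender's SPF record.
KNOWN_SPAMCOP_RELAYS = {"64.74.133.248"}
OUR_RELAY = "203.18.28.195"

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>\S+)"
)


@dataclass
class Hop:
    ip: str    # address the receiving relay saw connecting
    helo: str  # name the sender claimed, or the 'from' token when no HELO is logged
    by: str    # relay that wrote this Received header


def parse_hops(raw: str) -> list:
    """Received headers are prepended as the mail travels, so reverse them to get oldest-first.
    Local-delivery lines such as '(qmail ... invoked from network)' carry no relay info; skip them."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(Hop(m["ip"], (m["helo"] or m["from"]).lower(), m["by"].lower()))
    hops.reverse()
    return hops


def chain_is_consistent(hops) -> bool:
    """Each relay that received the mail should be the one handing it on in the next hop.
    A forger satisfies this by copying real headers, so it only catches sloppy forgeries."""
    return all(a.by == b.helo for a, b in zip(hops, hops[1:]))


def handoff_ip(hops, our_relay: str):
    """The connecting address recorded by our own relay; every hop below it is sender-supplied."""
    for hop in hops:
        if hop.by == our_relay:
            return hop.ip
    return None


def assess(raw: str, our_relay: str, known_relays: set) -> dict:
    hops = parse_hops(raw)
    ip = handoff_ip(hops, our_relay)
    return {
        "hops": len(hops),
        "consistent_chain": chain_is_consistent(hops),
        "handoff_ip": ip,
        "from_known_relay": ip in known_relays,
    }


if __name__ == "__main__":
    print("genuine:", assess(GENUINE, OUR_RELAY, KNOWN_SPAMCOP_RELAYS))
    print("forged: ", assess(FORGED, OUR_RELAY, KNOWN_SPAMCOP_RELAYS))
```

Run it and the genuine copy hands off from 64.74.133.248, while the forgery keeps a perfectly consistent chain and a correct HELO but hands off from an address nobody lists. That is the case the HELO string and the lower Received lines can never detect, and why "the headers all point to real SC IPs" should mean "the IP my own relay logged is one of theirs", not "the names in the chain look right".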
DavidT
post Aug 13 2004, 08:40 PM
Post #6





It is probably a legitimate administrative message, and I think I can explain the "harvestbug" and "harvestbounces" addresses. As mentioned before, there was a security bug with the SpamCop system that was only recently reported and fixed. But, when the breach was made public, people were able to enter random URLs on the SpamCop site, each time displaying the actual email address of a SC user.

This could be used to "harvest" the addresses, so that's probably why the name "harvestbug" was used on these notifications, and "harvestbounces" is a secondary address to catch bounces.

DT
Lou
post Aug 13 2004, 09:01 PM
Post #7





QUOTE
Does the user need to change or create a password?
The email seems to raise more quesitons that it answers.


Yes. Concerns are present, but the silence is deafening!

If you have any questions, comments or concerns you may reply to this email to reach a SpamCop representative.

I think I'll try that, and see if spams to my registered email address increase. At worst, it will validate my address to a spammer, and cause me to trash that address.
Ellen
post Aug 13 2004, 09:07 PM
Post #8





QUOTE(eric @ Aug 13 2004, 07:38 PM)
I just received this email purporting to be from SpamCop.  If it's real,





yes it is real -- there was a security breach and a small number of email addresses *escaped*.


--------------------
Ellen
SpamCop - Retired

Please do not Private Message me.
Ellen
post Aug 13 2004, 09:10 PM
Post #9





QUOTE(Ralsky's Fatal Tumor @ Aug 13 2004, 07:53 PM)
If it's a legit mail, how is it helpful? I don't know how they could track which addresses had been compromised, so that makes me a little suspicious, but overall it just seems like either a) a badly worded support email or 2) a lame attempt at spooking you into discontinuing your work at SpamCop.

I wouldn't sweat it too much. If it's a spoof, they failed. If it's legit, someone will be along shortly to explain more.


It is real and we have logs and thusly could determine who to send the emails to. Some email addresses were revealed, a small number. No other information was revealed.


Ellen
post Aug 13 2004, 09:13 PM
Post #10





QUOTE(Lou @ Aug 13 2004, 09:01 PM)
Yes. Concerns are present, but the silence is deafening!

If you have any questions, comments or concerns you may reply to this email to reach a SpamCop representative.

I think I'll try that, and see if spams to my registered email address increase. At worst, it will validate my address to a spammer, and cause me to trash that address.




Well I am sorry for the *deafening silence* -- as far as I can tell the emails were sent out around 8:15 or so EDT and I had incautiously gone out to dinner and so I am slightly behind the curve on responding :-)


Lou
post Aug 13 2004, 09:19 PM
Post #11





Ellen -

Thank you for your response. I did not intend my post to be a slight against you personally. However you must realize that such a significant breach of security is bound to raise concerns among members. Hopefully you noted that some of the initial queries here were unsure if the emails were real or spoofs, and the absence of a "trusted" / official note here raised even more concerns.

Yes, the emails were sent by the "real" spamcop organization. However, the critical question remains:
What, if anything, should affected members do as a result of our supposedly secure email addresses being compromised?
kylesk
post Aug 13 2004, 09:50 PM
Post #12





QUOTE(Lou @ Aug 13 2004, 10:19 PM)
However you must realize that such a significant breach of security is bound to raise concerns among members.
[snip]
What, if anything, should affected members do as a result of our supposedly secure email addresses being compromised?

I agree there's a flawed model here. I suppose the good news is that this kind of thing doesn't happen enough to allow for the "practice makes perfect" improvements. YET -- I too would have preferred a URL or some other manner of notification, such as a news page -- that Spamcop updates seconds before sending off such an e-mail as corroboration. My initial response was that this notice was legitimate -- but, like the others, grew skeptical before "replying to ask questions" as the e-mail suggests. I presume that my "Held Mail" will truly overflow now? Yikes. I anxiously await what we should do now...

Kyle
eric
post Aug 13 2004, 10:02 PM
Post #13





It does seem as though the worst to expect might be spammers sending email to, and forging sender addresses using, the SpamCop addresses which were harvested. According to Ellen in private email, only email addresses were revealed, no other information (passwords, secret submit address code, etc.). Only the most clueless spammers (and spammers are truly clueless) would send spam to a SpamCop email address. And it's not as though getting bombarded with errant bouncy-grams due to forged sender addresses is anything new.

Hey, maybe this is a conspiracy by the SAN storage companies to sell SC and Ironport more disk space! We'll need it for our Held Mail


TheMadCow
post Aug 13 2004, 11:49 PM
Post #14





Nice to know that I'm part of "small percentage" that had their accounts compromised. This must be what it feels like to be a Microsoft user. Can't say that I like it. This is now fixed and won't happen again, yes?

Regards,

Geoff Miller
Wazoo
post Aug 14 2004, 12:47 AM
Post #15





OK, dropping my hardware issues for a bit, playing a bit of catch-up and consolidation of data found here and there .....

Security breach was the now famous BugTraq entry, dealing with the password change mechanism. Yes, the mechanism was changed, but in the few hours between the published issue and the fix, there appear to have been a number of folks that were busy "trying" the exploit. So, the data "seen" pretty much appears to basically boil down to the "Welcome yourname[at]someaddress.txt" string. So worst case, some addresses may have been harvested, but that seems like a pretty useless exercise. More likely is that all these exploit attempts were just folks checking to see if it was actually true. What hasn't been seen is a rash of complaints from folks that did in fact have their passwords changed by someone else.

From data offered, it would appear that some log files have been analyzed and the range of "secret code / addresses" were sent this letter (and that includes myself) I will agree that the content, spelling, lack of some specifics did set me off seeing it also, but couldn't argue with the headers. If I had to guess, I'd say that Julian wrote it himself, and ran it through some process to reach all the 'exposed' folks, which is probably more where his focus was placed. (again, just an opinion)
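Wazoo's and Ellen's point that the logs determined who got the letter is worth making concrete, because it is the same scoping job every breach notification starts with. The block below is an added example, not SpamCop's code: the endpoint path /pwchange?id=NNN, the exposure window, the log lines and the ID-to-address directory are all constructed, since the thread names none of them. It takes combined-format web server log lines, keeps only successful hits on the leaky URL between disclosure and fix, derives the set of IDs whose "Welcome <address>" string was actually rendered, builds the notification list, and sorts the requesting clients into "checked once to see if it was true" versus "walked the ID space", which is the distinction Wazoo draws.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Everything here is constructed: the page names neither the URL, the window, nor any log line.
EXPOSED_PATH_RE = re.compile(r"^/pwchange\?id=(?P<uid>\d+)$")  # hypothetical leaky URL
DISCLOSED = datetime(2004, 8, 12, 20, 0, tzinfo=timezone.utc)    # Bugtraq post goes public
FIXED = datetime(2004, 8, 13, 1, 0, tzinfo=timezone.utc)         # patched handler deployed
DIRECTORY = {1001: "alice@example.org", 1002: "bob@example.net", 1003: "carol@example.com"}

LOG = """\
198.51.100.7 - - [12/Aug/2004:21:02:11 +0000] "GET /pwchange?id=1001 HTTP/1.1" 200 512
198.51.100.7 - - [12/Aug/2004:21:02:12 +0000] "GET /pwchange?id=1002 HTTP/1.1" 200 511
198.51.100.7 - - [12/Aug/2004:21:02:12 +0000] "GET /pwchange?id=1003 HTTP/1.1" 200 509
198.51.100.7 - - [12/Aug/2004:21:02:13 +0000] "GET /pwchange?id=1004 HTTP/1.1" 404 210
203.0.113.9 - - [12/Aug/2004:22:15:40 +0000] "GET /pwchange?id=1001 HTTP/1.1" 200 512
203.0.113.9 - - [12/Aug/2004:19:30:00 +0000] "GET /pwchange?id=1050 HTTP/1.1" 200 515
192.0.2.44 - - [13/Aug/2004:03:10:00 +0000] "GET /pwchange?id=1002 HTTP/1.1" 403 180
192.0.2.44 - - [12/Aug/2004:23:00:00 +0000] "GET /reports HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text: str) -> list:
    """Combined-format lines to dicts; lines that do not parse are dropped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "path": m["path"],
                "status": int(m["status"]),
            })
    return records


def exposures(records, start, end) -> list:
    """(client, user_id) for every request that actually rendered the greeting inside the window.
    A 404 (no such ID) or a post-fix 403 showed nothing, so neither counts as an exposure."""
    pairs = []
    for r in records:
        m = EXPOSED_PATH_RE.match(r["path"])
        if m and r["status"] == 200 and start <= r["ts"] <= end:
            pairs.append((r["ip"], int(m["uid"])))
    return pairs


def affected_users(records, start, end) -> set:
    return {uid for _, uid in exposures(records, start, end)}


def sources(records, start, end, scan_threshold: int = 3) -> dict:
    """Distinct IDs pulled per client. One or two hits is someone checking whether the Bugtraq
    post was true; a client at or above the threshold was harvesting."""
    seen = defaultdict(set)
    for ip, uid in exposures(records, start, end):
        seen[ip].add(uid)
    return {ip: {"ids": sorted(ids), "harvester": len(ids) >= scan_threshold}
            for ip, ids in seen.items()}


def notification_list(records, start, end, directory) -> tuple:
    """Addresses to send the notice to, plus any exposed IDs the directory no longer resolves."""
    uids = affected_users(records, start, end)
    return (sorted(directory[u] for u in uids if u in directory),
            sorted(u for u in uids if u not in directory))


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("notify:", notification_list(recs, DISCLOSED, FIXED, DIRECTORY))
    for ip, info in sources(recs, DISCLOSED, FIXED).items():
        print(ip, "harvester" if info["harvester"] else "curious", info["ids"])
```

One caveat the thread itself raises: a hit on the page before public disclosure looks identical whether it was the account owner or an early reader of the Bugtraq post, so the window between disclosure and fix is the narrowest defensible scope, not a proof that nothing leaked earlier. The 404 and 403 lines are there to show a non-existent ID and a request after the fix, neither of which rendered an address.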
clytie
post Aug 14 2004, 04:58 AM
Post #16





I'm still confused, sorry.

Is this right?

1. It is a genuine email from Spamcop, however vague and badly-spelt.

2. The people who received it did have their addresses compromised in some way.

3. This was an attempt by Spamcop to explain/communicate/apologize? It's not really very definite information of any kind, AFAI can see, that's one reason why I still feel confused about this.

4. We don't know what the next step is.

I am sure the vast majority of users here, and possibly of the global population, are less confused about this than I am: can somebody please clear this up in plain, definite language (and may I suggest, put it somewhere prominent and obvious)?

Thanks for replies, I can see you are trying to help, there's just too much cotton wool somewhere in between, quite possibly between my ears.

from Clytie

This post has been edited by clytie: Aug 14 2004, 04:59 AM


Wazoo
post Aug 14 2004, 05:28 AM
Post #17





What is it in my last that seems to leave you confused?
Ellen
post Aug 14 2004, 10:04 AM
Post #18





QUOTE(Lou @ Aug 13 2004, 09:19 PM)
Ellen -

Yes, the emails were sent by the "real" spamcop organization.  However, the critical question remains:
What, if anything, should affected members do as a result of our supposedly secure email addresses being compromised?




I don't think anyone should do anything as there seems to be nothing happening with the use of the email addresses. I have one of the compromised email addresses and nothing is happening with it. It happens to be an email address that has not been used for at least 2 years -- longer actually -- and nothing interesting is happening. It used to get an extremely low level of spam and still does and I can see no changes as a result of the exploit -- other than the fact that I had totally forgotten I even owned that address and when I looked at it I found some mail from 2002 that I had never answered :-) and a low level of spam dating back to 2002, 2003 ...

Compare that to a domain that I own that is not easily associated with me and never was used for any registered SC account. That domain started being dictionary attacked about 3 or 4 months ago and is now getting well over 6000 spams a day ... the domain has no website and hasn't had one for over 2 years, never had anything about SC on it ...

So I think that there is no reason to take any action now. Obviously I can't foretell the future but I think the odds are that nothing interesting will result from this.


Ellen
post Aug 14 2004, 10:13 AM
Post #19





QUOTE(TheMadCow @ Aug 13 2004, 11:49 PM)
Nice to know that I'm part of "small percentage" that had their accounts compromised. This must be what it feels like to be a Microsoft user. Can't say that I like it. This is now fixed and won't happen again, yes?

Regards,

Geoff Miller




The site has been carefully examined and we don't see that this can happen again. Obviously we take this extremely seriously. Can I guarantee that there will never ever be any problem in the future? No I can't guarantee that but I can tell you that there has been and continues to be close scrutiny of the system. The exploit was due to a url that showed the email address associated with a user ID -- nothing else. Not the password or any other information. It was *not* a break-in to the user database records.


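Ellen's description, a URL that returned the address tied to a user ID and nothing else, is the textbook insecure direct object reference, and the fix is not to hide the URL but to bind the ID to the caller. The block below is an added example, not SpamCop's code: the user table, the server secret and the token format are all constructed. It shows the leaky greeting as the thread describes it, a harvest loop that walks IDs against it (what Wazoo's "folks busy trying the exploit" were doing), the hardened version that only answers for the session's own principal and fails identically for "not yours" and "does not exist" so it is not an enumeration oracle, and an HMAC-bound, expiring token for the password-change case where no session exists yet.

```python
import hashlib
import hmac

# Constructed user table; the page does not show SpamCop's schema or the real URL.
USERS = {1001: {"email": "alice@example.org"}, 1002: {"email": "bob@example.net"}}
# Assumption: a server-side key that never reaches the client.
SECRET = b"constructed-server-secret-rotate-me"


class Forbidden(Exception):
    pass


def welcome_page_vulnerable(user_id: int) -> str:
    """The flaw as the thread describes it: the page greets whichever ID the URL names,
    so anyone can walk the ID space and read 'Welcome <address>' for every account."""
    return f"Welcome {USERS[user_id]['email']}"


def harvest(page, id_range) -> list:
    """What a harvester does: request each ID in turn and keep whatever comes back."""
    found = []
    for uid in id_range:
        try:
            found.append(page(uid)[len("Welcome "):])
        except (KeyError, Forbidden):
            pass
    return found


def welcome_page_fixed(user_id: int, session_user_id) -> str:
    """Hardened: the ID in the URL must match the principal the session authenticates.
    'Wrong user' and 'no such user' raise the same error, so responses do not reveal which IDs exist."""
    if session_user_id is None or session_user_id != user_id or user_id not in USERS:
        raise Forbidden("not your account")
    return f"Welcome {USERS[user_id]['email']}"


def issue_change_token(user_id: int, secret: bytes, now: int, ttl: int) -> str:
    """For a password-change link that must work without a session: tie the ID to an HMAC
    and an expiry, so the link cannot be edited to point at another account or reused later."""
    body = f"{user_id}.{now + ttl}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def redeem_change_token(token: str, secret: bytes, now: int):
    """Return the user ID the token was issued for, or None if it is malformed, altered or expired."""
    try:
        uid, exp, mac = token.split(".")
        expected = hmac.new(secret, f"{uid}.{exp}".encode(), hashlib.sha256).hexdigest()
    except ValueError:
        return None
    if not hmac.compare_digest(mac, expected) or now > int(exp):
        return None
    return int(uid)


if __name__ == "__main__":
    print("vulnerable page, IDs 1000-1004:", harvest(welcome_page_vulnerable, range(1000, 1005)))
    print("fixed page, same scan as user 1001:",
          harvest(lambda uid: welcome_page_fixed(uid, 1001), range(1000, 1005)))
    tok = issue_change_token(1001, SECRET, now=1_000_000, ttl=3600)
    print("token redeems to:", redeem_change_token(tok, SECRET, now=1_000_100))
```

Against the vulnerable page the scan returns every address in the range; against the fixed page it returns only the scanner's own, and with no session it returns nothing. The token functions cover the one case where a bare ID in a URL is tempting, a password-change link mailed to the user: the HMAC makes the ID unforgeable and the expiry limits how long a leaked link is useful.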
chazlin
post Aug 16 2004, 03:27 PM
Post #20





I received the same message... No mention of it on SpamCop site that I can find. Seems like a spoof, or a big problem for SpamCop. I would very much like to know which.

<Wazoo snipped entire quote of a previous posting with no additional content or purpose indicated>

This post has been edited by Wazoo: Aug 16 2004, 03:33 PM
