email address shown in reports

[abakker]

An email administrator responded to a spam report that I submitted. To my surprise it showed my email address in the headers in the spam report that Spamcop had submitted. The "To" field in the email headers contained my email address and it had not been replaced or deleted. This way malicious spam sites will get my email address when I submit spam. Should Spamcop not remove my email address from the "To" field (and possibly other places)?

Andre Bakker

[StevenUnderwood]

I am going to assume you are looking at the actual report sent out and not just assuming that because the message returned to you had your address on it.

First, what kind of account do you have? Free, Paid reporting, Email with unlimited reporting?

If paid (either account), do you have the "spam Munging" set to "Leave spam copies intact" in the Preferences section?

If free or paid, do you ever check the boxes that state accept only unmunged reports?

Either of these things will leave your address available to the reportee. Personally, I do both and it has neither increased nor decreased the amount of spam I receive. It may have changed the spammers that send it to me, however, with some dropping my name and others adding it to more lists.

[abakker]

To answer your questions:

- I looked at the actual report sent out.

- I have a free account.

- I never check boxes to accept unmunged reports.

[Wazoo]

I looked at the actual report sent out.

but you don't say what you saw ....

Are you going to provide a Tracking URL of the spam report in question?

I don't know you, haven't seen past postings by you, so don't know where the comfort level might be in judging your expertise in reading headers might be. I know you state that your e-mail address is in the To: line of the original spam contained within the spam complaint. However, there is the possibility that the ISP responded to the complain, which would have gone to "report number [at] spamcop.net, which then would have been forwarded to your "registered" e-mail account .. and you're now looking at the To: line in that particular e-mail ...???

[abakker]

The ISP replied to the spam report, the email I recieved looked like this:

to: report number[at]spamcop.net

...

comment from ISP

>

> ...

> to: my_email_address

> ...

> spam message

>

In other words, my email address occured in the to: string in the quoted message included in the reply.

[Miss Betsy]

IIUC, you received a reply from an ISP who quoted the spamcop report which had your email address unmunged. Then you checked the original spamcop report and confirmed that your email address was unmunged although you never send unmunged reports and do not have that in your preferences.

Since we can't see what you see, anything that we say is a guess. The email address has to be in a certain form for spamcop to mung it, for one thing.

However, there are so many ways that if a spammer wanted to identify reporters, he could easily do so without seeing the munged spamcop addresses.

If it is an address that is already getting spam, there is little point in trying to hide the address. The reason that spamcop does it, is that in the beginning spammers thought they could stop reporting by intimidating individual reporters. That didn't work so if your address is getting spam, the spammers know it already and don't care if you report.

IOW, if this is what you are concerned about, then it probably is not something you need to be concerned about. Whether it is a bug or an instance where there is a subtle change in the email address that keeps the parser from identifying it doesn't really matter in keeping your email address from the spammers hands.

Since I didn't think that free users had access to sent reports, are you saying that you looked at the preview of the report, all was munged as usual, but when the ISP sent the reply to the report address, the report was now unmunged?

Miss Betsy

[SpamCopAdmin]

The ISP replied to the spam report, the email I recieved looked like this:

to: report number[at]spamcop.net

If you want to send me that "report number[at]spamcop.net" address, I'll be happy to look into it.

- Don -

[sundaypuncher82]

I'm pretty sure its a reply that was forwarded to you from spamcop. I recieve those too, and at first I thought they had my address. But when I went back and looked at the full headers I saw that spamcop actually sent me the email. Not sure if thats the case for you but something to look in to.

Good luck!

[abakker]

Unfortunately the actual email got automatically deleted from one of my folders. Sorry, I should have saved it. Next time I get one I'll save it and include it in the forum discussion.

Yes, the spammer has my email address, but I wondered why my email address was used several times as the sender (from field) in spam. It is my guess that some spammers use the email addresses of spamcop reporters for this. I would not like spammers to get my email address through spamcop, as this increases the changes that my email address will be misused even more.

I guess my question really is: does spamcop a global string replace of my email address before a report is sent? Could spamcop somehow have missed my email address and left it unchanged?

[Spambo]

Could spamcop somehow have missed my email address and left it unchanged?

Yes, but normally it finds the email addresses unless they are in non-standard headers or in a non-standard format (such as user#domain.tld, or ROT-13 encoded addresses). The non-standard format is often found at the end of spamvertised URLs.

If you're concerned about your address being revealed you can click on the "Preview Reports" button and use your browser's text search feature to search the reports for your email address, user name, or any other string - but this does add to the amount of time it takes to process each spam report.

Or, if you're submitting your spams at the web site, you can manually munge your email address before submitting the spam. Again this adds to the amount of time you'll spend processing your spam.

[Miss Betsy]

It is my guess that some spammers use the email addresses of spamcop reporters for this.

Spammers do not single out spamcop reporters for using their email addresses in the From.

I would not like spammers to get my email address through spamcop, as this increases the changes that my email address will be misused even more

Then you had better stop reporting. There is no way to mung reports so that the spammer (if he wants to know) cannot identify them. Most experienced reporters do not mung at all because they have discovered that it makes no difference in the amount of spam that they receive and gives a slight advantage to whitehat ISPs in finding culprits.

Miss Betsy

[abakker]

I looked at Preview Reports before submitting spam and found a report which still has my email address in it. It follows below, my email address <user[at]domain> occurs in the report. I suggest that spamcop should replace my email address. A global string replace on the entire report, not just certain headers, might be a solution.

SpamCop - your complaint has not been sent.

CLICK YOUR BROWSER'S BACK BUTTON TO SEND REPORTS!

################################################################################

(Recipient:abuse[at]nl.uu.net)

Received: from [80.127.91.214] by spamcop.net

with HTTP; Mon, 14 Jun 2004 10:06:04 GMT

From: preview[at]reports.spamcop.net

To: abuse[at]nl.uu.net

Subject: [spamCop (195.109.198.169) id:preview]Neue Voelkerwanderung droht!

Precedence: list

Message-ID: <rid_preview[at]msgid.spamcop.net>

Date: 14 Jun 2004 07:59:10 -0000

X-SpamCop-sourceip: 195.109.198.169

X-Mailer: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; FunWebProducts-MyWay)

via http://www.spamcop.net/ v1.331

[ SpamCop V1.331 ]

This message is brief for your comfort. Please use links below for details.

Email from 195.109.198.169 / 14 Jun 2004 07:59:10 -0000

http://www.spamcop.net/w3m?i=zpreviewz14ad...d4f3d0b8555992z

[ Offending message ]

Return-Path: <boera[at]mcrz.nl>

X-Flags: 0000

Delivered-To: GMX delivery to <user[at]domain>

Received: (qmail 30886 invoked by uid 65534); 14 Jun 2004 07:59:18 -0000

Received: from postbode03.zonnet.nl (EHLO postbode03.zonnet.nl) (62.58.50.90)

by mx0.gmx.net (mx037) with SMTP; 14 Jun 2004 09:59:18 +0200

Received: (qmail 23242 invoked by uid 10); 14 Jun 2004 07:59:17 -0000

Received: (vexira-qq 23236-2D28A462 invoked from network) 14 Jun 2004 09:59:17 +0200

Received: from unknown (HELO qmail02.zonnet.nl) ([10.170.1.106])

(envelope-sender <boera[at]mcrz.nl>)

by 10.170.1.118 (qmail-ldap-1.03) with SMTP

for < >; 14 Jun 2004 07:59:17 -0000

Received: (qmail 28487 invoked by uid 32042); 14 Jun 2004 07:59:15 -0000

Received: (qmail 28359 invoked by uid 0); 14 Jun 2004 07:59:12 -0000

Received: from unknown (HELO postbus03.zonnet.nl) ([10.170.1.115])

(envelope-sender <boera[at]mcrz.nl>)

by qmail02.zonnet.nl (qmail-ldap-1.03) with SMTP

for < >; 14 Jun 2004 07:59:12 -0000

Received: (qmail 31902 invoked by uid 10); 14 Jun 2004 07:59:12 -0000

Received: (vexira-qq 31765-D67399D5 invoked from network) 14 Jun 2004 09:59:10 +0200

Received: from unknown (HELO doglomsb.nl) ([195.109.198.169])

(envelope-sender <boera[at]mcrz.nl>)

by postbus03.zonnet.nl (qmail-ldap-1.03) with SMTP

for < >; 14 Jun 2004 07:59:10 -0000

Delivered-To: x

Delivered-To: CLUSTERHOST postbus03.zonnet.nl x

Cc: recipient list not shown: ;

From: boera[at]mcrz.nl

Date: Mon, 14 Jun 2004 07:56:34 GMT

MIME-Version: 1.0

Subject: Neue Voelkerwanderung droht!

Importance: Normal

X-Priority: 3 (Normal)

Message-ID: <ab63__________________mail[at]mcrz.nl>

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset="us-ascii"

X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.16; VAE: 6.25.0.62; VDF: 6.25.0.92; host: postbus03.zonnet.nl)

X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.16; VAE: 6.25.0.62; VDF: 6.25.0.92; host: postbode02.zonnet.nl)

X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)

X-GMX-Antispam: 0 (Mail was not recognized as spam)

Lese selbst:

http://www.volksgemeinschaft.org/neuevoelk...derungdroht.htm

################################################################################

[Miss Betsy]

found a report which still has my email address in it. It follows below, my email address xxxxxxx[at]xxx.xxx

By publishing your email address in a public forum you are giving it to the spammers to harvest.

As I said before, spamcop does a minimal job of munging. The reason is to provide an unedited spam in the report. In order to effectively catch all the identifiers (some of those funny combinations of letters are your email address in code), the spam email would have to be changed substantially and be essentially unusable for an abuse desk to use to track down the culprit.

Experienced reporters do not mung anything because they have found it does not make a difference in the amount of spam they receive.

Miss Betsy

[abakker]

Well, I suggest that Spamcop would do a better job a munging. I fail to see why replacing my email address would make the spam report useless for an abuse desk.

Even if it would sometimes still be possible to find my email address, there is no reason not to make it harder. Just because it cannot be 100% perfect is not a good reason not make it better.

Munging my email address may or may not reduce the amount of spam, but it could avoid that a spammer uses my email address as the sender (From field) in future spam and could avoid telling a spammer that my email address is in use. Whether you believe spammers do this or not may make this a hypothetical question, but in my view it would be better to munge email addresses just in case.

[Miss Betsy]

On the post, there is an edit button where you can mung your email address in your previous post.

There is no particular evidence that spammers use email addresses in spam reports in the From: There is evidence that spammers simply rotate their list through the From: address. So if you are on a spammer list, then you will get your name forged in the From regardless of whether you report or JHD.

Well, I suggest that Spamcop would do a better job a munging. I fail to see why replacing my email address would make the spam report useless for an abuse desk.

In the beginning of spamcop, spammers did retaliate against reporters which is why the most obvious email addresses are munged. There are too many reporters now for spammers to make an impression with retaliation so there is little risk of allowing the spammer to know that you reported.

However, some do like to 'listwash' - remove reporters' names from their lists. It is not so much that removing all instances of one's email address that makes the spam useless for an abuse desk, it is because, in order to keep the spammer from identifying the reporter, the spam run, etc., etc. one would have to remove almost everything since codes can be inserted in almost every place in the email (except the line where your ISP stamps it received). There is no point to munging email addresses to protect you since there are innumerable ways to identify you /if/ the spammer wants to and those ways cannot be munged. If he doesn't want to, then he won't look at the unmunged email addresses. If he does want to, he will look at the other codes since he can't be sure the email addresses have not been munged.

The only reason spamcop probably still munges is because it doesn't matter much one or the other and Julian has other, more important things to think about.

If you are uncomfortable with your email address in the spamreport, then you had better stop reporting.

Miss Betsy

[StevenUnderwood]

If you are uncomfortable with your email address in the spamreport, then you had better stop reporting.

Or as I believe mentioned earlier, munge the message yourself before submitting, but make sure you do not submit that to any sites that require unmunged reports.

I do agree, however, that the

Delivered-To: GMX delivery to user[at]domain

line should be one that is munged as the later Delivered-To: lines are.

[turetzsr]

...FWIW, whenever I check the reports with "Preview Reports," my e-mail address (any all others in the "Subject," "To," "Cc" and "Bcc" lines) are munged (replaced by "x"). Admittedly, I don't check frequently.

[turetzsr]

...Ah, it happened to me today! My SMTP address was on the "From:" line and it seems to have gone to the abuse mailboxes that way.