The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.
compsecgeek
Aug 10 2004, 01:05 PM
Post #1
Newbie | Group: Members | Posts: 6 | Joined: 31-May 04 | From: Massachusetts, USA | Member No.: 1714
Has there been any comment or movement to address this issue released on Bugtraq today??

--CSG

From: Henning Schmiedehausen <hps[at]intermeta.de>
To: BUGTRAQ[at]securityfocus.com
Organization: INTERMETA - Gesellschaft fuer Mehrwertdienste mbH
Date: Tue, 10 Aug 2004 19:23:05 +0200

Hi,

spamcop.net is a service for tracking spammers. It offers free and paid subscription services, and ISP people responsible for various mail domains can register with spamcop to be informed when spam is originating from a local mail address.

The spamcop.net service offers an account management page on their web site where you can reset the password. This page is reached via SANITIZED where <xxx> is a random number between 1 and roughly 1.6 million. This number determines which account is selected. After doing so, everyone can reset the password and the account mail address is displayed.

Impact:

1) Everyone can reset any spamcop password for a subscribed user. While the user gets his new password mailed, these mails might be simply ignored (especially in these phishing days where everyone gets a zillion passwords mailed each day). This allows a large DoS against spamcop and its user base.

2) By writing a simple loop, a spammer can pull all the registered (and probably read) mail addresses from spamcop.net, turning spamcop into a large "valid addresses for free" site.

Spamcop.net has been informed (info[at]spamcop.net, abuse[at]spamcop.net, postmaster[at]spamcomp.net) on Jul 27th. No reaction yet.

Regards
Henning

--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen
INTERMETA GmbH
hps[at]intermeta.de
+49 9131 50 654 0
http://www.intermeta.de/
RedHat Certified Engineer -- Jakarta Turbine Development -- hero for hire
Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but refusing to acknowledge that there might be weaknesses in one's position - in order to identify them so that they can be remedied - is a large enough problem with the Open Source movement that it deserves to be on this list of the top five problems."
--Michelle Levesque, "Fundamental Issues with Open Source Software Development"

This post has been edited by compsecgeek: Aug 10 2004, 02:37 PM
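As an added illustration (not code from the original post, the advisory, or SpamCop), the reset design Henning describes is shown beside a hardened version: the account stores, the `send_mail` callback standing in for SMTP, and the one-hour token lifetime are assumptions of this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a reset token, in seconds


def weak_reset(accounts_by_id, account_id, mail_password):
    """The design criticised in the advisory: a bare sequential id selects the
    account, the password is reset unconditionally and the address is echoed
    back, so the only protection is the size of the id space."""
    acct = accounts_by_id.get(account_id)
    if acct is None:
        return None
    acct["password"] = secrets.token_urlsafe(12)
    mail_password(acct["email"], acct["password"])
    return acct["email"]          # disclosed to whoever supplied the id


class ResetService:
    """Hardened flow: the only public input is an e-mail address, the reply is
    identical for known and unknown addresses (no enumeration), and the reset
    itself requires an unguessable single-use token that only the mailbox
    owner receives, so no stranger can change a password or learn an address."""

    def __init__(self, accounts, send_mail):
        self.accounts = accounts        # email -> {"password": str}
        self.send_mail = send_mail      # callable(to_addr, body); stands in for SMTP
        self.tokens = {}                # sha256(token) -> (email, expires_at)

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            # Store only a hash: a leaked token table cannot be replayed.
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + TOKEN_TTL)
            self.send_mail(email, f"Reset token: {token}")
        return "If that address is registered, a reset link has been mailed."

    def redeem(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop: single use, valid or not
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.accounts[email]["password"] = new_password
        return True
```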
Wazoo
Aug 10 2004, 01:56 PM
Post #2
What Life? | Group: Forum Admin | Posts: 12892 | Joined: 22-January 04 | From: Iowa | Member No.: 18
Pretty bad selection of notify addresses. Note dropped to Don & Deputies. Thanks for the heads up.
compsecgeek
Aug 10 2004, 02:06 PM
Post #3
Newbie | Group: Members | Posts: 6 | Joined: 31-May 04 | From: Massachusetts, USA | Member No.: 1714
QUOTE(Wazoo @ Aug 10 2004, 01:56 PM)

No problem. I figured this would be a safe way to get the message to the appropriate parties. In his defense, I couldn't find any Security contacts listed on the website either.

--CSG
DavidT
Aug 10 2004, 02:12 PM
Post #4
Been There | Group: Members | Posts: 1911 | Joined: 28-January 04 | Member No.: 63
QUOTE(Wazoo @ Aug 10 2004, 11:56 AM)

...and I sent one to the "support" address, just to cover the bases. This appears to be a VERY serious problem.

Also, I suggest that the URL be removed from the original post in this thread, otherwise it will soon be Google'd and become part of the searchable archive.

dt

This post has been edited by DavidT: Aug 10 2004, 02:27 PM
compsecgeek
Aug 10 2004, 02:30 PM
Post #5
Newbie | Group: Members | Posts: 6 | Joined: 31-May 04 | From: Massachusetts, USA | Member No.: 1714
QUOTE(DavidT @ Aug 10 2004, 02:12 PM)
Also, I suggest that the URL be removed from the original post in this thread, otherwise it will soon be Google'd and become part of the searchable archive.

I sanitized it here, but if Google doesn't have it already, it will soon, as the posting is archived at securityfocus.

--CSG

This post has been edited by compsecgeek: Aug 10 2004, 02:31 PM
loafman
Aug 10 2004, 03:12 PM
Post #6
Advanced Member | Group: Members | Posts: 125 | Joined: 29-January 04 | From: Plano, TX | Member No.: 98
QUOTE(Wazoo @ Aug 10 2004, 01:56 PM)
Pretty bad selection of notify addresses. Note dropped to Don & Deputies. Thanks for the heads up.

These would be the RFC standard notify addresses (info is extra). Since SpamCop is in rfc-ignorant, he may have sent them knowing that they would not make it anywhere. Plus, the one month notice to publish time is a bit on the short side.

...Ken
DavidT
Aug 10 2004, 03:22 PM
Post #7
Been There | Group: Members | Posts: 1911 | Joined: 28-January 04 | Member No.: 63
Earlier today, the URL in the original posting, when given a proper numerical parameter at the end, was indeed giving out addresses, as mentioned in the BUGTRAQ article. I just tried the URL again, with random numbers, and it's now producing a "500 Internal Server Error," so I'm pretty sure that the problem has now been fixed by an administrator.

dt
Wazoo
Aug 10 2004, 04:33 PM
Post #8
What Life? | Group: Forum Admin | Posts: 12892 | Joined: 22-January 04 | From: Iowa | Member No.: 18
Don was aware of the issue a number of hours ago; the issue was being addressed. Now I'm seeing all sorts of complaints about 500 internal errors, and I can't hit my login page either .. so it's apparent that something is going on with the database / control mode ... as far as hiding things ... multiple posts all afternoon over in the newsgroups, and various other places on the 'net' .. no doubt, the "bad guys" have known this for quite a while also ...
SpamCopAdmin
Aug 10 2004, 05:14 PM
Post #9
Advanced Member | Group: SpamCop Staff | Posts: 792 | Joined: 30-January 04 | Member No.: 138
The function has been disabled while we look into it.
Unfortunately, that's all I know about it.

- Don -
compsecgeek
Aug 11 2004, 01:44 PM
Post #10
Newbie | Group: Members | Posts: 6 | Joined: 31-May 04 | From: Massachusetts, USA | Member No.: 1714
Are there any further updates as to the status of this issue?
Wazoo
Aug 11 2004, 04:04 PM
Post #11
What Life? | Group: Forum Admin | Posts: 12892 | Joined: 22-January 04 | From: Iowa | Member No.: 18
QUOTE(compsecgeek @ Aug 11 2004, 01:44 PM)
Are there any further updates as to the status of this issue?

Apologies, I guess .... otherwise occupied of late ...

First of all, the alleged original notification went to addresses that send an auto-response with 'real' addresses to get hold of someone. The individual that allegedly reported the issue did not follow up and use one of these 'real' addresses .. one could guess that a fake e-mail address was used, thus the responses were never seen, or that info was ignored for some reason. At any rate, the SpamCop admin staff learned about the issue the same time everyone else did, Julian went to work, disabled stuff, re-wrote stuff, and the issue (though not as bad as was suggested) has been handled. All taken care of within a few hours, and that includes the time passed while waiting for someone to read their e-mail to get the 'fixed' note from Julian to begin with, then get around to saying something about it over in the newsgroups.
Rimmel
Aug 24 2004, 03:54 AM
Post #12
Newbie | Group: Members | Posts: 8 | Joined: 24-August 04 | Member No.: 2462
QUOTE
where <xxx> is a random number between 1 and roughly 1.6 million. This number determines which account is selected. After doing so, everyone can reset the password and the account mail address is displayed. Impact: 1) Everyone can reset any spamcop password for a subscribed user. While the user gets his new password mailed, these mails might be simply ignored (especially in these phishing days where everyone gets a zillion passwords mailed each day).

Another reason that the IP addresses of the actual emailer/reporter should be logged!!!!!

This post has been edited by Rimmel: Aug 24 2004, 03:55 AM
Wazoo
Aug 24 2004, 09:48 AM
Post #13
What Life? | Group: Forum Admin | Posts: 12892 | Joined: 22-January 04 | From: Iowa | Member No.: 18
QUOTE(Rimmel @ Aug 24 2004, 03:54 AM)
another reason that the IP addresses of the actual emailer/reporter should be logged!!!!!

Don't follow your perspective. The use of logs is what allowed a follow-on e-mail to accounts that had been "looked at" while this situation was active. There are IPs associated with reports, but the flip side is that a registered SpamCop reporter can report from anywhere. So again, I don't know what your remarks are actually pointed to.
eric
Aug 25 2004, 11:48 PM
Post #14
Member | Group: Members | Posts: 60 | Joined: 21-January 04 | From: California, USA | Member No.: 15
QUOTE(Wazoo @ Aug 24 2004, 06:48 AM)
Don't follow your perspective. The use of logs is what allowed a follow-on e-mail to accounts that had been "looked at" while this situation was active. There are IPs associated with reports, but the flip side is that a registered SpamCop reporter can report from anywhere. So again, I don't know what your remarks are actually pointed to.

I believe the IP address of the reporter is recorded. Deputies have been able to confirm to me the IP address from which a report was made. Not the spam, the report.

It would seem to me to be useful information for SC to retain. For example, if a reporter is suspended because of violations, having records of the reporting IP address might be handy in deciding whether to reinstate with a new magic token or continue a banishment. Yes, a SC reporter can report from anywhere, but over time there will tend to be a pattern connecting the various IPs used by a reporter, and a departure from that pattern might indicate a breach or forgery. And fitting the pattern might indicate the need for user retraining ;)

--------------------
Eric
"In theory, theory and practice are the same. In practice, they rarely are."