I just encountered what I consider to be a major flaw/problem with the webmail system. Those of you with SC email accounts are probably aware that you can define multiple "identities" in your Options and can then send mail "From" any of those alternate identities using the webmail system. For those of us who don't give out our actual SpamCop addresses, we can still send from the webmail system, but have it look as if it's coming from one of our other third-party email addresses. It didn't occur to me, however, that our actual SC addresses are being put in the outgoing email headers on those messages....they are.

Our true addresses are being embedded in the first "Received" line, as follows:


(I've put the munged variables in green, for clarity, and the "spamcop.net" can be either that or "cesmail.net" or "cqmail.net" depending upon which SC email domain hosts your address. Also the forum software substituted "[at]" for the "@" before cesmail.net)

Even though the address is somewhat mangled in that there's an additional "@cesmail.net" appended, it's still going out in headers and I don't think that's good or necessary. The potential problem is that our address is being revealed without our consent or control and is then subject to the potential problems found on all of the other machines/networks that receive the messages we send (botnets, harvesting/spamming worms, etc.).

No wonder I now receive spams directly at my spamcop.net address! I thought it was due to some other security breech, but it's probably due to the messages I've sent out using webmail. I haven't found mention of this anywhere else yet, so if anyone can find such mention, I'd be interested. I don't think this should be happening. I think that we need to ask JT to alter the mail server so that it doesn't add our actual addresses to the Received headers.

DT

Thanks for the heads up DT.

As it happens the issue doesn't trouble me. My SC Email address is out in the world already but it could be a problem for others I guess.

Andrew

I've always equated putting my SC address "out there" to be a bit like *daring* people to spam me. I've chosen to keep it private, but SpamCop's webmail system has taken that away from me, and I'm pretty frustrated. I think I might cross-post this over in the "mail" Usenet group and see if anyone cares....I hear mostly crickets chirping around here (except for you, Andrew).

DT

Some time in the past, maybe a couple of times, I checked to see if the 'real' address was revealed in headers when sending as a different account via the web mail. And I thought it did not. So either something has changed or I did check throughly. But I always use 'find' to check for such strings, so I don't think its something I would have missed.

Anyway I'd been treating mail sent from the web mail as bullet proof re my real address, so I appreciate the heads up that it's not.

Just now I checked to see if the same thing happens when sending via the SC SMTP server, and it does not. So I'll certainly stick with that.

Not to be picky but address harvesting from spamcop reports was not the topic of this discussion.
[edit That post has been moved, pointer (in quote) has updated to new topic]
The topic refers to sending regular email from spamcop webmail. When selecting a alternate account as the 'sending' address, the user's spamcop address would be revealed in the message headers. See OP.

FYI, I just did a quick test and it appears this is no longer the case.

Can anyone confirm? DavidT?

It sure wasn't....talk about hijacking a thread....hey, Wazoo...please see if you can split off those recent off-topic posts into some other thread having to do with the new topic that crept in here.

[edit - those posts moved to http://forum.spamcop.net/forums/index.php?showtopic=9333]


Yes, that was it, exactly.


Sure can...it's been fixed...case closed. :-)

DT