mschmitt

SpamCop email security


Hi, a few weeks ago I posted my concern about SpamCop email addresses and passwords being exposed (passed in the clear) by the SpamCop reporting system: http://forum.spamcop.net/forums/index.php?showtopic=13607.

A similar concern was posted by chriswp in March 2012: http://forum.spamcop.net/forums/index.php?showtopic=12256

And another type of security vulnerability in May: http://forum.spamcop.net/forums/index.php?showtopic=13280

None of these posts have any replies from SpamCop, the SpamCop Mail service or anyone else.

With all the recent news about email security I think this needs attention.

How can I contact someone in the SpamCop Mail service? Or get an official comment?


The reporting system doesn't know your password, and besides, it doesn't play any part in spam reporting.

The parse deletes your email address from the report anywhere it appears in the spam, unless you have elected to not "Obscure identifying information", or unless you have cleverly entered your email address as the "Display Name" used on all outgoing reports.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

...

How can I contact someone in the SpamCop Mail service? ...

Don has answered authoritatively on the security of the reporting system. It could be even more secure than that - I have my reporting preferences, report-handling options set to "Leave spam copies intact" (that is no munging of identifying information) yet when I use the "Review reports" button (for pasted-in submissions) the review report is resolutely and comprehensively munged of such identifying data! Maybe my preferences need refreshing**. But, admittedly, those are not "https" pages.

In matters of e-mail system security and other e-mail operational matters (that is, issues other than spam reporting and SCbl issues), spamcop.net and cesmail.net users have a "problems" reporting button on their mail account page (following log-in), alternatively use http://mail.spamcop.net/contact.php OR send an e-mail to either support[at]cesmail.net or support[at]spamcop.net (those are interchangeable, both go to a cesmail.net MX). All covered in the FAQs and SCWiki but sympathetic there is rather a lot to look at in those, even with the help of the several "Search" facilities provided.

Although this is (or was set up as) an official support site for the e-mail service, there is no guarantee that a representative of the service would have seen something in the "New Feature Request" section in a timely fashion (which is dominated by suggestions for the reporting service that is run separately). But I suppose they could hardly miss it now it has been referenced in this "SpamCop Email System & Accounts" section :D

HTH

P.S. **Ah yes, refreshing ("Save Preferences" again) worked - evidently the default is "munged" ("Obscure identifying information") and the setting can (sometimes) revert to that even though the member preference page shows otherwise - erring on the side of caution then.

Edited by Farelf


The reporting system doesn't know your password, and besides, it doesn't play any part in spam reporting.

The parse deletes your email address from the report anywhere it appears in the spam, unless you have elected to not "Obscure identifying information", or unless you have cleverly entered your email address as the "Display Name" used on all outgoing reports.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -


The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear.


The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear.

So if it used https, would that be better?


The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear.

This has been bothering me for a long time. When I'm on certain public wi-fi hotspots, I won't go anywhere near logging in to report via the webpage. I just stop reporting.

So if it used https, would that be better?

I'd say that, plus using secure cookies, would pretty much be the entire point here. Spamcop is lagging behind the times on this.

Probably this should have been posted in a different forum though.
