
BUGTRAQ: spamcop.net allows everyone to grab mail


compsecgeek


Has there been any comment or movement to address this issue, released on Bugtraq today?

--CSG

From: Henning Schmiedehausen <hps[at]intermeta.de>
To: BUGTRAQ[at]securityfocus.com
Organization: INTERMETA - Gesellschaft fuer Mehrwertdienste mbH
Date: Tue, 10 Aug 2004 19:23:05 +0200

Hi,

spamcop.net is a service for tracking spammers. It offers free and paid subscription services, and ISP people responsible for various mail domains can register with spamcop to be informed when spam is originating from a local mail address.

The spamcop.net service offers an account management page on their web site where you can reset the password. This page is reached via

SANITIZED

where <xxx> is a random number between 1 and roughly 1.6 million. This number determines which account is selected. After doing so, everyone can reset the password and the account mail address is displayed.

Impact: 1) Everyone can reset any spamcop password for a subscribed user. While the user gets his new password mailed, these mails might be simply ignored (especially in these phishing days where everyone gets a zillion passwords mailed each day). This allows a large DoS against spamcop and its user base.

2) By writing a simple loop, a spammer can pull all the registered (and probably read) mail addresses from spamcop.net, turning spamcop into a large "valid addresses for free" site.

Spamcop.net has been informed (info[at]spamcop.net, abuse[at]spamcop.net, postmaster[at]spamcomp.net) on Jul 27th. No reaction yet.

Regards
Henning

--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH
hps[at]intermeta.de +49 9131 50 654 0 http://www.intermeta.de/
RedHat Certified Engineer -- Jakarta Turbine Development -- hero for hire
Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but refusing to acknowledge that there might be weaknesses in one's position - in order to identify them so that they can be remedied - is a large enough problem with the Open Source movement that it deserves to be on this list of the top five problems."
--Michelle Levesque, "Fundamental Issues with Open Source Software Development"

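As an added illustration, not SpamCop's code and not part of the original post, the following Python models the two designs the advisory contrasts: a reset page keyed by a guessable sequential account number, which lets anyone reset any account and echoes the address back (the "simple loop" harvest of impact 2), and a reset keyed by a random, single-use, expiring token that is mailed to the account's own address and never disclosed by the endpoint. The account table, the addresses, the token lifetime and all function names are constructed for the example.

```python
"""Added example, not SpamCop's code: the enumerable-ID reset the advisory
describes, next to a token-based reset that neither lets a stranger reset an
account nor discloses its address. Accounts, addresses and names are constructed."""
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed account table keyed by a small sequential ID, as on the
# advisory's page (there, IDs ran from 1 to roughly 1.6 million).
ACCOUNTS: Dict[int, Dict[str, str]] = {
    1: {"email": "alice@example.net", "password": "hunter2"},
    2: {"email": "bob@example.org", "password": "letmein"},
    3: {"email": "carol@example.com", "password": "s3cret"},
}


def vulnerable_reset(account_id: int) -> Optional[str]:
    """Models the flawed page: the URL's number alone selects the account,
    the password is replaced, and the address is shown to the caller."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    acct["password"] = secrets.token_urlsafe(8)   # impact 1: forced reset
    return acct["email"]                           # impact 2: address disclosure


def harvest(max_id: int) -> List[str]:
    """The advisory's 'simple loop': walk the ID space and collect addresses.
    Every hit also locks the victim out until they act on the mailed password."""
    found = []
    for account_id in range(1, max_id + 1):
        email = vulnerable_reset(account_id)
        if email is not None:
            found.append(email)
    return found


# Hardened flow: the reset is keyed by a random token (256 bits of entropy
# versus about 21 bits for 1.6 million sequential IDs), bound to one account,
# single-use, and expiring. The endpoint never reveals whether an address exists.
TOKEN_TTL_SECONDS = 3600
_pending: Dict[str, Tuple[int, float]] = {}   # token -> (account_id, expiry)


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a token for the account owning `email`. The return value stands in
    for the message sent to that mailbox; an HTTP front end would answer with
    the same generic 'if that address exists, mail has been sent' either way."""
    now = time.time() if now is None else now
    for account_id, acct in ACCOUNTS.items():
        if acct["email"] == email:
            token = secrets.token_urlsafe(32)
            _pending[token] = (account_id, now + TOKEN_TTL_SECONDS)
            return token
    return None


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token. A wrong, reused or expired token fails identically."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)   # pop: the token is gone after one use
    if entry is None:
        return False
    account_id, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[account_id]["password"] = new_password
    return True


if __name__ == "__main__":
    print("harvested by walking IDs 1..5:", harvest(5))
    tok = request_reset("bob@example.org")
    print("token-based reset succeeds once:", complete_reset(tok, "new-pw"),
          "then fails:", complete_reset(tok, "again"))
```

The point of the token design is that the secret travels only to the mailbox on file, so the web request carries nothing an attacker can count up to; the one-time pop and the expiry bound the window during which a leaked or intercepted token is usable.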

> Pretty bad selection of notify addresses. Note dropped to Don & Deputies. Thanks for the heads up.

No problem. I figured this would be a safe way to get the message to the appropriate parties. In his defense, I couldn't find any Security contacts listed on the website either.

--CSG


> Pretty bad selection of notify addresses. Note dropped to Don & Deputies.

...and I sent one to the "support" address, just to cover the bases. This appears to be a VERY serious problem.

Also, I suggest that the URL be removed from the original post in this thread, otherwise it will soon be Google'd and become part of the searchable archive.

dt


> Also, I suggest that the URL be removed from the original post in this thread, otherwise it will soon be Google'd and become part of the searchable archive.

I sanitized it here, but if Google doesn't have it already, it will soon, as the posting is archived at SecurityFocus.

--CSG


> Pretty bad selection of notify addresses. Note dropped to Don & Deputies. Thanks for the heads up.

These would be the RFC standard notify addresses (info is extra). Since SpamCop is in rfc-ignorant, he may have sent them knowing that they would not make it anywhere.

Plus, the one month notice to publish time is a bit on the short side.

...Ken


Earlier today, the URL in the original posting, when given a proper numerical parameter at the end was indeed giving out addresses, as mentioned in the BUGTRAQ article. I just tried the URL again, with random numbers, and it's now producing an "500 Internal Server Error," so I'm pretty sure that the problem has now been fixed by an administrator.

dt


Don was aware of the issue a number of hours ago; the issue was being addressed. Now I'm seeing all sorts of complaints about 500 internal errors, and I can't hit my login page either, so it's apparent that something is going on with the database / control mode. As far as hiding things: multiple posts all afternoon over in the newsgroups, and various other places on the 'net'. No doubt the "bad guys" have known this for quite a while also.


> Are there any further updates as to the status of this issue?

Apologies, I guess .... otherwise occupied of late ...

First of all, the alleged original notification went to addresses that send an auto-response with 'real' addresses to get hold of someone. The individual that allegedly reported the issue did not follow up and use one of these 'real' addresses; one could guess that a fake e-mail address was used, thus the responses were never seen, or that the info was ignored for some reason. At any rate, the SpamCop admin staff learned about the issue the same time everyone else did, Julian went to work, disabled stuff, re-wrote stuff, and the issue (though not as bad as was suggested) has been handled. All taken care of within a few hours, and that includes the time passed while waiting for someone to read their e-mail to get the 'fixed' note from Julian to begin with, then get around to saying something about it over in the newsgroups.


2 weeks later...

> where <xxx> is a random number between 1 and roughly 1.6 million. This number determines which account is selected. After doing so, everyone can reset the password and the account mail address is displayed.
>
> Impact: 1) Everyone can reset any spamcop password for a subscribed user. While the user gets his new password mailed, these mails might be simply ignored (especially in these phishing days where everyone gets a zillion passwords mailed each day).

Another reason that the IP addresses of the actual emailer/reporter should be logged!!!!!


> Another reason that the IP addresses of the actual emailer/reporter should be logged!!!!!

Don't follow your perspective. The use of logs is what allowed a follow-on e-mail to accounts that had been "looked at" while this situation was active. There are IPs associated with reports, but the flip side is that a registered SpamCop reporter can report from anywhere. So again, I don't know what your remarks are actually pointed at.


> Don't follow your perspective. The use of logs is what allowed a follow-on e-mail to accounts that had been "looked at" while this situation was active. There are IPs associated with reports, but the flip side is that a registered SpamCop reporter can report from anywhere. So again, I don't know what your remarks are actually pointed at.

I believe the IP address of the reporter is recorded. Deputies have been able to confirm to me the IP address from which a report was made. Not the spam, the report.

It would seem to me to be useful information for SC to retain. For example, if a reporter is suspended because of violations, having records of the reporting IP address might be handy in deciding whether to reinstate with new magic token or continue a banishment.

Yes, a SC reporter can report from anywhere, but over time there will tend to be a pattern connecting the various IPs used by a reporter, and a departure from that pattern might indicate a breach or forgery. And fitting the pattern might indicate the need for user retraining ;)

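As an added example, not SpamCop's code and not part of the post above, this Python sketches the per-reporter source pattern the post suggests keeping: each reporter's reports are walked in time order, the /24 network of every report is learned as part of that reporter's history, and a report from a network the reporter has never used before is flagged once enough history exists to make "never before" meaningful. The log lines, reporter names, the /24 grouping and the history threshold are all constructed for the example.

```python
"""Added example, not SpamCop's code: flag reports whose source network departs
from the reporter's established pattern. The log lines below are constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log: "<timestamp> <reporter> <source_ip>", one report per line,
# deliberately not in time order so that the sort in parse_log matters.
LOG = """\
2004-08-01T08:01:00 reporterA 203.0.113.17
2004-08-01T10:00:00 reporterB 198.51.100.40
2004-08-02T08:05:00 reporterA 203.0.113.22
2004-08-03T19:40:00 reporterA 198.51.100.9
2004-08-04T08:02:00 reporterA 203.0.113.30
2004-08-06T10:00:00 reporterB 198.51.100.41
2004-08-05T03:15:00 reporterA 192.0.2.77
"""

Event = Tuple[str, str, str]   # (timestamp, reporter, source_ip)


def parse_log(text: str) -> List[Event]:
    """Split the constructed lines and sort by timestamp (ISO 8601 strings of
    equal length sort correctly as plain text)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reporter, ip = line.split()
        ipaddress.ip_address(ip)          # reject garbage early
        events.append((ts, reporter, ip))
    return sorted(events)


def source_network(ip: str, prefix: int = 24) -> str:
    """Collapse an address to its /prefix network: a reporter on a dynamic
    range moves around inside one network far more often than across them."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def flag_departures(events: List[Event], prefix: int = 24,
                    min_history: int = 2) -> List[Event]:
    """Walk reports in time order. A report from a network the reporter has not
    used before is flagged, but only once min_history earlier reports exist, so
    a brand-new reporter does not trip the check on its first few reports.
    Returns the flagged (timestamp, reporter, ip) tuples in order."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    count: Dict[str, int] = defaultdict(int)
    flagged: List[Event] = []
    for ts, reporter, ip in events:
        net = source_network(ip, prefix)
        if count[reporter] >= min_history and net not in seen[reporter]:
            flagged.append((ts, reporter, ip))
        seen[reporter].add(net)
        count[reporter] += 1
    return flagged


if __name__ == "__main__":
    for ts, reporter, ip in flag_departures(parse_log(LOG)):
        print(f"{ts} {reporter} reported from unfamiliar network {ip}")
```

As the preceding replies note, a registered reporter may legitimately report from anywhere, so a flag here is a prompt to look (a second factor, a confirmation mail, a deputy's eye), not a reason to block the report on its own; the threshold and the prefix length are the two knobs that trade missed departures against noise.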
