mschmitt Posted November 2, 2013 Share Posted November 2, 2013 Hi, a few weeks ago I posted my concern about SpamCop email addresses and passwords being exposed (passed in the clear) by the SpamCop reporting system: http://forum.spamcop.net/forums/index.php?showtopic=13607. A similar concern was posted by chriswp in March 2012: http://forum.spamcop.net/forums/index.php?showtopic=12256 And another type of security vulnerability in May: http://forum.spamcop.net/forums/index.php?showtopic=13280 None of these posts have any replies from SpamCop, the SpamCop Mail service or anyone else. With all the recent news about email security I think this needs attention. How can I contact someone in the SpamCop Mail service? Or get an official comment? Link to comment Share on other sites More sharing options...
SpamCopAdmin Posted November 2, 2013 Share Posted November 2, 2013 The reporting system doesn't know your password, and besides, it doesn't play any part in spam reporting. The parse deletes your email address from the report anywhere it appears in the spam, unless you have elected to not "Obscure identifying information", or unless you have cleverly entered your email address as the "Display Name" used on all outgoing report. - Don D'Minion - SpamCop Admin - - Service[at]Admin.SpamCop.net - . Link to comment Share on other sites More sharing options...
Farelf Posted November 3, 2013 Share Posted November 3, 2013 ... How can I contact someone in the SpamCop Mail service? ... Don has answered authoritatively 86437[/snapback] on the security of the reporting system. It could be even more secure than that - I have my reporting preferences, report-handling options set to "Leave spam copies intact" (that is no munging of identifying information) yet when I use the "Review reports" button (for pasted-in submissions) the review report is resolutely and comprehensively munged of such identifying data! Maybe my preferences need refreshing**. But, admittedly, those are not "https" pages. In matters of e-mail system security and other e-mail operational matters (that is, issues other than spam reporting and SCbl issues), spamcop.net and cesmail.net users have a "problems" reporting button on their mail account page (following log-in), alternatively use http://mail.spamcop.net/contact.php OR send an e-mail to either support[at]cesmail.net or support[at]spamcop.net (those are interchangeable, both go to a cesmail.net MX). All covered in the FAQs and SCWiki but sympathetic there is rather a lot to look at in those, even with the help of the several "Search" facilities provided. Although this is (or was set up as) an official support site for the e-mail service, there is no guarantee that a representative of the service would have seen something in the "New Feature Request" section in a timely fashion (which is dominated by suggestions for the reporting service that is run separately). But I suppose they could hardly miss it now it has been referenced in this "SpamCop Email System & Accounts" section HTH P.S. **Ah yes, refreshing ("Save Prefernces" again) worked - evidently the default is "munged" ("Obscure identifying information") and the setting can (sometimes) revert to that even though the member preference page shows otherwise - erring on the side of caution then. Link to comment Share on other sites More sharing options...
mschmitt Posted November 3, 2013 Author Share Posted November 3, 2013 The reporting system doesn't know your password, and besides, it doesn't play any part in spam reporting. The parse deletes your email address from the report anywhere it appears in the spam, unless you have elected to not "Obscure identifying information", or unless you have cleverly entered your email address as the "Display Name" used on all outgoing report. - Don D'Minion - SpamCop Admin - - Service[at]Admin.SpamCop.net - . The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear. Link to comment Share on other sites More sharing options...
michaelanglo Posted March 27, 2014 Share Posted March 27, 2014 The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear. So if it used https, would that be better ? Link to comment Share on other sites More sharing options...
silentlarry Posted March 27, 2014 Share Posted March 27, 2014 The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear. This has been bothering me for a long time. When I'm on certain public wi-fi hotspots, I won't anywhere near logging in to report via the webpage. I just stop reporting. So if it used https, would that be better ? I'd say that, plus using secure cookies, would pretty much be the entire point here. Spamcop is lagging behind the times on this. Probably this should have been posted in a different forum though. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.