Jump to content

FR: aditional email protection in reports


cabbey

Recommended Posts

Lately I've seen a rise in the instances of my email address being passed along in the spam reports instead of being obfuscated with X.

This is happening in two locations lately:

1. the from header, usually looking like: $random_first_name $random_last_name <my_address[at]my.domain>, but I've also seen the address "encoded" as my_address_my_domain[at]bogus.domain, or as naimod.ym[at]sserdda_ym.$random_country_code (turn the address around backwards and slap on a random country code.) I've probably seen this in 70 to 80 spams this week.

2. the subject. This one I've only seen once, and it was mirrored backwards as above.

Can we please get the obfuscator updated with these new tricks? especially the from header, since it seems common all of a sudden.

Link to comment
Share on other sites

... in the meantime - are you aware you're allowed to 'manually' munge your name-address in spam? There are some limits/qualifications which you need to be aware of if you want to do that and it may not be practicable, especially if you are submitting by email - just checking. A recent discussion was http://forum.spamcop.net/forums/index.php?showtopic=10296

Also, what you see before you submit/release the report may not reflect the munging that is applied to the material sent out - though a report preview should show that, also the saved tracking URL version of the spam will show the full munging (when the browser address window is showing "http://www.spamcop.net/sc?id=z... ...z" as opposed to "http://members.spamcop.net/sc?id=z... ...z"). Have you verified it is as unmunged as it first appears? From what you say, it probably is, just checking again.

I confess I am no longer sure about the "From:", "Reply-To:" and "Return-Path:" headers. It has been said they are never munged but I imagine I have seen otherwise.

You have, of course, got your preferences set to munge your reports? That is the default. There is a school of thought (most/many of the 'old hands') that it is unnecessary to munge - but others disagree.

Link to comment
Share on other sites

... in the meantime - are you aware you're allowed to 'manually' munge your name-address in spam? There are some limits/qualifications which you need to be aware of if you want to do that and it may not be practicable, especially if you are submitting by email - just checking. A recent discussion was http://forum.spamcop.net/forums/index.php?showtopic=10296

Yep, aware of that... and as you say it's not practical anyway.

Also, what you see before you submit/release the report may not reflect the munging that is applied to the material sent out - though a report preview should show that, also the saved tracking URL version of the spam will show the full munging (when the browser address window is showing "http://www.spamcop.net/sc?id=z... ...z" as opposed to "http://members.spamcop.net/sc?id=z... ...z"). Have you verified it is as unmunged as it first appears? From what you say, it probably is, just checking again.

Yeah, the report preview on the report page shows several addresses munged, but not these ones. The few past reports I've looked at have always matched what the preview showed.

Link to comment
Share on other sites

I confess I am no longer sure about the "From:", "Reply-To:" and "Return-Path:" headers. It has been said they are never munged but I imagine I have seen otherwise.

Back in December 2008 I posted trackers in the newsgroup for an example pair in one of which the "From:" was not munged (which is what commonly happens) and in the other the munging occured. They were otherwise very similar and no one had any suggestions as to why.

Yes, "Return-Path:" can be munged and is, even in a case where "From:" is not.

Link to comment
Share on other sites

Back in December 2008 I posted trackers in the newsgroup for an example pair in one of which the "From:" was not munged (which is what commonly happens) and in the other the munging occured. They were otherwise very similar and no one had any suggestions as to why.

Yes, "Return-Path:" can be munged and is, even in a case where "From:" is not.

Thanks michaelanglo, that must be part of what I was half-remembering. So the request would be for consistent munging in headers (address fields and any others, including "Subject:" specifically) and munging in body (HTML as well as text parts) when "Preferences->Reporting preferences->spam Munging" is set to "Obscure identifying information" and where 'identifying information' is the e-mail address or the left-hand (user-name) part of the address (or the reversed form of either/both), when alone or included in other strings. Phew.

Doesn't hurt to ask (and this is certainly the right forum to do that) but I suggest any reporter seriously concerned about munging NOT hold their breath waiting ... and, even if munging is upgraded, I must point out what has been said many times before - if "they" want to identify "your" spam by its content then there are potentially an almost infinite number of (other) opportunities to make that content unique and therefore "identifiable". Overcoming such would be an "arms race" SC could not possibly win although "they" would probably like very much for SC to try. "Their" fundamental problem in all of this is to get their hands on the reports to ISPs, so a huge part of it would be all bluff (which would be much more in keeping with the presumed typical spammer "business plan") since SC tries quite hard to ensure that doesn't happen. Just my opinion, but one I think shared by others.

NOT to detract from the suggestion, which has been put seriously, goes in part to the consistency of 'advertized function' and should be seriously considered accordingly - just saying anyone really concerned, with reason, about the spammer identifying their address and (somehow) accessing reports to ISPs to do so should probably upgrade their filtering/refrain from sending such reports/change to 'mole' status ... whatever, munging might be a thin defense in those few cases, dealing with atypical spammers - but I still think mostly they are typical spammers just puffing themselves up. Or, in the case of those 'only' consistently forging the reporter's own address for "From:" etc., cluelessly trying to slip through on whitelists.

Link to comment
Share on other sites

Yeah Farelf, consistency is what I'd like to see.

And there are certainly ways for the spammers to uniquely identify who they sent to other than this, so yeah, I'm not holding my breath on this as some form of crucial defense mechanism. But I do think a lot of spammers are "in cohouts" with their ISPs and are being fed these reports. About the only change in my reporting behavior now is to not report spammed websites as much when I see my email in the clear in the report.

In all reality, I'm finding that the mailhosts support, now that I have it configured, is cutting back on the reports back to the folks I think are the spammers pretty well... or at least it's cutting back on the 'noise' reports going to innocent networks named in the forged headers. A win either way.

Link to comment
Share on other sites

...In all reality, I'm finding that the mailhosts support, now that I have it configured, ... (is) cutting back on the 'noise' reports going to innocent networks named in the forged headers. ...
That's exactly what mailhosting is all about, but that's another story. FWIW I fully support your request about putting consistency into the munging, just to make that clear to others reading here and in case their stamina fails in trying to get that far. :D

[edit] Title subject added to aid future searches

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...