
looks like SpamCop report exposes my real email address to potential spammers


md60614


Hi,

I rent my own domain with mail service provided by WebHostingPad. For a couple of weeks now, I've been getting quite a few (~20/day) messages that purport (in almost every case) to be from me, to me, advertising a great new job (EXACTLY the same body, down to whitespace, except the email indicated in the "please reply to" phrase and the "IDNO" of the job).

These messages are not actually coming through my mail server: "received:" in header is always a different IP addr. So far (and very thankfully), this is affecting only one of several email addresses on my domain. So I came to SpamCop to report it. (It may be relevant to note that I only use this email service for personal email: no business or web site has ever been associated with any of my email addresses.)

On SpamCop reporting site, the messages pass the filter and I can get to the page where I send the reports. When I hit the "preview reports" button, the message that will be sent to the originating domain (attached at the bottom) contains my domain name in "message id:" field and (much more troubling) my personal email address in the "from:" field (apparently because that's how they appear in the spoofed/forged email).

That's going to expose my email address to the owner of the domain. Fine if they're legitimate, but they're probably not, so now they know a human is attached to my email address, and they're likely to pile on even more spam (if not launch a DoS attack).

Is there a way to prevent SpamCop report from containing my email addr and/or domain if the email was a spoof/forgery to begin with? I've looked around in FAQ and forums, haven't found anything similar (... which I find rather surprising....).

-- mmd

email hosted through WebHostingPad (DKIM and SPF enabled)

Win7

usually Thunderbird 15.0.1, sometimes webmail interface

Comcast ISP

report as shown to me by SpamCop (real info replaced by XXX):

################################################################################

(Recipient:abuse[at]otenet.gr)

Received: from [76.16.99.252] by spamcop.net

with HTTP; Fri, 12 Oct 2012 15:54:14 GMT

From: preview[at]reports.spamcop.net

To: abuse[at]otenet.gr

Subject: [SpamCop (94.66.60.219) id:preview]Get a New Job Today

Precedence: list

Message-ID: <rid_preview[at]msgid.spamcop.net>

Date: Fri, 12 Oct 2012 08:43:01 -0500

X-SpamCop-sourceip: 94.66.60.219

X-Mailer: http://www.spamcop.net/ v4.6.2.001

[ SpamCop V4.6.2.001 ]

This message is brief for your comfort. Please use links below for details.

Email from 94.66.60.219 / Fri, 12 Oct 2012 08:43:01 -0500

http://www.spamcop.net/w3m?i=zpreviewz14ad...d4f3d0b8555992z

94.66.60.219 is open proxy, see: http://www.spamcop.net/mky-proxies.html

[ Offending message ]

-------- Original Message --------

Return-path: <godliervimw[at]spcollege.edu>

Envelope-to: x

Delivery-date: Fri, 12 Oct 2012 08:43:01 -0500

Received: from ppp-94-66-60-219.home.otenet.gr ([94.66.60.219]:28127)

by server312.webhostingpad.com with esmtp (Exim 4.77) (envelope-from

<godliervimw[at]spcollege.edu>) id 1TMfW1-000N0f-2e for x; Fri,

12 Oct 2012 08:43:01 -0500

Message-ID: <5078_______4020[at]XXX.net>

Date: Fri, 12 Oct 2012 15:43:20 +0200

From: <XXX[at]XXX.net>

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12)

Gecko/20101027 Thunderbird/3.1.6

MIME-Version: 1.0

To: <x>

Subject: Get a New Job Today

Content-Type: text/plain; charset=UTF-8; format=flowed

Content-Transfer-Encoding: 7bit

I would like to take this time to welcome you to our hiring process

and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,

recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation

Salary: Starting salary is $2000 per month plus commission, paid every month.

Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (US time).

Region: United States.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position

please reply to Madeleine[at]usajobbonline.com with your personal identification number for this position IDNO: 1912

################################################################################


Hi mmd,

Everyone who receives spam sooner or later gets to have their address spoofed as the sender ("From:") or as the "Return-path:"/"Reply-to" addresses. Sometimes both simultaneously. But I think you're right - even if you have a reporting account (http://members.spamcop.net) with the "Preferences" tab, "Report Handling Options" link, "Spam Munging" option set to "Obscure identifying information" (which I think is the default), I seem to recall that SC does not munge those particular fields in the reports to abuse-handlers. Nor is that within the (limited) scope of allowable changes to munge manually (spam body only - http://www.spamcop.net/fom-serve/cache/283.html and some subsequent clarifications to be found by searching this forum).

Usually the spam run spoofing your address does not last long (and then it becomes somebody else's turn). If you feel more secure while the present situation persists, you could withhold reports to the abuse-handlers (but still contribute to the spam statistics and blocklist weighting) by reverting to "mole reporting" (also under that "Spam Munging" item).

I was a mole reporter for years before turning 180 degrees and turning off report munging entirely ("Leave spam copies intact"). I get minimal spam. The fact is spammers can track reporters if they want to (obscure codes in the message body, etc., etc.) but (for some of us) it doesn't seem to make any difference. YMMV.


It is OK to delete your email address or personally identifying information from the spam before you submit it for reporting.

SpamCop looks for and deletes the "To" addresses wherever they appear in the spam, but it does not look for addresses that appear in the "From" field.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -


It is OK to delete your email address or personally identifying information from the spam before you submit it for reporting....

Ah, thanks Don - evidently I had forgotten it was also permitted to alter the headers in that case.

It is OK to delete your email address or personally identifying information from the spam before you submit it for reporting.

Can you tell me exactly how I do that? I can preview the report, but I don't see any way to edit the report before it's sent. (Else I wouldn't have posted in the first place.... ;) )

I use FireFox as much as I can, but it doesn't seem to be any different in IE (that is, I still don't have any options to edit before sending the report).

Please advise....

-- mmd


You are submitting spam as e-mailed attachment(s) then? You can edit whatever you paste into the webform submission box (the alternative submission method - via the member's page I was rabbiting on about above, the same place you go to validate/preview the spam submissions you had e-mailed) but I don't know of any way to edit the spam headers in a mail application.

You could "View entire message", once you're processing the "unreported spam", copy the message source, cancel the report then paste into the submission box, edit and submit again - but far easier to skip half of that simply by viewing the (full) message source in your mail application, copy then paste it into the submission box, edit and submit (and review the parse then send reports).

This whole drama should only be short-term, until "they" move on to the next spoofed sender address, if it follows the usual pattern. The next thing you might look forward to (if it is "standard") is a mass of non-delivery advices from clueless mail admins around the globe. Those are reportable too, since you never sent the messages they are bouncing and they should know better.

Steve


You are submitting spam as e-mailed attachment(s) then?

Yes, I had been submitting in bulk as multiple attachments. I guess I won't be doing that for messages that look like they came from me (will have to do them individually, or see if I can make it work with multiples with the edits you describe above).

Thanks!

Perhaps there could be an enhancement to the program that parses the email to look for (and replace) ANY occurrence of the user's email and/or domain when preparing the report, not just in certain fields? Possibly also user's domain? Or add an "edit" button when submitting in bulk/multiple attachments? (How does one make such a request?)

-- mmd


Posting this if anybody cares to know how I've made this easier for myself. Not elegant, definitely not all that efficient, but it is functional for my Win7/64 environment.

Set-up:

  • I downloaded "ReplaceText.vbs" from Replace Text in Plain Text Files from the Command Line and put it in a directory I can find easily.
  • I created a batch file (I call mine "process spam.bat"), in that directory, to go through all *.txt files in that directory and run them through ReplaceText for each of the strings I don't want to appear. For example:
    @echo off
    rem Munge my own identities in every saved spam (*.txt) in this directory.
    rem The forum shows "@" as "[at]"; in the real batch file it is a plain "@".
    rem ReplaceText.vbs rewrites each file in place; /I makes the match
    rem case-insensitive (see the p.s. below). Order matters: replace the full
    rem address first, then the bare domain, then the bare user name, so each
    rem later pattern is not hidden inside a placeholder already written.
    rem cscript //nologo keeps the script's messages on the console instead of
    rem popping up a dialog box.
    setlocal enabledelayedexpansion
    cd /d %~dp0
    for %%f in (*.txt) do (
    	cscript //nologo ReplaceText.vbs "%%f" uname1@domain1.net xxx@xxx.xxx /I
    	cscript //nologo ReplaceText.vbs "%%f" domain1.net xxx.xxx /I
    	cscript //nologo ReplaceText.vbs "%%f" uname1 xxx /I
    	cscript //nologo ReplaceText.vbs "%%f" uname2@domain2.net xxx@xxx.xxx /I
    	cscript //nologo ReplaceText.vbs "%%f" domain2.net xxx.xxx /I
    	cscript //nologo ReplaceText.vbs "%%f" uname2 xxx /I
    )


    Note that this will save the altered output in the original file (in place). And that you need "%%" in a batch script to indicate a variable (rather than a single %, which is what you'd use on the command line).

Now, when it's time to process spam, I

  1. save the offending emails as txt files to that directory (in Thunderbird, select the spam, right-click, "save selected messages" in "plain text format")
  2. run "process spam.bat" from that directory
  3. attach the resulting files on an email to my spamcop reporting address
  4. process on spamcop reporting web site as normal

WHOLE lot simpler and faster than trying to make the edits one-by-one.

Hope this helps someone else. :)

-- mmd


p.s. Add "/I" at the END of each line in "process spam.bat" to make the search case-insensitive. And you must turn on headers in your email program for the txt file(s) you create to have the required information (in Thunderbird: view/headers/all).


Thanks mmd, congratulations on sorting out something that works for you. I'm sure any others receiving quantities of spam with their addresses forged as From:/Reply-to: would be interested too. Is this still persisting, unabated, for you?

Followed your directions then emulated the process with plain text and HTML spam samples dummied to replicate the spoofed address in a small e-mailed batch and I can confirm it all "works like a bought one":

http://www.spamcop.net/sc?id=z5415053307z3...14c57cf89ae6a0z

http://www.spamcop.net/sc?id=z5415053306z7...d39155ebb3e56ez

Hmm ... should have included a sample "Content-Type: multipart/mixed" spam as well - but have no reason to suppose that would not work also.

We will have to see about including your method for retention in the permanent references - pinned at the top of this "Reporting Help" section at least.

Most users - not having their own domains - will probably not need to use/modify the batch file lines

ReplaceText.vbs "%%f" domain1.net xxx.xxx /I

ReplaceText.vbs "%%f" domain2.net xxx.xxx /I

- as that will usually munge parts of their provider's "Received:" lines as well which goes way beyond the need to protect anonymity and the detail may be found through the DNS records for the IP addresses included in those lines anyway, if RFC compliant. You are different, with your own domain and mail server, as you have explained.

If your reporting account has mailhosting set up and the parses are all good then I guess all is okay. Being a cautious type I would suggest you run it all past Don anyway - with tracking URLs like those I have posted (those are in the confirmation e-mails too - "[SpamCop] has accepted n emails for processing"). His e-mail address is at the foot of his earlier post. My tests didn't use/test those lines in any event.

Thanks for the excellent follow-up and do, please, let us know of any further developments. Intrigued that you are still being hit by such spam - that's not the "usual" pattern - though some of them might try the tactic on a continuing basis, as a lame attempt to bypass user filters, benefiting from any whitelisting of the users' own addresses (most users will not have an actual need to permanently whitelist their own addresses, though some/many seem to, until they stop and think about it).


  • 2 weeks later...

Hmm, so, it definitely worked a couple of times, but now it's not working at all. I'm still starting with txt files, still stripping out all the bits that I don't want propagated, but for the last several days, SpamCop rejects the emails when I forward them -- definitely when I send attachments in bulk, and nearly always even when I send an individual attachment. The error is:

SpamCop encountered errors while saving spam for processing:
SpamCop could not find your spam message in this email:

... Followed by multipart/MIME stuff -- clear boundaries between each message, etc. (Not that I know a lot about email formats, but it seems to be "normal," and it looks normal when I re-send the same message to another of my email accounts.)

.... but if I cut/paste the same info that I sent as an attachment into SpamCop web-based reporting, it goes through like a charm. ?!??!

Is there somewhere I can go for help?

I'd be happy to attach or email a file if anyone wants to look at it. It's kind of a pain to have to cut/paste each of 30-some messages per day.....

Anyone? Bueller?

-- mmd


<snip>

The error is:

SpamCop encountered errors while saving spam for processing:
SpamCop could not find your spam message in this email:

... Followed by multipart/MIME stuff -- clear boundaries between each message, etc. (Not that I know a lot about email formats, but it seems to be "normal," and it looks normal when I re-send the same message to another of my email accounts.)

.... but if I cut/paste the same info that I sent as an attachment into SpamCop web-based reporting, it goes through like a charm. ?!??!

...No expert I, either, but it sounds as if it *might* be an extraneous blank line within the headers or no blank line between the headers and the start of the spam body.
Is there somewhere I can go for help?

<snip>

...To the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net. It may take a workday or two for them to answer, so be a little patient. :) <g>
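The two practical points in this thread are the munge-before-submit step from mmd's batch file (replace your own address, domain and user name everywhere in the saved spam, full address before bare domain before bare user name) and the diagnosis in the reply above (a stray blank line in the headers, or no blank line before the body, makes the parser unable to find the message). The script below is an added example written for this page; it is not mmd's batch file and not SpamCop's own code. It does the same in-place replacement in Python and then checks the header/body split before you attach the file. The IDENTITIES entries are constructed placeholders to be replaced with your own; the two sample messages are constructed from the headers quoted in the thread with placeholder addresses, and the failing one has a blank line inserted after Return-path.

```python
import re
import sys
from pathlib import Path

# Identities to hide before the sample is submitted. Constructed placeholders:
# put your own address(es) and domain(s) here. Include the bare domain only if
# you own it; otherwise it would also munge your provider's Received: lines.
IDENTITIES = {
    "uname1@domain1.net": "xxx@xxx.xxx",
    "domain1.net": "xxx.xxx",
    "uname1": "xxx",
}

# RFC 5322 field name: printable ASCII except space and colon, then ':'.
FIELD = re.compile(r"^[!-9;-~]+:")
# Header names that, if found at the start of the body, mean the header
# block was cut short by a stray blank line.
HEADER_LIKE = re.compile(
    r"^(received|return-path|envelope-to|delivery-date|message-id|date|from|to|"
    r"subject|mime-version|content-type|content-transfer-encoding|x-[\w-]+):",
    re.IGNORECASE,
)


def munge_text(raw, identities=IDENTITIES, case_insensitive=True):
    """Replace every occurrence of each identity, longest pattern first.

    Longest-first is the same ordering as the batch file: the full address
    must be replaced before the bare domain, and the domain before the bare
    user name, or the later patterns would no longer match.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    for needle, placeholder in sorted(identities.items(), key=lambda kv: -len(kv[0])):
        raw = re.sub(re.escape(needle), placeholder, raw, flags=flags)
    return raw


def check_structure(raw):
    """Return the problems that would stop a parser from finding the spam."""
    problems = []
    text = raw.replace("\r\n", "\n")
    if "\n\n" not in text:
        return ["no blank line separating the headers from the body"]
    header_block, _, body = text.partition("\n\n")
    lines = header_block.split("\n")
    for number, line in enumerate(lines, start=1):
        folded = line[:1] in (" ", "\t") and number > 1
        if not (FIELD.match(line) or folded):
            problems.append(f"header line {number} is neither a field nor a continuation: {line!r}")
    if not any(line.lower().startswith("received:") for line in lines):
        problems.append("no Received: header in the header block, so no source IP to report")
    first_body_line = body.split("\n", 1)[0]
    if HEADER_LIKE.match(first_body_line):
        name = first_body_line.split(":", 1)[0]
        problems.append(f"body begins with a header field ({name}): stray blank line inside the headers?")
    if re.search(r"^content-transfer-encoding:\s*base64", text, re.IGNORECASE | re.MULTILINE):
        problems.append("a base64-encoded part is present; text replacement cannot munge inside it")
    return problems


def munge_file(path):
    """Munge one saved spam in place (latin-1 round-trips every byte) and return its problems."""
    raw = path.read_bytes().decode("latin-1")
    path.write_bytes(munge_text(raw).encode("latin-1"))
    return check_structure(raw)


# Constructed sample, built from the headers quoted in the thread with placeholder addresses.
GOOD_SAMPLE = (
    "Return-path: <godliervimw@spcollege.edu>\n"
    "Received: from ppp-94-66-60-219.home.otenet.gr ([94.66.60.219]:28127)\n"
    "\tby server312.webhostingpad.com with esmtp (Exim 4.77)\n"
    "\tid 1TMfW1-000N0f-2e for uname1@domain1.net; Fri, 12 Oct 2012 08:43:01 -0500\n"
    "Message-ID: <5078_4020@domain1.net>\n"
    "From: <UName1@domain1.net>\n"
    "To: <uname1@domain1.net>\n"
    "Subject: Get a New Job Today\n"
    "Content-Type: text/plain; charset=UTF-8; format=flowed\n"
    "\n"
    "please reply to Madeleine@usajobbonline.com with IDNO: 1912\n"
)
# The same message with a stray blank line after Return-path: the failure mode the reply describes.
STRAY_BLANK_SAMPLE = GOOD_SAMPLE.replace(
    "Return-path: <godliervimw@spcollege.edu>\n",
    "Return-path: <godliervimw@spcollege.edu>\n\n", 1)

if __name__ == "__main__":
    folder = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for spam in sorted(folder.glob("*.txt")):
        for problem in munge_file(spam):
            print(f"{spam.name}: {problem}")
```

Run it with the directory of saved messages as its argument; any file it flags is worth fixing (or pasting into the web form, which the thread reports accepts the same text) before attaching it. Two caveats carry over from the discussion: leave the bare-domain entry out of IDENTITIES unless the domain is yours, since it would otherwise rewrite your provider's Received: lines for no privacy gain, and plain text replacement cannot reach an address hidden inside a base64-encoded HTML part, which is why the check reports that case separately.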
