Jump to content

SpamCop email security


Recommended Posts

Hi, a few weeks ago I posted my concern about SpamCop email addresses and passwords being exposed (passed in the clear) by the SpamCop reporting system: http://forum.spamcop.net/forums/index.php?showtopic=13607.

A similar concern was posted by chriswp in March 2012: http://forum.spamcop.net/forums/index.php?showtopic=12256

And another type of security vulnerability in May: http://forum.spamcop.net/forums/index.php?showtopic=13280

None of these posts have any replies from SpamCop, the SpamCop Mail service or anyone else.

With all the recent news about email security I think this needs attention.

How can I contact someone in the SpamCop Mail service? Or get an official comment?

Link to comment
Share on other sites

The reporting system doesn't know your password, and besides, it doesn't play any part in spam reporting.

The parse deletes your email address from the report anywhere it appears in the spam, unless you have elected to not "Obscure identifying information", or unless you have cleverly entered your email address as the "Display Name" used on all outgoing report.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

Link to comment
Share on other sites

...

How can I contact someone in the SpamCop Mail service? ...

Don has answered authoritatively 86437[/snapback] on the security of the reporting system. It could be even more secure than that - I have my reporting preferences, report-handling options set to "Leave spam copies intact" (that is no munging of identifying information) yet when I use the "Review reports" button (for pasted-in submissions) the review report is resolutely and comprehensively munged of such identifying data! Maybe my preferences need refreshing**. But, admittedly, those are not "https" pages.

In matters of e-mail system security and other e-mail operational matters (that is, issues other than spam reporting and SCbl issues), spamcop.net and cesmail.net users have a "problems" reporting button on their mail account page (following log-in), alternatively use http://mail.spamcop.net/contact.php OR send an e-mail to either support[at]cesmail.net or support[at]spamcop.net (those are interchangeable, both go to a cesmail.net MX). All covered in the FAQs and SCWiki but sympathetic there is rather a lot to look at in those, even with the help of the several "Search" facilities provided.

Although this is (or was set up as) an official support site for the e-mail service, there is no guarantee that a representative of the service would have seen something in the "New Feature Request" section in a timely fashion (which is dominated by suggestions for the reporting service that is run separately). But I suppose they could hardly miss it now it has been referenced in this "SpamCop Email System & Accounts" section :D

HTH

P.S. **Ah yes, refreshing ("Save Prefernces" again) worked - evidently the default is "munged" ("Obscure identifying information") and the setting can (sometimes) revert to that even though the member preference page shows otherwise - erring on the side of caution then.

Edited by Farelf
Link to comment
Share on other sites

The reporting system doesn't know your password, and besides, it doesn't play any part in spam reporting.

The parse deletes your email address from the report anywhere it appears in the spam, unless you have elected to not "Obscure identifying information", or unless you have cleverly entered your email address as the "Display Name" used on all outgoing report.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear.

Link to comment
Share on other sites

  • 4 months later...

The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear.

So if it used https, would that be better ?

Link to comment
Share on other sites

The point I'm trying to make is if you subscribe to the email service, the login to www.spamcop.net (such as for reporting held mail) is the email address and password, and the password is sent to the website in the clear.

This has been bothering me for a long time. When I'm on certain public wi-fi hotspots, I won't anywhere near logging in to report via the webpage. I just stop reporting.

So if it used https, would that be better ?

I'd say that, plus using secure cookies, would pretty much be the entire point here. Spamcop is lagging behind the times on this.

Probably this should have been posted in a different forum though.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...