SpamCop security breach

[eric]

I just received this email purporting to be from SpamCop. If it's real, it's troubling. If it's not real, it's a very good spoof, which is also troubling. There's no mention of this in the newsgroups or in the forums, nor on the announcements web page(s).

I'm purposely not posting the headers, if this is really from SpamCop management they'll recognize it and authenticate it. If it's a spoof, I'll make the headers available, but they all point to real SC IPAs. The timing might make the paranoid think it is connected with the crash and service outage for SC email filtering/webmail. (But just because you're paranoid doesn't mean you can't stumble across a coincidence now and again...)

Subject: SpamCop security breach

Date: Sat, 14 Aug 2004 00:25:43 GMT

Hello SpamCop user (or recipient of SpamCop reports),

We appologize for this email, but we felt it was important to let you know

of a recent security bug in the SpamCop codebase.

This problem was fixed within hours of its discovery, but unfortunately

your address was among the very small number that was revealed before

we were able to resolve the problem.

We want you to know that security remains our highest priority. We are

always working to ensure that your account information remains secure.

Please accept our sincere appologies for this serious oversight. If you

have any questions, comments or concerns you may reply to this email to

reach a SpamCop representative.

Thank you for your understanding,

- SpamCop management

[Ralsky's Fatal Tumor]

I just received this email purporting to be from SpamCop.  If it's real, it's troubling.  If it's not real, it's a very good spoof, which is also troubling.  There's no mention of this in the newsgroups or in the forums, nor on the announcements web page(s).

15149[/snapback]

I get the feeling that it might be related to this post here. What I don't understand is what the mail means. If it's a spoof, what are they trying to pull off? There's no request for info, no try to social engineer. If it's a legit mail, how is it helpful? I don't know how they could track which addresses had been compromised, so that makes me a little suspicious, but overall it just seems like either a) a badly worded support email or 2) a lame attempt at spooking you into discontinuing your work at SpamCop.

I wouldn't sweat it too much. If it's a spoof, they failed. If it's legit, someone will be along shortly to explain more.

[dbiel]

Appears to be a valid email - see Post #8 by Ellen

The email has also been posted in another thread as well as in a later posting in this thread see Post #6

Checking the headers they appear to be from vaild SpamCop servers.

see the following link which I think broght the issue to light BUGTRAQ: spamcop.net allows everyone to grab mail, recent vulnerability posting on Bugtraq which deals with access to the password files.

Will have to wait for management to fully validate if the message is valid.

It looks like Ralsky's Fatal Tumor types faster than I do as we seem to both be writing at the same time but he posted first.

Hind sight would tend to indicate that is is a very badly worded email.

The weird from and reply to addresses should have been explained in the body of the message. (see DavidT's post below)

What seems to be missing from the email is what if anything is the user suppose to do about it, and to what extent is the possible exposure creating a problem, potentially additional spam?

Does the user need to change or create a password?

The email seems to raise more quesitons that it answers.

[Tigerjag]

I received a copy of it. I thought it was fake because of this line -

If you

have any questions, comments or concerns you may reply to this email to

reach a SpamCop representative.

I have not replied.

[clytie]

I received it, my husband received one at the same time, as did an unused address at his work, our local ISP. I've posted in detail on the email forum, on the "Spamcop sends virus?" thread.

Although this spam doesn't ask the user to do anything much that would harm him or her, s/he is invited to reply, and the reply-to addresses are called "bounce" and "harvest", which could or could not be valid. There is a legitimate program called Harvest. It's quite confusing.

However, it could well be enough for a spammer to create this level of confusion among Spamcop members, to make us wonder, "Gee, if we can't even trust email from Spamcop..."

I gather that Spamcop may be engaged, as is their ongoing battle, in legal action with spammers. This type of email could be an effort to discredit Spamcop by a spammer.

Or maybe I'm just too paranoid ... but I've never heard a good answer to: "If I'm paranoid, how come I keep getting spam?"

I've posted the whole email, body and headers. below, even though the body was pasted above, it's easier to have it in one place. Hope that's OK. More detailed post in the Email forum, as stated above.

Hey, another thing that bugged me: spammers are so often bad or careless spellers: check out the word "appologise" at the beginning of the body! Do we get the extra "p" for free?

Thanks for posting here, my husband and I are still trying to work out this email...

from Clytie

________________________headers of suspect email pasted below_____________________

From: harvestbug[at]admin.spamcop.net

Subject: SpamCop security breach

Date: 14 August 2004 9:55:12 AM

To: clytie[at]riverland.net.au

Return-Path: <harvestbounces[at]admin.spamcop.net>

Delivered-To: clytie[at]riverland.net.au

Received: (qmail 24879 invoked from network); 14 Aug 2004 00:25:12 -0000

Received: from unknown (HELO vmx1.spamcop.net) (64.74.133.248) by 203.18.28.195 with SMTP; 14 Aug 2004 00:25:12 -0000

Received: from unknown (HELO spamcop.net) (192.168.19.201) by vmx1.spamcop.net with SMTP; 13 Aug 2004 17:25:13 -0700

Precedence: list

Message-Id: <wh411d5be8ge847[at]msgid.spamcop.net>

X-Mailer: http://www.spamcop.net/ v1.370

Hello SpamCop user (or recipient of SpamCop reports),

We appologize for this email, but we felt it was important to let you know

of a recent security bug in the SpamCop codebase.

This problem was fixed within hours of its discovery, but unfortunately

your address was among the very small number that was revealed before

we were able to resolve the problem.

We want you to know that security remains our highest priority. We are

always working to ensure that your account information remains secure.

Please accept our sincere appologies for this serious oversight. If you

have any questions, comments or concerns you may reply to this email to

reach a SpamCop representative.

Thank you for your understanding,

- SpamCop management

[DavidT]

It is probably a legitimate administrative message, and I think I can explain the "harvestbug" and "harvestbounces" addresses. As mentioned before, there was a security bug with the SpamCop system that was only recently reported and fixed. But, when the breach was made public, people were able to enter random URLs on the SpamCop site, each time displaying the actual email address of a SC user.

This could be used to "harvest" the addresses, so that's probably why the name "harvestbug" was used on these notifications, and "harvestbounces" is a secondary address to catch bounces.

DT

[Lou]

Does the user need to change or create a password?

The email seems to raise more quesitons that it answers.

Yes. Concerns are present, but the silence is deafening!

If you have any questions, comments or concerns you may reply to this email to reach a SpamCop representative.

I think I'll try that, and see if spams to my registered email address increase. At worst, it will validate my address to a spammer, and cause me to trash that address. :angry:

[Ellen]

I just received this email purporting to be from SpamCop.  If it's real,

15149[/snapback]

yes it is real -- there was a security breach and a small number of email addresses *escaped*.

[Ellen]

If it's a legit mail, how is it helpful? I don't know how they could track which addresses had been compromised, so that makes me a little suspicious, but overall it just seems like either a) a badly worded support email or 2) a lame attempt at spooking you into discontinuing your work at SpamCop.

I wouldn't sweat it too much. If it's a spoof, they failed. If it's legit, someone will be along shortly to explain more.

15150[/snapback]

It is real and we have logs and thusly could determine who to send the emails to. Some email addresses were revealed, a small number. No other information was revealed.

[Ellen]

Yes.  Concerns are present, but the silence is deafening! 

If you have any questions, comments or concerns you may reply to this email to reach a SpamCop representative.

I think I'll try that, and see if spams to my registered email address increase.  At worst, it will validate my address to a spammer, and cause me to trash that address.  :angry:

15158[/snapback]

Well I am sorry for the *defeaning silence* -- as far as I can tell the emails were sent out around 8:15 or so EDT and I had incautiously gone out to dinner and so I am slightly behind the curve on responding :-)

[Lou]

Ellen -

Thank you for your response. I did not intend my post to be a slight against you personally. However you must realize that such a significant breach of security is bound to raise concerns among members. Hopefully you noted that some of the initial queries here were unsure if the emails were real or spoofs, and the absence of a "trusted" / official note here raised even more concerns.

Yes, the emails were sent by the "real" spamcop organization. However, the critical question remains:

What, if anything, should affected members do as a result of our supposedly secure email addresses being compromised?

[kylesk]

However you must realize that such a significant breach of security is bound to raise concerns among members.

[snip]

What, if anything, should affected members do as a result of our supposedly secure email addresses being compromised?

15162[/snapback]

I agree there's a flawed model here. I suppose the good news is that this kind of thing doesn't happen enough to allow for the "practice makes perfect" improvements. YET -- I too would have preferred an URL or some other manner of notification, such as a news page -- that Spamcop updates seconds before sending off such an e-mail as corroboration. My initial response was that this notice was legitimate -- but, like the others, grew skeptical before "replying to ask questions" as the e-mail suggests. I presume that my "Held Mail" will truly overflow now? Yikes. I anxiously await what we should do now...

Kyle

[eric]

It does seem as though the worst to expect might be spammers sending email to, and forging sender addresses using, the SpamCop addresses which were harvested. According to Ellen in private email, only email addresses were revealed, no other information (passwords, secret submit address code, etc.). Only the most clueless spammers (and spammers are truly clueless) would send spam to a SpamCop email address. And it's not as though getting bombarded with errant bouncy-grams due to forged sender addresses is anything new.

Hey, maybe this is a conspiracy by the SAN storage companies to sell SC and Ironport more disk space! We'll need it for our Held Mail

[TheMadCow]

Nice to know that I'm part of "small percentage" that had their accounts compromised. This must be what it feels like to be a Microsoft user. Can't say that I like it. This is now fixed and won't happen again, yes?

Regards,

Geoff Miller

[Wazoo]

OK, dropping my hardware issues for a bit, playing a bit of catch-up and consolidation of data found here and there .....

Security breach was the now famous BugTraq entry, dealing with the password change mechanism. Yes, the mechanism was changed, but in the few hours between the published issue and the fix, there appear to have been a number of folks that were busy "trying" the exploit. So, the data "seen" pretty much appears to basically boil down to the "Welcome yourname[at]someaddress.txt" string. So worst case, some addresses may have been harvested, but that seems like a pretty useless exercise. More likely is that all these exploit attempts were just folks checking to see if it was actually true. What hasn't been seen is a rash of complaints from folks that did in fact have their passwords changed by someone else.

From data offered, it would appear that some log files have been analyzed and the range of "secret code / addresses" were sent this letter (and that includes myself) I will agree that the content, spelling, lack of some specifics did set me off seeing it also, but couldn't argue with the headers. If I had to guess, I'd say that Julian wrote it himself, and ran it through some process to reach all the 'exposed' folks, which is probably nore where his focus was placed. (again, just an opinion)

[clytie]

I'm still confused, sorry.

Is this right?

1. It is a genuine email from Spamcop, however vague and badly-spelt.

2. The people who received it did have their addresses compromised in some way.

3. This was an attempt by Spamcop to explain/communicate/apologize? It's not really very definite information of any kind, AFAI can see, that's one reason why I still feel confused about this.

4. We don't know what the next step is.

I am sure the vast majority of users here, and possibly of the global population, are less confused about this than I am: can somebody please clear this up in plain, definite language (and may I suggest, put it somewhere prominent and obvious)?

Thanks for replies, I can see you are trying to help, there's just too much cotton wool somewhere in between, quite possibly between my ears.

from Clytie

[Wazoo]

What is it in my last that seems to leave you confused?

[Ellen]

Ellen -

Yes, the emails were sent by the "real" spamcop organization.  However, the critical question remains:

What, if anything, should affected members do as a result of our supposedly secure email addresses being compromised?

15162[/snapback]

I don't think anyone should do anything as there seems to be nothing happening with the use of the email addresses. I have one of the compromised email addresses and nothing is happening with it. It happens to be an email address that has not been used for at least 2 years -- longer actually -- and nothing interesting is happening. It used to get an extremely low level of spam and still does and I can see no changes as a result of the exploit -- other then the fact that I had totally forgotten I even owned that address and when I looked at it I found some mail from 2002 that I had never answered :-) and a low level of spam dating back to 2002, 2003 ...

Compare that to a domain that I own that is not easily associated with me and never was used for any registered SC account. That domain started being dictionary attacked about 3 or 4 months ago and is now getting well over 6000 spams a day ... the domain has no website and hasn't had one for over 2 years, never had anything about SC on it ...

So I think that there is no reason to take any action now. Obviously I can't foretell the future but I think the odds are that nothing interesting will result from this.

[Ellen]

Nice to know that I'm part of "small percentage" that had their accounts compromised. This must be what it feels like to be a Microsoft user. Can't say that I like it. This is now fixed and won't happen again, yes?

Regards,

Geoff Miller

15170[/snapback]

The site has been carefully examined and we don't see that this can happen again. Obviously we take this extremely seriously. Can I guarantee that there will never ever be any problem in the future? No I can't guarantee that but I can tell you that there has been and continues to be close scrutiny of the system. The exploit was due to a url that showed the email address associated with a user ID -- nothing else. Not the password or any other information. It was *not* a break-in to the user database records.

[chazlin]

I received the same message... No mention of it on SpamCop site that I can find. Seems like a spoof, or a big problem for SpamCop. I would very much like to know which.

<Wazoo snipped entire quote of a previous posting with no additional content or purpose indocated>

[Wazoo]

I'm really trying to understand the problem here. Yes, some guy found an exploit of the "change your password" routine. This guy alleges that he contacted SpamCop, but lists addresses that would have only generated bounces, advising the use of other addresses to actually make contact .. this he did not do. Somewhere down the line, this guy posted the issue to BugTraq, which is when "Everybody" got the word. Julian "fixed" the issue within hours. However, between the time of the data going public and the fix, there were folks around the world "checking" the data to see if it was true.

As stated before, info gained was the e-mail address included in the "Welcome to SpamCop" nessage you'll see when you login into a spamcop.net page. The lack of an outcry from folks that had additional e-mail advising them that their password had been changed suggests that in all this "checking" .. there wasn't any real "action" taken by these "investigators" ....

Again, my best guess, Julian whacked on the code, got that issue resolved. Took a look at the logs and tried to come up with a sort of mail-merge listing of accounts that had been "visited" ... whipped up an e-mail to notify these folks, generated a "new" e-mail address to filter any responses directly into "that" Inbox, and then pressed the big "DO-IT" button ....

This has been addressed both here and in the newsgroups. Actually, getting a bit tired of repeating the information. Yes, it happened. Yes, even my address was allegedly in the mix of "exposed" addresses. Am I going nuts over this event? Not at all. Spammers already have and use many of my e-mail addresses. There has been no sudden and dramatic increase in my received spew. My password was not changed. My "preferences" were not touched. Bottom line, someone new might have taken the time to copy down a single e-mail address that's associated with me. As this particular address is already on a number of those make-a-million-$ CDs, I don't see this as much of an issue. End of story.

[DavidT]

I received the same message... No mention of it on SpamCop site that I can find. Seems like a spoof, or a big problem for SpamCop. I would very much like to know which.

It really was a message from the SpamCop administration, but it wasn't very well crafted, and yes, there was indeed a problem that has since been resolved...that's why they sent out those notices.

dt

[Wazoo]

and this posting just made by Julian himself over in the newsgroups;

On Sat, 14 Aug 2004 00:37:44 +0000, JohnL wrote:

> And how many people got the below?

> Where di MY address go to? What other info was disclosed?

There were about 15,000 accounts (out of some 4M) affected. I just sent a

reply to anyone who responded - copy below - which goes into some more

detail on the FAQs.

-=Julian=-

Hello again SpamCop user,

Thank you for your followup to our "SpamCop security breach" email. We

have received many requests for more information - too many to be handled

personally. I will try to address the most common questions in this email.

If your questions are still not answered, please reply again and I will do

my best to help. Please do not reply unless you really need help.

Some information here should have been included in the original email,

some was deemed too technical or confusing. The question which was

asked most often was about what information was stolen. We should have

emphasized that point: only your email address was revealed. No other

information was compromised.

-=Julian=-

Q: Was this email legitimate?

A: Unfortunately yes, SpamCop's security was breached.

Q: What information was taken?

A: Your email address only. No other information was revealed. If your

address is already "out there" in the public sphere, this will

probably not change anything and you have nothing much to worry about.

We did feel it was important to notify you of this, even though it may

not be a "big deal" for many users.

Q: Who was the address revealed to?

A: We really don't know, several IP addresses exploited the vulnerability,

but we can't know their intentions or who was controlling them - we

assume the attacking systems were being used without the owners

permission, as is common practice for spammers. Here is a list of the

main culprits: 69.93.63.178, 67.15.78.60, 221.143.42.169, 24.1.15.13,

83.108.55.36, 66.43.100.142.

Q: What will my email address be used for?

A: We can't know the intentions of the attackers. A few possibilities

have been suggested:

1) To remove you from spam lists, so as to avoid being reported.

2) To "take revenge" for reporting spam by using your address for the

return-address on spam, or simply by sending you huge amounts of

mail (mail bombing).

So far, we have seen no reports indicating how or if the addresses will

be used, but many of them are controlled by us, so we should be able to

keep track of the situation and will do what we can to mitigate the

problems (for example by using many of the compromised accounts as spam

traps.)

[ since I wrote that, one user has said he is getting many bounces, so the

return-path revenge theory is looking likely ]

Q: Which one of my email addresses was revealed?

A: The original email sent to you about the issue (not this email) was sent

to the email address which was revealed.

Q: What was the bug? How was it used?

A: Here is the original bugtraq posting about it:

http://www.securityfocus.com/archive/1/371...07/2004-08-13/0

Q: The person who found the bug claims he gave you plenty of notice. Why

didn't you act sooner?

A: Henning Schmeidehausen found the problem and tried to notify us, but

was not successful in contacting us - his email was sent to default

postmaster/abuse/info accounts, but these addresses are not monitored.

He should have received an auto-response notifying him that his mail

was not received and listing alternate methods for contacting us.

Apparently he did not see this email, or he ignored it. He did not

attempt to contact us in any other way (by calling us for instance).

In short, his original notice was not received and so nobody here was

aware of the problem until it was publicized widely on bugtraq. Once

we were finally made aware of the problem, we put a temporary fix in

place within a couple of hours.

Q: What are you doing about this?

A: First of all, we fixed the problem which led to the breach. We will also

carefully monitor those addresses which were taken that we own.

Depending on how they are used, we may respond appropriately. Our

response may include legal action against those responsible or

technical defenses. We do not want to reveal too much publicly about

what we are going to do, but suffice it to say we will continue to

monitor and pursue this.

[dbiel]

It really was a message from the SpamCop administration, but it wasn't very well crafted, and yes, there was indeed a problem that has since been resolved...that's why they sent out those notices

And what does an user who received this email message need to do: the Answer is NOTHING.

The only possible thing that a user could do would be to change their email address, and at this time, there does not appear to be any reason to do so.

The only possible side effect of the problem (and it has NOT seemed to have happened) is an increase is spam recieved.

It would have been nice if this information had been included in the email, but it was not and we can not change history.

If you still do not understand, reread the entire thread starting with the LAST one first, and then from the first to the last. There just does not seem like there is any more that can be said.

Thanks to all.

MAY THIS REST IN PEACE!!!!

[clytie]

Thankyou to the Spamcops who have made all this specific information available. It has really helped me to understand what has happened. I'm sure you've taken onboard the parts about this that didn't originally work, and will improve things accordingly, as we all do, with different problems, day by day.

If anyone is blaming you for the exploit, that's silly and not useful. I'm sure you did the best you could at the time. All I think most people have been saying, including me, is "I don't really understand what's going on: wouldn't the normal process have been to post information somehow on Spamcop where any user wouid trip over it?"

The blame for our confusion and suspicion over the email rests squarely with the spammers who misuse advisory emails. Without such experiences, we would have been able to accept the email, and reply without perceived risk.

If you ever want an email or other piece of text proofread for function (the intended effect on the audience), I'm happy to volunteer. Words, I know.

Thanks again for your efforts.

from Clytie