
Spamcop giving out my email address?


paul.hunt


I used to forward all my email, after filtering by Spamcop, to an email address that I only POP'd and used nowhere else. Ever. For any reason. Now I find that I am receiving spam addressed to that address. There are only two ways anyone could know that address. Either someone hacked my hosting service, or they got it from Spamcop. Was it perhaps not obfuscated in a report? This does not make me feel secure. :(

Paul

www.CustomSupport.com


and you would have other users reply to this exactly how?

I have no idea. So you would have me just ignore it?

And yet, even starting this 'new' Topic / Query when such a recent one exists on the same page view?

You are absolutely right. I read through the topics on that page and I have no idea how I missed that. :blush:

Paul Hunt

www.CustomSupport.com


If the address is not a random series of letters and numbers, it is also quite possible that a dictionary attack was used.

I thought of that. But I receive all improperly addressed email sent to this domain and this was the only one not to a valid account within the past week or so. A dictionary attack would have produced many such emails.

Paul Hunt

www.CustomSupport.com


... this was the only one not to a valid account within the past week or so. A dictionary attack would have produced many such emails...
So Paul, I guess you don't see anything in the previous discussions which might explain it either? Addresses in received spam can be tucked away in all sorts of places where they won't be munged (including forgeries of the "from-type" addresses in the headers - From:, Reply to:, etc.) or coded in body or header - for the spammer's "confirmation" purposes (those few that bother) - but he has to know it first. Unless you gave out unmunged reports at any stage it is hard to see how the SC reporting process could be involved in revealing that forwarding address. Have you ever seen/responded to a "refuses munged reports" notice? There was a nasty surprise in the default handling of these cases - Munging "User Notification" Reports, Starting Soon
If the ISP abuse address didn't accept munged reports, SpamCop would send the "User Notification" report un-munged without telling the user about it.
but, as that topic says, that was (apparently) fixed over a year ago.

Was it perhaps not obfuscated in a report? This does not make me feel secure.

What you are saying is that the spam came to other addresses, were forwarded to your spamcop account, filtered, and then pop'd by you to this email address from which you sent spamcop reports and never used this address for anything else? Is that why you call it a 'non-valid' email address? (assumption from your statement that all the other emails were to valid accounts)

I am not technically fluent, but what I think you are saying is that this email address would only appear in the headers when you pop the email from spamcop which spamcop should mung.

Are you running your mail server? If not, then perhaps whoever is running the mail server is combatting dictionary attacks and let this one through because it recognizes it from your spamcop mail in and out.

IME, spamcop will miss munging email addresses unless they are very typical uses. Again, if you aren't running your mail server, do you know if the server is adding something that spamcop would not think is typical?

Unless the email address is really unique, a spammer could guess it. Spammers do sometimes 'respond' to reports with 'spam'. Is it continuing? Are the spam similar in content or in manner of being sent? The 419 spammers take more time - for all I know, they send one variation and see if it works instead of typical dictionary attacks.

Reporting spam is never secure. Too many things can go wrong.

Miss Betsy


I have no idea. So you would have me just ignore it?

Rather, my snipe was based on the fact that you were asking a question without any supporting data. And as noted, this specific issue comes up over and over and over .... No, I'm not a spammer, so I have no idea on the thought processes involved. Viruses, trojans, sniffing, random generating utilities, on and on ... the ways to 'come up' with an address are simply legion these days. But none of that really counts for much, as the background of your query could just as well have been that you were complaining about your e-mail address of jon[at]example.com, with you 'calculating' that no one in the world would have come up with using 'jon' for their address ....

Sure, I'm being a bit trite, but the point remains, there was nothing to really work with in your initial post, other than the concept of making a big sigh, and starting to type in all that ancient, previously and repeatedly posted over and over in these Forums .. just flat not in the mood ....


What you are saying is that the spam came to other addresses, were forwarded to your spamcop account, filtered, and then pop'd by you to this email address from which you sent spamcop reports and never used this address for anything else?

Correct.

Is that why you call it a 'non-valid' email address? (assumption from your statement that all the other emails were to valid accounts)

Sort of. This particular address WAS valid, but only in the context of my using it for Spamcop forwarding. I also have any email that is sent to a non-existent account at my domain forwarded to me. That's what I call a 'non-valid' email address.

I am not technically fluent, but what I think you are saying is that this email address would only appear in the headers when you pop the email from spamcop which spamcop should mung.

That email address would have only appeared in an email which SpamCop forwarded to me.

Are you running your mail server? If not, then perhaps whoever is running the mail server is combatting dictionary attacks and let this one through because it recognizes it from your spamcop mail in and out.

I am not. But other weird addresses get through, perhaps a few a week, not in any quantity which would indicate a dictionary attack. I don't think my host is running such a filter.

Unless the email address is really unique, a spammer could guess it.

Not unique. But not something I've ever seen before either. Since I don't use it anymore I don't mind mentioning it. It is clean [at] customsupport.com. Possible to guess? Sure. Likely? No.

Paul Hunt

www.CustomSupport.com


Rather, my snipe was based on the fact that you were asking a question without any supporting data.

I know. Sometimes I'm conflicted over whether to just start a thread or write a book. I suppose I err in both directions from time-to-time.

And as noted, this specific issue comes up over and over and over

Yeah. I got that. And I have no clue how I missed that so-recent post. Sorry.

To take this one step further...

I HAVE sent un-munged reports, though not frequently, and then only to someone like Earthlink who I would hope I could trust. Perhaps that is a mistake. So those reports could be a source.

But here's an interesting question. Would those reports include information that SpamCop added, such as an email address that it forwarded the original to? I wouldn't think it should as only the original headers would be of importance to the originating ISP. Or is that impossible to parse by the time I receive the forward?

Paul Hunt

www.CustomSupport.com


Since you are not running your mail server, the next line of questions need to be directed at your mail server admin. Unless you can verify that the server admin does not filter spam, dictionary attacks cannot be ruled out. The fact that you have your catchall activated and haven't had to turn it off because of spam might mean that your email is being filtered for obvious spam before you get it.

And since it was a simple, short word, there is every possibility that it was part of a spammer guessing it. The only evidence you have is that there was not a deluge of non-valid addresses at the same time. I think it might make a difference if it were a 419 scam also since they will send individual email and attempt more complicated methods to find addresses than the run of the mill spam.

Another thing to see if it were deliberate and related to your spam reporting is whether they have continued? IF this email address continues to get spam - particularly of different kinds, then it is more suspicious that it was picked up than it was a random choice, I think.

All the headers are there and are in the report. Spamcop cannot allow the altering of headers for any reason because as soon as that is allowed, someone can claim that they are being targeted by someone altering headers deliberately. The only exception is the actual email address of the reporter.

Miss Betsy


But here's an interesting question. Would those reports include information that SpamCop added, such as an email address that it forwarded the original to? I wouldn't think it should as only the original headers would be of importance to the originating ISP. Or is that impossible to parse by the time I receive the forward?

Spamcop is a tool. It includes the entire message you submit to it as the evidence. If you submitted a message that got through spamcop's filters to your clean address, it would include that forward as well.


Spamcop ... includes the entire message you submit to it as the evidence. If you submitted a message that got through spamcop's filters to your clean address, it would include that forward as well.

So reporting increases my exposure? :(

I have a number of accounts that forward to my main account. Plus I have seen spammers include my email address in the body of the spam. If I understand you correctly, none of this gets munged, so the spammers are very likely to see it. :(:( So are the spammers more likely to see me as a threat because I report or a target because I read their stuff?

Paul Hunt

www.CustomSupport.com


So reporting increases my exposure? :(...
Compared to deleting without opening/previewing? Yes.
... I have a number of accounts that forward to my main account. Plus I have seen spammers include my email address in the body of the spam. If I understand you correctly, none of this gets munged, so the spammers are very likely to see it. :(:( So are the spammers more likely to see me as a threat because I report or a target because I read their stuff?
I think you will find your complete forwarding chain is munged too Paul. There is a provision to preview reports before they are sent (if processing is via your "submit" address or the webform paste-in). Have you not checked a sampling of your various cases by previewing? It's a long time since I've done that but I seem to recall it was "as advertized", a preview of the actual report showing everything including whatever munging was in place.

There is a strong body of opinion which holds that it is ultimately pointless trying to avoid having your address as a SC reporter being known to the spammers (because there are so many ways to identify the reporter). A major factor in all of this is that most spam is mass-produced through botnets by "operators" who don't care whether you read or report their "offerings" or not. That's immaterial to their "business plan". The exceptions are probably reacting to reporters and the most likely reaction is to take your address(es) off their lists. The days of spammer "retribution" are fairly much thought to be over (volume/"productivity" has increased many orders of magnitude, there's just no time for them to get "personal" unless you really go out of your way to make it so).

Undeniably some organizations will happily sell your address on, once it is apparent you are "receptive". I don't think anyone could guess how much extra (address retailed) versus how much less (address removed) would be in the final result.

HTH

Link to comment
Share on other sites
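A local version of the preview check discussed above, as an added example that is not part of the original thread and is not SpamCop's code: it lists every header and decoded body part in which a given address is visible, so a reporter can see what an un-munged report would reveal. The function names, the constructed sample message, and the choice of base64 and hex as the "coded" forms to look for are assumptions made for illustration.

```python
import base64
import email
from email import policy

def forms_found(text, address):
    """Which encodings of `address` occur in `text` (whole-token encodings only)."""
    raw = address.encode()
    found = []
    if address.lower() in text.lower():
        found.append("plain")
    if base64.b64encode(raw).decode().rstrip("=") in text:
        found.append("base64")
    if raw.hex() in text.lower():
        found.append("hex")
    return found

def find_address_exposure(raw_message, address):
    """List (location, form) pairs where `address` is visible in a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for name, value in msg.items():          # every header, Received: included
        hits += [(f"header:{name}", f) for f in forms_found(str(value), address)]
    for part in msg.walk():                  # bodies, after transfer decoding
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        hits += [("body", f) for f in forms_found(text, address)]
    return hits

# Constructed sample: spam sent to user@example.com, then forwarded by a
# filtering service to the private address clean@example.org.
_token = base64.b64encode(b"user@example.com").decode().rstrip("=")
_body = base64.b64encode(b"To stop these messages confirm user@example.com\n").decode()
SAMPLE = (
    "Received: from filter.example.net by mx.example.org for <clean@example.org>\n"
    "Received: from unknown (192.0.2.10) by filter.example.net for <user@example.com>\n"
    'From: "Offers" <sender@example.invalid>\n'
    "To: user@example.com\n"
    "Subject: Hello\n"
    f"X-Token: {_token}\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    f"{_body}\n"
)

if __name__ == "__main__":
    for addr in ("clean@example.org", "user@example.com"):
        print(addr, find_address_exposure(SAMPLE, addr))
```

In the sample, the forwarding address shows up only in the `Received:` line added by the forwarding hop, while the original recipient address appears in four places, one of them encoded.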

So are the spammers more likely to see me as a threat because I report or a target because I read their stuff?

No, as a threat. There are too many reporters to do more than 'listwash'. ?? as a target - what's the rule about 'stupid'? or maybe just rude.

Miss Betsy


Archived

This topic is now archived and is closed to further replies.
