Jump to content

[Resolved] Privacy problem when sending using SC webmail


Recommended Posts

I just encountered what I consider to be a major flaw/problem with the webmail system. Those of you with SC email accounts are probably aware that you can define multiple "identities" in your Options and can then send mail "From" any of those alternate identities using the webmail system. For those of us who don't give out our actual SpamCop addresses, we can still send from the webmail system, but have it look as if it's coming from one of our other third-party email addresses. It didn't occur to me, however, that our actual SC addresses are being put in the outgoing email headers on those messages....they are.

Our true addresses are being embedded in the first "Received" line, as follows:

Received: from name.of.connection.to.web.server

(name.of.connection.to.web.server [IP# of connection]) by

webmail.spamcop.net (Horde) with HTTP for

<mytrueaddress[at]spamcop.net[at]cesmail.net>; Sat, 03 Mar 2007 15:01:59 -0700

(I've put the munged variables in green, for clarity, and the "spamcop.net" can be either that or "cesmail.net" or "cqmail.net" depending upon which SC email domain hosts your address. Also the forum software substituted "[at]" for the "[at]" before cesmail.net)

Even though the address is somewhat mangled in that there's an additional "[at]cesmail.net" appended, it's still going out in headers and I don't think that's good or necessary. The potential problem is that our address is being revealed without our consent or control and is then subject to the potential problems found on all of the other machines/networks that receive the messages we send (botnets, harvesting/spamming worms, etc.).

No wonder I now receive spams directly at my spamcop.net address! I thought it was due to some other security breech, but it's probably due to the messages I've sent out using webmail. I haven't found mention of this anywhere else yet, so if anyone can find such mention, I'd be interested. I don't think this should be happening. I think that we need to ask JT to alter the mail server so that it doesn't add our actual addresses to the Received headers.

DT

Link to comment
Share on other sites

My SC Email address is out in the world already but it could be a problem for others I guess.

I've always equated putting my SC address "out there" to be a bit like *daring* people to spam me. I've chosen to keep it private, but SpamCop's webmail system has taken that away from me, and I'm pretty frustrated. I think I might cross-post this over in the "mail" Usenet group and see if anyone cares....I hear mostly crickets chirping around here (except for you, Andrew). :blink:

DT

Link to comment
Share on other sites

Some time in the past, maybe a couple of times, I checked to see if the 'real' address was revealed in headers when sending as a different account via the web mail. And I thought it did not. So either something has changed or I did check throughly. But I always use 'find' to check for such strings, so I don't think its something I would have missed.

Anyway I'd been treating mail sent from the web mail as bullet proof re my real address, so I appreciate the heads up that it's not. :(

Just now I checked to see if the same thing happens when sending via the SC SMTP server, and it does not. So I'll certainly stick with that.

Link to comment
Share on other sites

  • 1 year later...

I'd like to bring this back into discussion.... I've found that 90% of my spam is going to my cesmail account and since I don't ever send from that account, I can only assume that it's being harvested off reports that I queue and report from the reporting site (rather than 'report as spam' from email). ...

Not to be picky but address harvesting from spamcop reports was not the topic of this discussion.

[edit That post has been moved, pointer (in quote) has updated to new topic]

The topic refers to sending regular email from spamcop webmail. When selecting a alternate account as the 'sending' address, the user's spamcop address would be revealed in the message headers. See OP.

FYI, I just did a quick test and it appears this is no longer the case. :)

Can anyone confirm? DavidT?

Link to comment
Share on other sites

Not to be picky but address harvesting from spamcop reports was not the topic of this discussion.

It sure wasn't....talk about hijacking a thread....hey, Wazoo...please see if you can split off those recent off-topic posts into some other thread having to do with the new topic that crept in here.

[edit - those posts moved to http://forum.spamcop.net/forums/index.php?showtopic=9333]

The topic refers to sending regular email from spamcop webmail. When selecting a alternate account as the 'sending' address, the user's spamcop address would be revealed in the message headers.

Yes, that was it, exactly.

FYI, I just did a quick test and it appears this is no longer the case. :)

Can anyone confirm? DavidT?

Sure can...it's been fixed...case closed. :-)

DT

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...