DavidT Posted March 3, 2007 Share Posted March 3, 2007 I just encountered what I consider to be a major flaw/problem with the webmail system. Those of you with SC email accounts are probably aware that you can define multiple "identities" in your Options and can then send mail "From" any of those alternate identities using the webmail system. For those of us who don't give out our actual SpamCop addresses, we can still send from the webmail system, but have it look as if it's coming from one of our other third-party email addresses. It didn't occur to me, however, that our actual SC addresses are being put in the outgoing email headers on those messages....they are. Our true addresses are being embedded in the first "Received" line, as follows: Received: from name.of.connection.to.web.server (name.of.connection.to.web.server [IP# of connection]) by webmail.spamcop.net (Horde) with HTTP for <mytrueaddress[at]spamcop.net[at]cesmail.net>; Sat, 03 Mar 2007 15:01:59 -0700 (I've put the munged variables in green, for clarity, and the "spamcop.net" can be either that or "cesmail.net" or "cqmail.net" depending upon which SC email domain hosts your address. Also the forum software substituted "[at]" for the "[at]" before cesmail.net) Even though the address is somewhat mangled in that there's an additional "[at]cesmail.net" appended, it's still going out in headers and I don't think that's good or necessary. The potential problem is that our address is being revealed without our consent or control and is then subject to the potential problems found on all of the other machines/networks that receive the messages we send (botnets, harvesting/spamming worms, etc.). No wonder I now receive spams directly at my spamcop.net address! I thought it was due to some other security breech, but it's probably due to the messages I've sent out using webmail. I haven't found mention of this anywhere else yet, so if anyone can find such mention, I'd be interested. I don't think this should be happening. I think that we need to ask JT to alter the mail server so that it doesn't add our actual addresses to the Received headers. DT Link to comment Share on other sites More sharing options...
agsteele Posted March 4, 2007 Share Posted March 4, 2007 Thanks for the heads up DT. As it happens the issue doesn't trouble me. My SC Email address is out in the world already but it could be a problem for others I guess. Andrew Link to comment Share on other sites More sharing options...
DavidT Posted March 4, 2007 Author Share Posted March 4, 2007 My SC Email address is out in the world already but it could be a problem for others I guess. I've always equated putting my SC address "out there" to be a bit like *daring* people to spam me. I've chosen to keep it private, but SpamCop's webmail system has taken that away from me, and I'm pretty frustrated. I think I might cross-post this over in the "mail" Usenet group and see if anyone cares....I hear mostly crickets chirping around here (except for you, Andrew). DT Link to comment Share on other sites More sharing options...
silentlarry Posted March 5, 2007 Share Posted March 5, 2007 Some time in the past, maybe a couple of times, I checked to see if the 'real' address was revealed in headers when sending as a different account via the web mail. And I thought it did not. So either something has changed or I did check throughly. But I always use 'find' to check for such strings, so I don't think its something I would have missed. Anyway I'd been treating mail sent from the web mail as bullet proof re my real address, so I appreciate the heads up that it's not. Just now I checked to see if the same thing happens when sending via the SC SMTP server, and it does not. So I'll certainly stick with that. Link to comment Share on other sites More sharing options...
silentlarry Posted April 10, 2008 Share Posted April 10, 2008 I'd like to bring this back into discussion.... I've found that 90% of my spam is going to my cesmail account and since I don't ever send from that account, I can only assume that it's being harvested off reports that I queue and report from the reporting site (rather than 'report as spam' from email). ... Not to be picky but address harvesting from spamcop reports was not the topic of this discussion. [edit That post has been moved, pointer (in quote) has updated to new topic] The topic refers to sending regular email from spamcop webmail. When selecting a alternate account as the 'sending' address, the user's spamcop address would be revealed in the message headers. See OP. FYI, I just did a quick test and it appears this is no longer the case. Can anyone confirm? DavidT? Link to comment Share on other sites More sharing options...
DavidT Posted April 11, 2008 Author Share Posted April 11, 2008 Not to be picky but address harvesting from spamcop reports was not the topic of this discussion. It sure wasn't....talk about hijacking a thread....hey, Wazoo...please see if you can split off those recent off-topic posts into some other thread having to do with the new topic that crept in here. [edit - those posts moved to http://forum.spamcop.net/forums/index.php?showtopic=9333] The topic refers to sending regular email from spamcop webmail. When selecting a alternate account as the 'sending' address, the user's spamcop address would be revealed in the message headers. Yes, that was it, exactly. FYI, I just did a quick test and it appears this is no longer the case. Can anyone confirm? DavidT? Sure can...it's been fixed...case closed. :-) DT Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.