<<< Date Index >>>     <<< Thread Index >>>

spamcop.net allows everyone to grab mail addresses and reset passwords



Hi,

spamcop.net is service for tracking Spammers. It offers free and paid
subscription services and ISP people responsible for various mail
domains can register with spamcop to be informed when spam is
originating from a local mail address.

The spamcop.net service offers an account management page on their
web site where you can reset the password. This page is reached via

http://www.spamcop.net/w3m?action=ispaccountform&ispid=<xxx>

where <xxx> is a random number between 1 and roughly 1.6 million. This
number determines which account is selected. After doing so, everyone
can reset the password and the account mail address is displayed.

Impact: 1) Everyone can reset any spamcop password for a subscribed
        user. While the user gets his new password mailed, these mails
        might be simply ignored (especially in these phishing days
        where everyone gets a zillion passwords mailed each day.

        This allows a large DoS against spamcop and its user base.

        2) By writing a simple loop, a spammer can pull all the
        registered (and probably read) mail addresses from spamcop.net,
        turning spamcop into a large "valid addresses for free" site.

Spamcop.net has been informed (info@xxxxxxxxxxx, abuse@xxxxxxxxxxx,
postmaster@xxxxxxxxxxxx) on Jul 27th. No reaction yet. 

        Regards
                Henning


-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen          INTERMETA GmbH
hps@xxxxxxxxxxxx        +49 9131 50 654 0   http://www.intermeta.de/
 
RedHat Certified Engineer -- Jakarta Turbine Development  -- hero for hire
   Linux, Java, perl, Solaris -- Consulting, Training, Development

"Fighting for one's political stand is an honorable action, but re-
 fusing to acknowledge that there might be weaknesses in one's
 position - in order to identify them so that they can be remedied -
 is a large enough problem with the Open Source movement that it
 deserves to be on this list of the top five problems."
                       --Michelle Levesque, "Fundamental Issues with
                                    Open Source Software Development"