Hi, spamcop.net is service for tracking Spammers. It offers free and paid subscription services and ISP people responsible for various mail domains can register with spamcop to be informed when spam is originating from a local mail address. The spamcop.net service offers an account management page on their web site where you can reset the password. This page is reached via http://www.spamcop.net/w3m?action=ispaccountform&ispid=<xxx> where <xxx> is a random number between 1 and roughly 1.6 million. This number determines which account is selected. After doing so, everyone can reset the password and the account mail address is displayed. Impact: 1) Everyone can reset any spamcop password for a subscribed user. While the user gets his new password mailed, these mails might be simply ignored (especially in these phishing days where everyone gets a zillion passwords mailed each day. This allows a large DoS against spamcop and its user base. 2) By writing a simple loop, a spammer can pull all the registered (and probably read) mail addresses from spamcop.net, turning spamcop into a large "valid addresses for free" site. Spamcop.net has been informed (info@xxxxxxxxxxx, abuse@xxxxxxxxxxx, postmaster@xxxxxxxxxxxx) on Jul 27th. No reaction yet. Regards Henning -- Dipl.-Inf. (Univ.) Henning P. Schmiedehausen INTERMETA GmbH hps@xxxxxxxxxxxx +49 9131 50 654 0 http://www.intermeta.de/ RedHat Certified Engineer -- Jakarta Turbine Development -- hero for hire Linux, Java, perl, Solaris -- Consulting, Training, Development "Fighting for one's political stand is an honorable action, but re- fusing to acknowledge that there might be weaknesses in one's position - in order to identify them so that they can be remedied - is a large enough problem with the Open Source movement that it deserves to be on this list of the top five problems." --Michelle Levesque, "Fundamental Issues with Open Source Software Development"
