[SpamCop.net - protecting the internet through technology]

[SC-Help] Re: SpamCop leaking addresses

Mike Easter MikeE at ster.invalid
Sat Feb 19 11:26:17 EST 2005


Phil Calvert wrote:
> I noticed that SpamCop sometimes doesn't obscure email addresses even
> though it is configured to do so.  Below is a tracking link for a
> spam analysis which shows this behavior.  Even though the email
> addresses have already been compromised (they're already on spammers'
> lists), I munged the domain information before parsing the email.
>
www.spamcop.net/sc?id=z734341326z5c732e4b3425ccaa5a5a79d3ffd7fa71z

There is a concept here which is worth considering.  I don't have the
answers to all of the questions which can be spun off from the concept,
but the concept is important to keep in mind.  The subject is mungeing
by a notifier to an abuse desk.

 - no mungeing manually emailed from the spammed address
 - spamcop notification with no SC mungeing
 - SC notification with standard SC mungeing
 - SC notify with minor additional pre-parse mungeing
 - SC notify with major additional pre-parse mungeing, i.e. 'ubermungeing'
 - mole reporting

The problem is in distinguishing between classes 4 & 5 and also with the
fact that unique identification can be contained 'invisibly' and not
successfully munged with the most intense ubermungeing.  The problem is
also what is permissible and what is not.  Somewhere about the level of
4 to 5 is where the permissibility ends and the reporter should shift to
mole reporting.

A clever spammer who wants to identify the recipient of a reported spam
will 'expose' some obvious identification and conceal the secret
identification.

Header mungeing up there in the Received tracelines from and by fields
is pretty much ubermungeing.

-- 
Mike Easter
kibitzer, not SC admin
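
Added example, not part of the original post and not SpamCop's code: a reporter-side check that munges the visible address and then looks for encoded copies of the same address that survive, the "invisible" identification the message describes. The function names, the simplified `munge` step and the sample message are assumptions constructed for illustration.

```python
import base64, codecs, hashlib, re

def encodings(addr):
    """Derived forms of the reporter's own address that a sender could embed."""
    raw = addr.lower().encode()
    forms = {}
    for label, data in (("address", raw), ("local-part", raw.split(b"@")[0])):
        forms[f"base64({label})"] = base64.b64encode(data).decode().rstrip("=")
        forms[f"hex({label})"] = data.hex()
        forms[f"rot13({label})"] = codecs.encode(data.decode(), "rot13")
    forms["md5(address)"] = hashlib.md5(raw).hexdigest()
    return forms

def munge(message, addr):
    """Simplified stand-in for visible-address munging (an assumption)."""
    return re.sub(re.escape(addr), "x", message, flags=re.IGNORECASE)

def residual_identifiers(message, addr):
    """Return (form, line number) pairs still identifying addr after munging."""
    forms = encodings(addr)
    hits = []
    for n, line in enumerate(munge(message, addr).splitlines(), 1):
        for label, form in forms.items():
            # base64 is case-sensitive; the other forms are compared lowercased
            hay = line if label.startswith("base64") else line.lower()
            if form in hay:
                hits.append((label, n))
    return hits

# Constructed sample message: the To: header is the obvious identifier,
# the Message-ID and the URL parameter carry concealed copies.
SAMPLE = "\n".join([
    "Received: from mail.example.net by mx.example.org for <user@example.org>",
    "Message-ID: <20050219.75736572.1@mail.example.net>",
    "To: user@example.org",
    "Subject: Offer",
    "",
    "http://shop.example.net/u?k=dXNlckBleGFtcGxlLm9yZw",
])

if __name__ == "__main__":
    for label, line_no in residual_identifiers(SAMPLE, "user@example.org"):
        print(f"line {line_no}: {label} survives munging")
    # Limitation: a random token that only the sender's database maps to
    # the recipient matches none of these forms and is not detected.
```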


