COMMAND

    SpamCop

SYSTEMS AFFECTED

    SpamCop

PROBLEM

    David  F.  Skoll  found  following.   SpamCop  has a service which
    operates as follows:

        1) You get an account (joeuser@spamcop.net)
        2) If  someone (spammer@baddomain.com)  sends you  e-mail, and
           the sender's e-mail address is not in your "known" profile,
           the e-mail  is held  on the  SpamCop system,  and a message
           sent to the originator.  This message contains a URL  which
           the originator must access.  Accessing this URL verifies to
           SpamCop that the sender address is a valid e-mail  address.
           SpamCop then "releases"  the mail and  marks the sender  as
           "known" to joeuser@spamcop.net

    Unfortunately,  the  URL  generated  in  step (2) contains a fixed
    prefix followed  by an  incrementing sequence  number.   A spammer
    therefore  needs  to  send  one  innocuous  e-mail (to a friend at
    spamcop.net?)  from  a  real  e-mail  address  to  get the initial
    sequence number.  He then spams everyone at spamcop.net while  his
    shell script  calls "lynx"  with repeatedly-incrementing  sequence
    numbers.

SOLUTION

    Spamcop  now  uses  an  MD5  hash  of  a  secret combined with the
    sequence number  (emailid) to  create a  unique, cryptographically
    challenging CRC  which must  be supplied  in conjunction  with the
    original ID number.

    Old "release URL":

        http://spamcop.net/release?i=4545096

    New "release URL":

        http://spamcop.net/release?i=zf14f97b165461b0128332e50556a24bez4545096

    This system  is still  not as  secure as  it would  seem at first,
    since  the  secret  used  in  the  hash  is always the same.  This
    provides a wider base for a brute-force attack.