spamcop.net is a service for tracking spammers. It offers free and paid subscriptions, and ISP staff responsible for various mail domains can register with spamcop to be informed when spam originates from a local mail address.
The spamcop.net service offers an account management page on its web site where you can reset the password. This page is reached via
where <xxx> is a number between 1 and roughly 1.6 million. This number selects the account. Once the page is opened, anyone can reset the password, and the account's mail address is displayed.
Impact: 1) Anyone can reset the spamcop password of any subscribed user. Although the user gets the new password mailed, such mails may simply be ignored (especially in these phishing days, when everyone gets a zillion passwords mailed each day).
This allows a large-scale DoS against spamcop and its user base.
2) With a simple loop, a spammer can pull all the registered (and probably read) mail addresses from spamcop.net, turning spamcop into a large "valid addresses for free" site.
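For contrast, here is an added example (not spamcop's code) of a reset flow that avoids both problems above: the account is selected by an unguessable, short-lived, single-use token rather than a sequential number, and the responses never reveal the address on file. The in-memory ACCOUNTS store, TOKEN_TTL and the simulated mailing are assumptions for the demonstration.

```python
import hashlib
import secrets
import time

# Constructed in-memory account store (hypothetical; a real system keeps a
# slow password hash here, not the password itself).
ACCOUNTS = {
    1: {"email": "alice@example.org", "password": "old-secret"},
    2: {"email": "bob@example.org", "password": "old-secret"},
}
TOKEN_TTL = 15 * 60   # reset links expire after 15 minutes (assumed policy)
_pending = {}         # sha256(token) -> (account_id, expiry); never the raw token


def request_reset(email, now=None):
    """Issue a reset token for `email`; return (generic message, token).

    The token, not an account number, selects the account. It would only be
    mailed to the address on file (simulated here by returning it), and the
    message is identical whether or not the address is registered, so the
    endpoint cannot be looped over to harvest valid addresses.
    """
    now = time.time() if now is None else now
    token = None
    for account_id, acct in ACCOUNTS.items():
        if acct["email"].lower() == email.strip().lower():
            token = secrets.token_urlsafe(32)   # 256 bits: not enumerable
            digest = hashlib.sha256(token.encode()).hexdigest()
            _pending[digest] = (account_id, now + TOKEN_TTL)
    return "If that address is registered, a reset link has been sent.", token


def complete_reset(token, new_password, now=None):
    """Consume a token once and set the password; True on success.

    The caller never learns which account (or address) the token maps to.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)   # single use, even on failure
    if entry is None:
        return False
    account_id, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[account_id]["password"] = new_password
    return True
```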
Spamcop.net has been informed (info_at_spamcop.net, abuse_at_spamcop.net, postmaster_at_spamcomp.net) on Jul 27th. No reaction yet.