by josh » Sat Dec 23, 2006 7:58 pm
Wait a minute -- who's spamcop? No doubt a bunch of spammers in disguise, pretending to be cops -- just kidding -- there was a bit of sting for me reading those first few posts after six+ long years of this.
starting to get it -- the problem is that the redirection addresses are showing up in the headers as displayed in the spamcop report? As you know, having a redirection address allows you to send mail to the original address and easily make it look as if it came from the disposable address - it sort of does reveal the disposable address, but you really have to think about it before you can see it. Maybe munging these addresses automatically would require new feature to be implemented at spamcop.
I guess the other risk is that a viewer of the headers would see the redirection address and think the sender was someone at spamgourmet.com, and jump to conclusions and think we're spammers? Maybe. The original sender address will still be in there, though. We've taken enough false accusations over the years that I'm almost numb to them (*almost*).
As for modifying the headers, you probably know that spamgourmet adds to the subject, and modifies the *addresses* if reply address masking is on, but really doesn't do anything else. Passing through spamgourmet builds a part of the headers, like any other mail server hop would, and we add an X- header, but that's normal.
An interesting hypothetical question to ask regarding whether it was permissible to remove post-spamgourmet header entries would be the situation where you have a border email server that you control, as well as an internal email server -- both leave headers, as they should, but does spamcop require that you supply the internal server headers if you report from inside? Seeing as how you could also report from the border server before the internal headers are added, what's the difference if you remove the internal headers afterward? I'm not familiar enough with spamcop to answer that question. And yes, you don't really control spamgourmet, but you sort of do.
Spamcop *is* good about not picking up and listing the spamgourmet server -- wish I could say the same about other reporting services.
Sorry for not jumping over there yet -- I don't think I have an account, I don't know spamcop very well, and I'm maybe still not 100% on the issues.