Home page logo

bugtraq logo Bugtraq mailing list archives

RE: SECURITY.NNOV: Outlook Express address book spoofing
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Fri, 8 Jun 2001 14:59:52 -0400 (EDT)

On Fri, 8 Jun 2001 Otto.Dandenell () iconmedialab com sg wrote:

One simple method of adding security in this case would be to pop up a
security alert when there is an attempt to add an address book entry where
the real name portion is de facto an RFC compliant mail address. The user
then can decide if he wants to allow the entry.

There are two problems with this:

1) I do not believe pop-ups are effective.  The entire Windows security
model is built on "warn-and-nag", and one more box will just annoy users
who will unthinkingly hit "OK".

2) I bet I could craft e-mail addresses which are not RFC-compliant,
but which almost every MTA will deliver anyway.  For example:

        dfs () roaringpenguin com 

is not RFC-compliant (note the trailing dot), but Sendmail happily
delivers it.  "Be liberal in what you accept" turns out to bite you.

I still maintain that very few legitimate full names have an "@" sign
in them, so those should be filtered out, no questions asked.  In
12 years on the Internet, I've never received mail from someone with an
"@" in his/her full name.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]