Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SECURITY.NNOV: Outlook Express address book spoofing
From: Peter W <peterw () usa net>
Date: Wed, 6 Jun 2001 00:39:04 -0400

On Tue, Jun 05, 2001 at 12:59:03PM -0700, Dan Kaminsky wrote:

An immediate design fix would be to use a different coloring and fontfacing
scheme to refer to full names, rather than quoted email addresses from the
address book.  This should self-document decently, since over the course of
sending a number of mails users should learn to associate one character type
with one form of name and the other with the other.  Then, when the attack
hits, people see things "backwards" and some method of investigation can be
made available.

Nice idea.

Novell Groupwise has similar problems with displaying the address book
"name" instead of the address (though Groupwise is *not* vulnerable to the
same attack that forces the spoofed entry into the address book). It would
be nice if these email systems would always display both the name and the
address. Perhaps use both different colors, and the familiar <> construct,
e.g. "myfriend () good example org <attacker () evil example net>" the way
other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]