Home page logo

bugtraq logo Bugtraq mailing list archives

RE: SECURITY.NNOV: Outlook Express address book spoofing
From: Otto.Dandenell () iconmedialab com sg
Date: Fri, 8 Jun 2001 10:59:44 +0800

Dan Kaminsky wrote:

A couple people have questioned why not just reject all "true 
names" that
contain an @ sign.  For better or worse, having an @ in your 
name is not
necessarily a sign of illegitimacy


Perhaps a "true name" filter along the lines of * () * TLD?  I 
think that's
pretty much what the user is interpreting as a differentiator 
between real
names and email addresses.

One simple method of adding security in this case would be to pop up a
security alert when there is an attempt to add an address book entry where
the real name portion is de facto an RFC compliant mail address. The user
then can decide if he wants to allow the entry.

As an added security, a similar alert can be shown when this type of entry
is used for address expansion in an outgoing mail. The user could get the
option to 
1) reject the expansion
2) reject the expansion and remove the entry from the address book
3) reject the expansion and edit the entry in the address book
4) allow the expansion this one time
5) allow the expansion and not be shown any more alerts for this address

This would combine good security and usabuility at the same time.

/ Otto Dandenell

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]