[20888] in bugtraq
Re: SECURITY.NNOV: Outlook Express address book spoofing
daemon@ATHENA.MIT.EDU (Peter W)
Wed Jun 6 02:13:04 2001
Date: Wed, 6 Jun 2001 00:39:04 -0400
From: Peter W <peterw@usa.net>
To: Dan Kaminsky <dankamin@cisco.com>
Cc: 3APA3A <3APA3A@SECURITY.NNOV.RU>, bugtraq@securityfocus.com
Message-ID: <20010606003903.F5700@usa.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <015f01c0edf9$f93f03b0$8256d281@na.cisco.com>; from dankamin@cisco.com on Tue, Jun 05, 2001 at 12:59:03PM -0700
On Tue, Jun 05, 2001 at 12:59:03PM -0700, Dan Kaminsky wrote:
> An immediate design fix would be to use a different coloring and fontfacing
> scheme to refer to full names, rather than quoted email addresses from the
> address book. This should self-document decently, since over the course of
> sending a number of mails users should learn to associate one character type
> with one form of name and the other with the other. Then, when the attack
> hits, people see things "backwards" and some method of investigation can be
> made available.
Nice idea.
Novell Groupwise has similar problems with displaying the address book
"name" instead of the address (though Groupwise is *not* vulnerable to the
same attack that forces the spoofed entry into the address book). It would
be nice if these email systems would always display both the name and the
address. Perhaps use both different colors, and the familiar <> construct,
e.g. "myfriend@good.example.org <attacker@evil.example.net>" the way
other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.
-Peter
