[20923] in bugtraq
RE: SECURITY.NNOV: Outlook Express address book spoofing
daemon@ATHENA.MIT.EDU (Otto.Dandenell@iconmedialab.com.sg)
Fri Jun 8 14:48:13 2001
Message-ID: <B13DE87AF63F8B44A11E3100917921825F94FF@exchsrv1.sin.iconmedialab.com>
From: Otto.Dandenell@iconmedialab.com.sg
To: bugtraq@securityfocus.com
Cc: dankamin@cisco.com
Date: Fri, 8 Jun 2001 10:59:44 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Dan Kaminsky wrote:
> A couple people have questioned why not just reject all "true names" that
> contain an @ sign. For better or worse, having an @ in your name is not
> necessarily a sign of illegitimacy
<snip>
> Perhaps a "true name" filter along the lines of *@*.TLD? I think that's
> pretty much what the user is interpreting as a differentiator between real
> names and email addresses.
One simple method of adding security in this case would be to pop up a
security alert when there is an attempt to add an address book entry where
the real name portion is de facto an RFC compliant mail address. The user
then can decide if he wants to allow the entry.
As added security, a similar alert can be shown when this type of entry
is used for address expansion in an outgoing mail. The user could get the
option to
1) reject the expansion
2) reject the expansion and remove the entry from the address book
3) reject the expansion and edit the entry in the address book
4) allow the expansion this one time
5) allow the expansion and not be shown any more alerts for this address
This would combine good security and usability at the same time.
/ Otto Dandenell
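The check described in the post, as an added example that is not code from the post, from Outlook Express or from either author: it flags an address book entry whose display name is itself a mail address, distinguishes the harmless case where the name simply equals the mailbox from the case where it names a different mailbox, and honours a per-address exemption set standing in for option 5. It offers both Kaminsky's loose `*@*.TLD` shape and a stricter dot-atom addr-spec approximation; function names, regexes and the sample entries are assumptions constructed here.

```python
import re

# Constructed sample address book entries (display name, mailbox); not from the post.
SAMPLE_ENTRIES = [
    ("Dan Kaminsky", "dankamin@cisco.com"),                    # ordinary entry
    ("dankamin@cisco.com", "attacker@example.invalid"),         # name impersonates a mailbox
    ("Otto @ Work", "otto@example.invalid"),                    # legitimate '@' inside a name
    ("admin@mail.example.co.uk", "someone@example.invalid"),    # multi-label domain in the name
    ("otto@example.invalid", "otto@example.invalid"),           # name equals mailbox
]

# Kaminsky's suggested shape *@*.TLD: the whole display name is a single token
# containing one '@' followed by a dotted domain.  "Otto @ Work" does not match
# because the '@' is not glued to non-space characters on both sides.
LOOSE_ADDRESS_RE = re.compile(r"^\s*[^\s@]+@[^\s@]+\.[A-Za-z]{2,}\s*$")

# Stricter approximation of an RFC 2822 addr-spec in dot-atom form:
# atext local part, dotted domain labels, alphabetic top-level label.
STRICT_ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)


def looks_like_address(display_name, strict=False):
    """True when the display name, taken as a whole, reads as a mail address."""
    pattern = STRICT_ADDRESS_RE if strict else LOOSE_ADDRESS_RE
    return pattern.match(display_name.strip()) is not None


def classify_entry(display_name, address, strict=False, exempt=frozenset()):
    """Classify one address book entry.

    Returns one of:
      "ok"       - display name is not an address, or the mailbox is exempted
      "self"     - display name is an address and it is the entry's own mailbox
      "mismatch" - display name is an address for a different mailbox (alert)
    """
    if address.strip().lower() in exempt:
        return "ok"
    if not looks_like_address(display_name, strict):
        return "ok"
    # Domain comparison is case-insensitive; the local part formally is not,
    # but mail clients treat the pair as the same mailbox, so compare lowercased.
    if display_name.strip().lower() == address.strip().lower():
        return "self"
    return "mismatch"


def audit_address_book(entries, strict=False, exempt=frozenset()):
    """Return (display_name, address, verdict) for every entry in the book."""
    return [
        (name, addr, classify_entry(name, addr, strict, exempt))
        for name, addr in entries
    ]


if __name__ == "__main__":
    for name, addr, verdict in audit_address_book(SAMPLE_ENTRIES):
        print(f"{verdict:9} {name!r} -> {addr}")
```

The same `classify_entry` call serves both points where the post wants an alert: at insertion time, and again when the entry is expanded into a recipient on an outgoing mail, with the user's "don't alert again" choice recorded in `exempt`.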