[20944] in bugtraq
RE: SECURITY.NNOV: Outlook Express address book spoofing
daemon@ATHENA.MIT.EDU (David F. Skoll)
Sun Jun 10 17:57:34 2001
Date: Fri, 8 Jun 2001 14:59:52 -0400 (EDT)
From: "David F. Skoll" <dfs@roaringpenguin.com>
To: <Otto.Dandenell@iconmedialab.com.sg>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <B13DE87AF63F8B44A11E3100917921825F94FF@exchsrv1.sin.iconmedialab.com>
Message-ID: <Pine.LNX.4.30.0106081453140.1240-100000@shishi.roaringpenguin.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Fri, 8 Jun 2001 Otto.Dandenell@iconmedialab.com.sg wrote:
> One simple method of adding security in this case would be to pop up a
> security alert when there is an attempt to add an address book entry where
> the real name portion is de facto an RFC compliant mail address. The user
> then can decide if he wants to allow the entry.
There are two problems with this:
1) I do not believe pop-ups are effective. The entire Windows security
model is built on "warn-and-nag", and one more box will just annoy users
who will unthinkingly hit "OK".
2) I bet I could craft e-mail addresses which are not RFC-compliant,
but which almost every MTA will deliver anyway. For example:
dfs@roaringpenguin.com.
is not RFC-compliant (note the trailing dot), but Sendmail happily
delivers it. "Be liberal in what you accept" turns out to bite you.
I still maintain that very few legitimate full names have an "@" sign
in them, so those should be filtered out, no questions asked. In
12 years on the Internet, I've never received mail from someone with an
"@" in his/her full name.
--
David.
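As an added example (not part of the thread or any product's code), a small Python script applies both heuristics discussed above to the display-name portion of a name-addr header: the proposed "is the real name a syntactically valid address" pop-up test, and Skoll's plainer "does the real name contain an @" rule. The regexes and the sample header values are constructed assumptions; the trailing-dot entry shows where the first check stays silent and the second does not.

```python
import re

# Constructed sample header values: the real-name portion of an address book
# entry made to look like an e-mail address, as discussed in the thread.
SAMPLE_HEADERS = [
    'David F. Skoll <dfs@roaringpenguin.com>',           # ordinary entry
    '"dfs@roaringpenguin.com" <attacker@example.net>',   # real name is a valid address
    '"dfs@roaringpenguin.com." <attacker@example.net>',  # trailing dot: not RFC-clean
    'support <help@example.org>',
]

# Minimal name-addr split: optional (possibly quoted) display name, then <addr-spec>.
NAME_ADDR = re.compile(r'^\s*(?:"(?P<qname>[^"]*)"|(?P<name>[^<]*?))\s*<(?P<addr>[^>]+)>\s*$')

# Deliberately simple addr-spec pattern standing in for the "RFC compliant" test
# proposed in the thread: dot-atom local part, dot-separated labels, no trailing dot.
ADDR_SPEC = re.compile(r'^[A-Za-z0-9!#$%&\'*+/=?^_`{|}~.-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$')


def split_name_addr(header_value):
    """Return (display_name, addr_spec), or None if the value is not in name-addr form."""
    m = NAME_ADDR.match(header_value)
    if not m:
        return None
    name = m.group('qname') if m.group('qname') is not None else m.group('name').strip()
    return name, m.group('addr').strip()


def looks_like_rfc_address(text):
    """The pop-up heuristic from the thread: flag only syntactically valid addresses."""
    return ADDR_SPEC.match(text) is not None


def name_contains_at(text):
    """Skoll's stricter rule: any '@' in a real name is suspicious, no questions asked."""
    return '@' in text


def classify(header_value):
    """Apply both heuristics to the display name; returns (name, rfc_flag, at_flag)."""
    parsed = split_name_addr(header_value)
    if parsed is None:
        return None
    name, _addr = parsed
    return name, looks_like_rfc_address(name), name_contains_at(name)


if __name__ == '__main__':
    for h in SAMPLE_HEADERS:
        print(classify(h))
```

The third sample, with the trailing dot, is the case the reply describes: the syntax check does not fire, while the "@" rule still flags the entry.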