Security Basics mailing list archives

RE: Verifying E-Mail Addresses


From: "Isaac Van Name" <ivanname () southerlandsleep com>
Date: Thu, 16 Nov 2006 08:28:13 -0600

Actually, that's a very good point, and one that I missed myself when
replying to this thread.  You can't check your email without internet
access... duh.  :-)  I'm a bit daft sometimes... bear with me.

Another approach might be to disallow email addresses that are of the "free
and anonymous" nature like Yahoo, Hotmail, Gmail, etc. and require an email
address that is actually tied to some type of verifiable personal
information.  The chess server I play on does this, believe it or not...
they require a "real" email address to create an account.  By "real", it
could be a person's work email, their AO_Hell account, etc.  ... Of course,
this wouldn't really work if the person worked at Yahoo... :-)

Or you could try catching the MAC address when the person connects
successfully and track their activity.  Of course, anyone that's smart
enough to do anything REALLY bad is going to know how to change their MAC
address.  Hopefully, your IDS would pick up the activity and alert you in
time for something to be done.

Really, all it boils down to is what I saw someone else say, and I'm going
to have to agree:  Maybe the question should be why your company wants/needs
such a resource, instead of how to secure it.  If your company doesn't need
that resource, then you're looking at investing a lot of time and work for
nothing.

I would like to see more ideas on how this could be secured, though it seems
impractical.  This is turning into an interesting thread.


Isaac Van Name
Systems Administrator

"What good would you do with an ignorant employee? Ignorance is grounds for
dismissal..." - Mario Spinthiras
 
Open Source developing at its finest:
"Written in vim, W3C valid and UTF-8 encoded, for her pleasure."
 
Disclaimer:  This email is intended only to be used to feign intellectual
mastery of a subject or superhuman command of the English language, when
profanity is involved.  By reading this email, you are agreeing to cease all
correspondence with the sender upon realizing your own ignorance, and
furthermore to refrain from taking legal action against said sender when
your compounding ignorance crushes your inadequate self-esteem.  Have a nice
day.

Original> -----Original Message-----
Original> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Original> On Behalf Of Jeffrey F. Bloss
Original> Sent: Tuesday, November 14, 2006 1:58 PM
Original> To: security-basics () securityfocus com
Original> Subject: Re: Verifying E-Mail Addresses
Original> 
Original> Will Yonker wrote:
Original> 
Original> > >> I do recognize that somebody can enter a valid e-mail address that
Original> > >> does not belong to them, but we are trying to address one issue at
Original> > >> a time. At this point we are just trying to prevent people who
Original> > >> give us "dude () dude com" from getting on to our network.
Original> >
Original> > I agree, you really should require a working email address that they
Original> > have access to.  I would say your best bet would be to use the same
Original> > sort of verification that most email lists use.  You could easily
Original> > automate the whole thing.  It could go something like this:
Original> >
Original> > The user turns on his PC and you assign him all the right DHCP info.
Original> > He then opens his browser and is directed to your login page.
Original> > He then has to enter his email address if he needs to create an
Original> > account. Then you send him an email with the password.
Original> 
Original> <snippage>
Original> 
Original> Unless you've already granted at least some level of the access you're
Original> trying to control, how would the potential user receive the email? :)
Original> 
Original> Wasn't this scenario basically a municipal/public access point trying
Original> to at least in some way validate prospective users? Unless this is
Original> implemented as a subscription service where the user can "go home and
Original> get the password" when it's issued, it won't easily work.
Original> 
Original> You can't send it to them via the web interface or any other webmail, or
Original> you've pretty much eviscerated the whole process. If you let them have
Original> limited access to certain resources so they can get their
Original> "challenge/response" email from an account outside your control you're
Original> not only dealing with the nightmare of managing that resource, but
Original> opening yourself up to an easy circumvention of all your hard work by
Original> people using disposable email accounts like Pookmail, Jetable,
Original> Spamgourmet, some "bot" machine in New Jersey, their Siberian hacker
Original> friend's private server on a roving DynDNS enabled box that's hooked up
Original> to some flaky cafe WiFi just for today, etc...
Original> 
Original> --
Original> Hand crafted on 14 November, 2006 at 14:53:23 EST using
Original> only the finest domestic and imported ASCII.
Original> 
Original> Abandon the search for truth; settle for a good fantasy.
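The two mechanisms discussed in this thread, a denylist of free and anonymous mail domains (Isaac's suggestion) and the mailing-list style challenge/response verification (Will's, with Jeffrey's objection that the user cannot receive the mail without some access), can be sketched in a few portal-side functions. The code below is an added example, not code from any poster; the secret key, the domain list and the sample addresses are constructed placeholders, and the delivery problem Jeffrey raises is assumed to be solved elsewhere (a subscription step done from home, or a walled garden that reaches only the mail provider). The token is an HMAC over the address, the requesting MAC and an expiry, so a link pasted from a different client or replayed after the window is rejected, and a tampered token fails the constant-time signature check.

```python
"""Captive-portal e-mail verification helpers (added example, not from the thread).

Constructed assumptions:
  * PORTAL_SECRET is a server-side key; a real deployment loads it from a secrets store.
  * FREE_MAIL_DOMAINS is illustrative, not a maintained denylist.
  * client_mac is whatever the DHCP/portal layer observed. As the thread notes it is
    trivially changed, so it only ties a token to the session that requested it.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

PORTAL_SECRET = b"constructed-placeholder-key-change-me"
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com"}  # constructed list
TOKEN_TTL_SECONDS = 15 * 60


def normalize_email(address: str) -> Optional[str]:
    """Lowercase local@domain, or None when the shape is obviously not an address."""
    address = address.strip().lower()
    if address.count("@") != 1 or "|" in address:   # "|" is the token field separator
        return None
    local, domain = address.split("@")
    if not local or "." not in domain or domain.startswith(".") or domain.endswith("."):
        return None
    return f"{local}@{domain}"


def is_free_mail(address: str) -> bool:
    """True when the domain, or a subdomain of it, is on the free-mail denylist."""
    norm = normalize_email(address)
    if norm is None:
        return False
    domain = norm.split("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in FREE_MAIL_DOMAINS)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, client_mac: str, now=None, secret=PORTAL_SECRET) -> str:
    """Build an expiring, MAC-bound token to embed in the verification mail."""
    norm = normalize_email(email)
    if norm is None:
        raise ValueError("malformed e-mail address")
    now = int(time.time()) if now is None else int(now)
    fields = [norm, client_mac.lower(), str(now + TOKEN_TTL_SECONDS), secrets.token_hex(8)]
    payload = "|".join(fields).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, client_mac: str, now=None, secret=PORTAL_SECRET) -> Optional[str]:
    """Return the verified address, or None if the token is forged, moved or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        email, mac, expires, _nonce = payload.decode().split("|")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    if mac != client_mac.lower() or now > int(expires):
        return None
    return email


if __name__ == "__main__":
    # Constructed walk-through of the registration flow.
    applicant, mac = "Carol@Example.org", "AA:BB:CC:DD:EE:01"
    if is_free_mail(applicant):
        print("rejected: free-mail domain")
    else:
        tok = issue_token(applicant, mac)           # would be mailed to the applicant
        print("verified as", verify_token(tok, mac))
```

The MAC binding and the short TTL limit how far a leaked verification link travels; they do not establish who owns the address, which is the "one issue at a time" boundary the original poster drew.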


