Bugtraq mailing list archives
RE: SECURITY.NNOV: Outlook Express address book spoofing
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Fri, 8 Jun 2001 14:59:52 -0400 (EDT)
On Fri, 8 Jun 2001 Otto.Dandenell () iconmedialab com sg wrote:
> One simple method of adding security in this case would be to pop up a security alert when there is an attempt to add an address book entry where the real name portion is de facto an RFC compliant mail address. The user then can decide if he wants to allow the entry.
There are two problems with this:

1) I do not believe pop-ups are effective. The entire Windows security model is built on "warn-and-nag", and one more box will just annoy users who will unthinkingly hit "OK".

2) I bet I could craft e-mail addresses which are not RFC-compliant, but which almost every MTA will deliver anyway. For example: dfs () roaringpenguin com. is not RFC-compliant (note the trailing dot), but Sendmail happily delivers it. "Be liberal in what you accept" turns out to bite you.

I still maintain that very few legitimate full names have an "@" sign in them, so those should be filtered out, no questions asked. In 12 years on the Internet, I've never received mail from someone with an "@" in his/her full name.

-- David.
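An added example, not code from this thread: a small Python check that contrasts the two proposals above, Otto's "flag the real name only if it is a well-formed address" rule (approximated here by a simplified addr-spec pattern that is my assumption, not a full RFC grammar) against David's "flag any real name containing '@'" rule, run over constructed address-book entries that include the trailing-dot case from the reply.

```python
import re
from email.utils import parseaddr

# Simplified addr-spec pattern (an assumption, not from the thread):
# local-part "@" dot-separated labels, with no trailing dot allowed.
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$"
)


def rfc_check(display_name):
    """Otto's proposal: flag only when the display name is a well-formed address."""
    return ADDR_SPEC.match(display_name) is not None


def at_sign_check(display_name):
    """David's proposal: flag any display name that contains an '@' sign."""
    return "@" in display_name


def evaluate_entry(header_value):
    """Split a From:-style value into display name and addr-spec, run both checks."""
    name, addr = parseaddr(header_value)
    return {
        "name": name,
        "addr": addr,
        "rfc_flags": rfc_check(name),
        "at_flags": at_sign_check(name),
    }


# Constructed address-book entries (example.org/example.net are placeholders).
SAMPLES = [
    '"Alice Example" <alice@example.org>',              # ordinary contact
    '"bob@example.org" <other@example.net>',            # display name is an address
    '"dfs@roaringpenguin.com." <other@example.net>',    # trailing dot: not RFC-valid,
]                                                       # yet an MTA may still deliver it


def run_samples():
    """Return the check results for every constructed sample, in order."""
    return [evaluate_entry(s) for s in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The third entry is the one that matters: the strict pattern does not flag it, while the plain "@" rule does.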
Current thread:
- SECURITY.NNOV: Outlook Express address book spoofing 3APA3A (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Dan Kaminsky (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Peter W (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Dan Kaminsky (Jun 07)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Kee Hinckley (Jun 08)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Peter W (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Dan Kaminsky (Jun 05)
- <Possible follow-ups>
- RE: SECURITY.NNOV: Outlook Express address book spoofing Otto . Dandenell (Jun 08)
- RE: SECURITY.NNOV: Outlook Express address book spoofing David F. Skoll (Jun 10)
- RE: SECURITY.NNOV: Outlook Express address book spoofing Matt Priestley (Jun 12)