Bugtraq mailing list archives
Re: SECURITY.NNOV: Outlook Express address book spoofing
From: Peter W <peterw () usa net>
Date: Wed, 6 Jun 2001 00:39:04 -0400
On Tue, Jun 05, 2001 at 12:59:03PM -0700, Dan Kaminsky wrote:
> An immediate design fix would be to use a different coloring and fontfacing scheme to refer to full names, rather than quoted email addresses from the address book. This should self-document decently, since over the course of sending a number of mails users should learn to associate one character type with one form of name and the other with the other. Then, when the attack hits, people see things "backwards" and some method of investigation can be made available.
Nice idea. Novell Groupwise has similar problems with displaying the address book "name" instead of the address (though Groupwise is *not* vulnerable to the same attack that forces the spoofed entry into the address book).

It would be nice if these email systems would always display both the name and the address. Perhaps use both different colors, and the familiar <> construct, e.g. "myfriend () good example org <attacker () evil example net>" the way other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.

-Peter
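The display rule suggested in this message, as an added example that is not part of the original post or of any mail client's code: always render the name together with the real address, and flag a name that itself looks like a different address. The function name, the address-book dictionary and the sample addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Loose pattern for "something that looks like an email address" inside a name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_sender(from_header, address_book=None):
    """Return (display_text, warning) for a raw From: header value.

    address_book is a hypothetical {address: name} mapping standing in for
    the client's address book; its names are shown, but never alone.
    """
    name, addr = parseaddr(from_header)
    if not addr:
        return "<unparseable sender>", "From header has no usable address"

    # Prefer the address-book name when one exists, but keep the address visible.
    shown = (address_book or {}).get(addr.lower(), name)
    display = f"{shown} <{addr}>" if shown else f"<{addr}>"

    # A name that contains an address other than the real one is the
    # "backwards" case the thread describes: surface it to the user.
    claimed = ADDR_RE.search(shown)
    if claimed and claimed.group(0).lower() != addr.lower():
        return display, f"name shows {claimed.group(0)} but sender is {addr}"
    return display, None


if __name__ == "__main__":
    # Constructed sample: an address-book entry whose name is someone else's address.
    book = {"attacker@evil.example.net": "myfriend@good.example.org"}
    samples = [
        "attacker@evil.example.net",
        '"myfriend@good.example.org" <attacker@evil.example.net>',
        "My Friend <myfriend@good.example.org>",
    ]
    for header in samples:
        text, warning = render_sender(header, book)
        print(text, "|", warning or "ok")
```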