Re: SECURITY.NNOV: Outlook Express address book spoofing

[Peter W <peterw () usa net>]

On Tue, Jun 05, 2001 at 12:59:03PM -0700, Dan Kaminsky wrote:

> An immediate design fix would be to use a different coloring and fontfacing
> scheme to refer to full names, rather than quoted email addresses from the
> address book.  This should self-document decently, since over the course of
> sending a number of mails users should learn to associate one character type
> with one form of name and the other with the other.  Then, when the attack
> hits, people see things "backwards" and some method of investigation can be
> made available.

Nice idea.

Novell Groupwise has similar problems with displaying the address book
"name" instead of the address (though Groupwise is *not* vulnerable to the
same attack that forces the spoofed entry into the address book). It would
be nice if these email systems would always display both the name and the
address. Perhaps use both different colors, and the familiar <> construct,
e.g. "myfriend () good example org <attacker () evil example net>" the way
other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.

-Peter