Bugtraq mailing list archives
RE: SECURITY.NNOV: Outlook Express address book spoofing
From: Otto.Dandenell () iconmedialab com sg
Date: Fri, 8 Jun 2001 10:59:44 +0800
Dan Kaminsky wrote:
A couple people have questioned why not just reject all "true names" that contain an @ sign. For better or worse, having an @ in your name is not necessarily a sign of illegitimacy.
<snip>
Perhaps a "true name" filter along the lines of *@*.TLD? I think that's pretty much what the user is interpreting as a differentiator between real names and email addresses.
One simple method of adding security in this case would be to pop up a security alert when there is an attempt to add an address book entry where the real name portion is de facto an RFC compliant mail address. The user then can decide if he wants to allow the entry.

As an added security, a similar alert can be shown when this type of entry is used for address expansion in an outgoing mail. The user could get the option to

1) reject the expansion
2) reject the expansion and remove the entry from the address book
3) reject the expansion and edit the entry in the address book
4) allow the expansion this one time
5) allow the expansion and not be shown any more alerts for this address

This would combine good security and usability at the same time.

/ Otto Dandenell
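The check proposed in this message, sketched as an added example (not code from the original post or from Outlook Express). The regular expression is a simplified approximation of an RFC mail address, and the `AddressBook` class, its callbacks and the sample addresses used with it are hypothetical.

```python
import re
from enum import Enum

# Simplified stand-in for an RFC 822 addr-spec: local-part@dotted.domain.tld.
# It is not the full RFC grammar (no quoted local parts or domain literals).
ADDR_LIKE = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

class Choice(Enum):
    """The five options from the post, offered when a flagged entry is expanded."""
    REJECT = 1
    REJECT_AND_REMOVE = 2
    REJECT_AND_EDIT = 3
    ALLOW_ONCE = 4
    ALLOW_ALWAYS = 5

def name_is_address(real_name):
    """True when the real-name field is, in effect, a mail address."""
    return ADDR_LIKE.fullmatch(real_name.strip().strip("\"'<>")) is not None

class AddressBook:
    # confirm_add, on_expand and edit_name are hypothetical UI callbacks.
    def __init__(self, confirm_add, on_expand, edit_name):
        self.confirm_add, self.on_expand, self.edit_name = confirm_add, on_expand, edit_name
        self.entries = {}      # real name -> mail address
        self.trusted = set()   # (name, address) pairs the user chose "allow always" for

    def add(self, real_name, address):
        """Store an entry; a flagged name needs the user's confirmation first."""
        if name_is_address(real_name) and not self.confirm_add(real_name, address):
            return False
        self.entries[real_name] = address
        return True

    def expand(self, real_name):
        """Return the address to send to, or None if expansion was rejected."""
        address = self.entries.get(real_name)
        if address is None or not name_is_address(real_name) or (real_name, address) in self.trusted:
            return address
        choice = self.on_expand(real_name, address)
        if choice is Choice.ALLOW_ALWAYS:
            self.trusted.add((real_name, address))
        if choice in (Choice.ALLOW_ONCE, Choice.ALLOW_ALWAYS):
            return address
        if choice is Choice.REJECT_AND_REMOVE:
            del self.entries[real_name]
        elif choice is Choice.REJECT_AND_EDIT:
            # Re-file the entry under a name the user supplies.
            self.entries[self.edit_name(real_name, address)] = self.entries.pop(real_name)
        return None
```

The "allow always" decision is stored per name and address pair, so replacing the address behind an already trusted name brings the alert back.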