Re: Verifying E-Mail Addresses

[tommie <tommie () techTHEORY net>]

How do they get access to their email if they don't already have the
password? a chicken and egg scenario.

Is this a public wi-fi network or private? If it is private, setup a
login/passwd system for users prior to them connecting. If it's public
(like anon FTP), you are going to get dude () dude com all day.

TP

Will Yonker wrote:

> <quote who="Jason Muskat, GCFA, GCUX, de VE3TSJ">
>  
>
> > Hello,
> >
> > The security issue would be if one could verify 3rd party email addresses.
> > An organization being lazy and cheap wanting not to verify users before
> > granting them access is questionable organization decision, not a security
> > issue.
> >    
> >
> > > From: Mister Dookie <misterdookie () gmail com>
> > > Is there a way to verify that an e-mail address
> > > (e.g."johnsmith () company com") is valid and exists or does not exist
> > > (is a fake e-mail address) without actually sending a message to that
> > > address and awaiting the response?
> > >
> > > Here's why this is a security issue. Our company administers a small
> > > "municipal-type" 802.11 network where for limited open-access the only
> > > form of ID we require is an e-mail address and a password. We simple
> > > don't have the resources to send out e-mails and then have
> > > verification and so forth. We are trying to prevent users from
> > > entering fake addresses into our system. We want at least a small
> > > amount of accountability.
> > >
> > > We would like to be able to do a quick check, say query an IMAP, POP3,
> > > or SMTP and check to see if there is actually an account at that
> > > address without sending a verification e-mail and waiting for users to
> > > click on a link or get something that bounces back. Does something
> > > like that exist?
> > >
> > > I do recognize that somebody can enter a valid e-mail address that
> > > does not belong to them, but we are trying to address one issue at a
> > > time. At this point we are just trying to prevent people who give us
> > > "dude () dude com" from getting on to our network.
> > >      
>
> I agree, you really should require a working email address that they have
> access to.  I would say your best bet would be to use the same sort of
> verification that most email lists use.  You could easily automate the
> whole thing.  It could go something like this:
>
> The user turns on his PC and you assign him all the right DHCP info.
> He then opens his browser and is directed to your login page.
> He then has to enter his email address if he needs to create an account.
> Then you send him an email with the password.
> Once he enters the password, he is granted access to the proxy (which
> connects to the internet).
>
> All quite simple to setup I think.  I haven't tried to automatically
> create squid accounts but I'm guessing that would be trivial.  You could
> rip the code from majordomo if there isn't already a package out there to
> do just this.
>
> The advantage here is, you can do all kinds of access control in the
> proxy.  You could even add something like dansguardian for content
> filtering.
>
> Anyway, enough of my rambling.
>
>
>
>
>  

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------