Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: tommie <tommie () techTHEORY net>
Date: Tue, 14 Nov 2006 15:40:06 -0500
How do they get access to their email if they don't already have the password? a chicken and egg scenario. Is this a public wi-fi network or private? If it is private, setup a login/passwd system for users prior to them connecting. If it's public (like anon FTP), you are going to get dude () dude com all day. TP Will Yonker wrote:
<quote who="Jason Muskat, GCFA, GCUX, de VE3TSJ">Hello, The security issue would be if one could verify 3rd party email addresses. An organization being lazy and cheap wanting not to verify users before granting them access is questionable organization decision, not a security issue.From: Mister Dookie <misterdookie () gmail com> Is there a way to verify that an e-mail address (e.g."johnsmith () company com") is valid and exists or does not exist (is a fake e-mail address) without actually sending a message to that address and awaiting the response? Here's why this is a security issue. Our company administers a small "municipal-type" 802.11 network where for limited open-access the only form of ID we require is an e-mail address and a password. We simple don't have the resources to send out e-mails and then have verification and so forth. We are trying to prevent users from entering fake addresses into our system. We want at least a small amount of accountability. We would like to be able to do a quick check, say query an IMAP, POP3, or SMTP and check to see if there is actually an account at that address without sending a verification e-mail and waiting for users to click on a link or get something that bounces back. Does something like that exist? I do recognize that somebody can enter a valid e-mail address that does not belong to them, but we are trying to address one issue at a time. At this point we are just trying to prevent people who give us "dude () dude com" from getting on to our network.I agree, you really should require a working email address that they have access to. I would say your best bet would be to use the same sort of verification that most email lists use. You could easily automate the whole thing. It could go something like this: The user turns on his PC and you assign him all the right DHCP info. He then opens his browser and is directed to your login page. He then has to enter his email address if he needs to create an account. Then you send him an email with the password. Once he enters the password, he is granted access to the proxy (which connects to the internet). All quite simple to setup I think. I haven't tried to automatically create squid accounts but I'm guessing that would be trivial. You could rip the code from majordomo if there isn't already a package out there to do just this. The advantage here is, you can do all kinds of access control in the proxy. You could even add something like dansguardian for content filtering. Anyway, enough of my rambling.
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: Verifying E-Mail Addresses Jason Muskat, GCFA, GCUX, de VE3TSJ (Nov 03)
- Re: Verifying E-Mail Addresses Will Yonker (Nov 14)
- Re: Verifying E-Mail Addresses tommie (Nov 15)
- Re: Verifying E-Mail Addresses AragonX (Nov 15)
- RE: Verifying E-Mail Addresses Isaac Van Name (Nov 15)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 16)
- Re: Verifying E-Mail Addresses tommie (Nov 15)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 15)
- RE: Verifying E-Mail Addresses Isaac Van Name (Nov 16)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 17)
- Re: Verifying E-Mail Addresses Will Yonker (Nov 14)
- <Possible follow-ups>
- Re: Verifying E-Mail Addresses Andrew Wheeler (Nov 16)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 17)
- Re: Verifying E-Mail Addresses Jeffrey F. Bloss (Nov 17)
- Re: Verifying E-Mail Addresses Hylton Conacher(ZR1HPC) (Nov 20)