RE: Verifying E-Mail Addresses

["Isaac Van Name" <ivanname () southerlandsleep com>]

To TP:
Original> How do they get access to their email if they don't already have
the
Original> password? a chicken and egg scenario.

Not really... He was speaking of sending the password for the login page to
the person's provided email... I'd expect the person to know the password of
their own email.

To MD:
(snip)

Original> >>>We simple
Original> >>>don't have the resources to send out e-mails and then have
Original> >>>verification and so forth.

But you have the resources to find the mail server for an email address,
connect to it, and run the VRFY command, catch the response, allow or deny
them based on that response... automated... every time someone tries to
connect to your WAP?

It just seems easier to do the email with the password... It seems that a
lot of companies use this method, and I'm sure there's solid reasoning
behind it.  I know it's relatively simple to do in PHP, if that's your cup
of tea.  Anyways, if you can't count on the VRFY command working on some
mail servers, then sending an email is the only "foolproof" way you have
available to you.

I have no other thoughts on this, as the email solution seems the best, and
I'm sure someone will close this thread soon, anyways.


Isaac Van Name
Systems Administrator

"What good would you do with an ignorant employee? Ignorance is grounds for
dismissal..." - Mario Spinthiras
 
Open Source developing at its finest:
"Written in vim, W3C valid and UTF-8 encoded, for her pleasure."
 
Disclaimer:  This email is intended only to be used to feign intellectual
mastery of a subject or superhuman command of the English language, when
profanity is involved.  By reading this email, you are agreeing to cease all
correspondence with the sender upon realizing your own ignorance, and
furthermore to refrain from taking legal action against said sender when
your compounding ignorance crushes your inadequate self-esteem.  Have a nice
day.

Original> -----Original Message-----
Original> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
Original> On Behalf Of tommie
Original> Sent: Tuesday, November 14, 2006 2:40 PM
Original> Cc: security-basics () securityfocus com
Original> Subject: Re: Verifying E-Mail Addresses
Original> 
Original> How do they get access to their email if they don't already have
the
Original> password? a chicken and egg scenario.
Original> 
Original> Is this a public wi-fi network or private? If it is private, setup
a
Original> login/passwd system for users prior to them connecting. If it's
public
Original> (like anon FTP), you are going to get dude () dude com all day.
Original> 
Original> TP
Original> 
Original> Will Yonker wrote:
Original> 
Original> ><quote who="Jason Muskat, GCFA, GCUX, de VE3TSJ">
Original> >
Original> >
Original> >>Hello,
Original> >>
Original> >>The security issue would be if one could verify 3rd party email
Original> addresses.
Original> >>An organization being lazy and cheap wanting not to verify users
before
Original> >>granting them access is questionable organization decision, not
a
Original> security
Original> >>issue.
Original> >>
Original> >>
Original> >>>From: Mister Dookie <misterdookie () gmail com>
Original> >>>Is there a way to verify that an e-mail address
Original> >>>(e.g."johnsmith () company com") is valid and exists or does not
exist
Original> >>>(is a fake e-mail address) without actually sending a message
to that
Original> >>>address and awaiting the response?
Original> >>>
Original> >>>Here's why this is a security issue. Our company administers a
small
Original> >>>"municipal-type" 802.11 network where for limited open-access
the
Original> only
Original> >>>form of ID we require is an e-mail address and a password. We
simple
Original> >>>don't have the resources to send out e-mails and then have
Original> >>>verification and so forth. We are trying to prevent users from
Original> >>>entering fake addresses into our system. We want at least a
small
Original> >>>amount of accountability.
Original> >>>
Original> >>>We would like to be able to do a quick check, say query an
IMAP, POP3,
Original> >>>or SMTP and check to see if there is actually an account at
that
Original> >>>address without sending a verification e-mail and waiting for
users to
Original> >>>click on a link or get something that bounces back. Does
something
Original> >>>like that exist?
Original> >>>
Original> >>>I do recognize that somebody can enter a valid e-mail address
that
Original> >>>does not belong to them, but we are trying to address one issue
at a
Original> >>>time. At this point we are just trying to prevent people who
give us
Original> >>>"dude () dude com" from getting on to our network.
Original> >>>
Original> >>>
Original> >
Original> >I agree, you really should require a working email address that
they have
Original> >access to.  I would say your best bet would be to use the same
sort of
Original> >verification that most email lists use.  You could easily
automate the
Original> >whole thing.  It could go something like this:
Original> >
Original> >The user turns on his PC and you assign him all the right DHCP
info.
Original> >He then opens his browser and is directed to your login page.
Original> >He then has to enter his email address if he needs to create an
account.
Original> >Then you send him an email with the password.
Original> >Once he enters the password, he is granted access to the proxy
(which
Original> >connects to the internet).
Original> >
Original> >All quite simple to setup I think.  I haven't tried to
automatically
Original> >create squid accounts but I'm guessing that would be trivial.
You could
Original> >rip the code from majordomo if there isn't already a package out
there to
Original> >do just this.
Original> >
Original> >The advantage here is, you can do all kinds of access control in
the
Original> >proxy.  You could even add something like dansguardian for
content
Original> >filtering.
Original> >
Original> >Anyway, enough of my rambling.
Original> >
Original> >
Original> >
Original> >
Original> >
Original> >
Original> 
Original>
---------------------------------------------------------------------------
Original> This list is sponsored by: Norwich University
Original> 
Original> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
Original> The NSA has designated Norwich University a center of Academic
Original> Excellence
Original> in Information Security. Our program offers unparalleled Infosec
Original> management
Original> education and the case study affords you unmatched consulting
Original> experience.
Original> Using interactive e-Learning technology, you can earn this
esteemed
Original> degree,
Original> without disrupting your career or home life.
Original> 
Original> http://www.msia.norwich.edu/secfocus
Original>
---------------------------------------------------------------------------
Original> 



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------