Bugtraq mailing list archives

RE: SECURITY.NNOV: Outlook Express address book spoofing


From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Fri, 8 Jun 2001 14:59:52 -0400 (EDT)

On Fri, 8 Jun 2001 Otto.Dandenell () iconmedialab com sg wrote:

> One simple method of adding security in this case would be to pop up a
> security alert when there is an attempt to add an address book entry where
> the real name portion is de facto an RFC-compliant mail address. The user
> then can decide if he wants to allow the entry.

There are two problems with this:

1) I do not believe pop-ups are effective.  The entire Windows security
model is built on "warn-and-nag", and one more box will just annoy users
who will unthinkingly hit "OK".

2) I bet I could craft e-mail addresses which are not RFC-compliant,
but which almost every MTA will deliver anyway.  For example:

        dfs () roaringpenguin com.

is not RFC-compliant (note the trailing dot), but Sendmail happily
delivers it.  "Be liberal in what you accept" turns out to bite you.

I still maintain that very few legitimate full names have an "@" sign
in them, so those should be filtered out, no questions asked.  In
12 years on the Internet, I've never received mail from someone with an
"@" in his/her full name.

--
David.

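An added example, not part of the original post, comparing the two policies discussed in this exchange: a strict "does the display name parse as an RFC-style address" test against a plain "does the display name contain an @" test, run over constructed address-book entries. The regex is a simplified stand-in for an RFC address check (not a full RFC 5322 parser), and the sample entries, including the trailing-dot case from the post, are constructed here.

```python
import re

# Simplified stand-in for an "RFC-compliant address" test (assumption, not a
# full RFC 5322 parser): local-part@domain with dot-separated labels and no
# trailing dot.
STRICT_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def looks_like_rfc_address(display_name: str) -> bool:
    """Strict policy: flag only names that fully parse as an address."""
    return STRICT_ADDR.fullmatch(display_name.strip()) is not None


def contains_at_sign(display_name: str) -> bool:
    """Simple policy from the post: flag any display name containing '@'."""
    return "@" in display_name


def classify_entry(display_name: str, address: str) -> dict:
    """Report which policy would flag this address-book entry."""
    return {
        "display_name": display_name,
        "address": address,
        "strict_flags": looks_like_rfc_address(display_name),
        "at_sign_flags": contains_at_sign(display_name),
    }


# Constructed sample entries: a normal contact, a spoof whose display name is
# a well-formed address, and a spoof using the trailing-dot variant that an
# MTA would still deliver but a strict syntax check does not recognise.
SAMPLE_ENTRIES = [
    ("David F. Skoll", "dfs@roaringpenguin.com"),
    ("dfs@roaringpenguin.com", "someone@example.invalid"),
    ("dfs@roaringpenguin.com.", "someone@example.invalid"),
]


def evaluate(entries):
    """Classify every entry; the trailing-dot spoof escapes only the strict test."""
    return [classify_entry(name, addr) for name, addr in entries]


if __name__ == "__main__":
    for result in evaluate(SAMPLE_ENTRIES):
        print(result)
```

Running it shows the third entry is missed by the strict check but caught by the "@" check, which is the argument the post makes for filtering on "@" alone.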