Bugtraq mailing list archives
Forged FROM addresses/non-disclosed info in Outlook can lead to potential serious Social Attack
From: David Walker <bugtraq () grax com>
Date: Mon, 22 Jul 2002 09:19:19 -0500
You bring up some good points. I believe that all email programs should display both the name and the email address, to reduce the chances of just the attack you describe.

One of the issues bothering me is the fact that mail servers will accept whatever you tell them, meaning that I can easily send mail pretending to be from any domain. I propose that a new type of DNS entry be created for authorized outgoing mail servers. Mail servers would then be able to discover whether the IP address connected to them is authorized to send mail for that domain, and either deny the message or add a warning to it. I wrote a brief paper describing two methods of doing this at http://www.vorteon.com/papers/spam_reduction_through_dns.html and I would appreciate feedback on the ideas.

If this solution were in place, forgers could not forge domains that had implemented it and would be forced to use their own name or the name of some domain whose admin had not implemented this solution yet.

On Wednesday 17 July 2002 03:19 pm, Intel Nop wrote:
(Can I resubmit this, signed by the key for this email instead of the other key I signed it with? Thanks.) See below...

I don't know if this has been discussed on Bugtraq before, but I just thought it might be important to bring up. Outlook Express specifically, even version 6, is vulnerable to certain social attacks and to interception/redirection of mail, rather trivially, caused by non-disclosed header/email information in the From: address box. Outlook 2000 and previous versions all have the same problem if viewed specifically from the preview pane only (I don't know the stats on how many view specifically from the preview pane, but at my place of employment it turns out to be plenty).

I'm not a Microsoft Outlook expert, nor have I had the time or effort to go and look for the cure, other than recommending that some OpenPGP or other form of digital signature system be enforced for the business environment, so as to identify and confirm who you received mail from.

This attack is very simple: someone can easily go get a free web-based e-mail account, needing only to know the name of the person they intend to masquerade as, and send the email to the unknowing user to socially engineer pertinent and possibly confidential information out of them. As I notice, when hitting reply to the user, it still does not disclose the email address unless one investigates further in the properties of the user name. Not to mention, it is also rather trivial to forge email addresses and still include a reply address pointing to the masquerading user who initiated the attack.

This is probably widely known, but maybe not taken as seriously as it should be, and the use of one-way hash signatures for email authentication would be highly recommended in general to the public, as there is software freely available that is quite trivial to use and requires little knowledge to operate.

The possibilities of this attack are endless, and combined with a little social engineering, the level of confidential information that could be obtained is alarming. We need to have an RFC for Digital Trust on the Internet. Any takers to help establish one? Anyway, my two cents for the day.

0x90
http://www.invisiblenet.net
--
People will do tomorrow what they did today because that is what they
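As an added example (not code from either post, and not taken from David Walker's paper), the following Python sketch shows the two points raised in this thread: rendering a From: line as name plus address rather than the display name alone, and the proposed authorized-sender check, where the IP address that connected to the receiving mail server is compared against a per-domain list of authorized outgoing servers, with the message denied or flagged accordingly. It also flags the Reply-To trick from the original post. The DNS lookup is replaced by a constructed in-memory table so the script runs offline; the record format, the sample addresses and the IP addresses are all assumptions for illustration.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the proposed "authorized outgoing mail server"
# DNS entry. A real implementation would query DNS; the record format
# (domain -> list of CIDR networks) is an assumption for this example.
AUTHORIZED_SENDERS = {
    "example.com": ["192.0.2.0/24", "198.51.100.25/32"],
}


def split_from(header_value):
    """Parse a From:/Reply-To: value into (display_name, addr_spec, domain).

    The display name alone is attacker-controlled and proves nothing, so a
    client should always show the addr-spec next to it.
    """
    name, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name, addr, domain


def describe_sender(header_value):
    """Render a sender as name plus address, never the name alone."""
    name, addr, _ = split_from(header_value)
    return f"{name} <{addr}>" if name else addr


def check_sending_host(domain, client_ip, table=AUTHORIZED_SENDERS):
    """Apply the proposed check to the SMTP client's IP address.

    Returns "pass" if the IP is listed for the domain, "fail" if the domain
    publishes a list and the IP is not on it, and "unknown" if the domain's
    admin has published nothing (the case the proposal cannot cover).
    """
    networks = table.get(domain)
    if networks is None:
        return "unknown"
    ip = ipaddress.ip_address(client_ip)
    for net in networks:
        if ip in ipaddress.ip_network(net):
            return "pass"
    return "fail"


def evaluate(headers, client_ip, table=AUTHORIZED_SENDERS):
    """Combine both checks and return (verdict, list_of_warnings)."""
    _, _, from_domain = split_from(headers.get("From", ""))
    verdict = check_sending_host(from_domain, client_ip, table)
    warnings = []
    if verdict == "fail":
        warnings.append(f"{client_ip} is not an authorized mail server for {from_domain}")
    elif verdict == "unknown":
        warnings.append(f"{from_domain or '(no domain)'} publishes no authorized-sender record")
    # The reply-address trick from the original post: a forged From: paired
    # with a Reply-To: that routes answers back to the attacker.
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr, reply_domain = split_from(reply_to)
        if reply_domain != from_domain:
            warnings.append(f"Reply-To {reply_addr} routes replies outside {from_domain}")
    return verdict, warnings


# Constructed sample messages (not real addresses; .invalid is reserved).
LOOKALIKE = {"From": '"Alice Example" <alice.example@freemail.invalid>'}
FORGED = {
    "From": '"Alice Example" <alice@example.com>',
    "Reply-To": "alice.example@freemail.invalid",
}
GENUINE = {"From": '"Alice Example" <alice@example.com>'}

if __name__ == "__main__":
    for label, msg, ip in (
        ("lookalike name", LOOKALIKE, "203.0.113.5"),
        ("forged From + Reply-To", FORGED, "203.0.113.5"),
        ("genuine", GENUINE, "198.51.100.25"),
    ):
        verdict, warnings = evaluate(msg, ip)
        print(f"{label}: shows as {describe_sender(msg['From'])!r} -> {verdict}")
        for w in warnings:
            print("   warning:", w)
```

The "unknown" result is the gap David Walker acknowledges: a domain whose admin has not published a record gets no protection, and an attacker who owns such a domain, or a free web-mail account, is left with only the display-name check and the Reply-To mismatch to expose them.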
Current thread:
- Fwd: non-disclosed info in Outlook can lead to potential serious Social Attack. Intel Nop (Jul 18)
- Forged FROM addresses/non-disclosed info in Outlook can lead to potential serious Social Attack David Walker (Jul 22)