[Owasp-alabama] [Bham_InfraGard] Email Research posted today
owasp-alabama at lists.owasp.org
Mon Oct 26 12:29:08 EDT 2009
On Oct 26, 2009, at 10:44 AM, owasp-alabama at lists.owasp.org wrote:
> So think like a bad guy for a minute.. why would you want to go after the
> network/application layers if there is a good chance of being caught or
> triggering alarms? Why not go after users directly? After all, they are
> holding access to all the protected data and email security is not going to
> identify your attacks from a technology perspective.
I think the primary argument people are having is that the research
stating this is a new vulnerability really isn't a new vulnerability
at all.
In short, your research really says this (this is how I read it and I
am open to being wrong):
1) Spam exists
2) Users have an expectation that protection occurs when you buy a
product, which sort of works, but not the way they are expecting it to
work; and who can blame them, they don't even know how the SMTP
protocol works and SPAM == v00d00 magic.
3) User education is the best guard against spam-based attacks.
4) Blended attacks against easy targets can occur with spam + user
interaction || (or) browser exploitation and/or client-side
application exploitation via user interaction.
I don't disagree with these points, nor do I think anyone on the list
thinks otherwise. I think most people don't agree that this is
something new *[1] only because we all agree with the first and second
items on the list: 'Spam exists' and end users get duped into
buying a product versus a process, thinking they are now 'secure from
SPAM'.
By engaging in discussion prior to the Dark Reading announcement, as
a reader of this list I felt that many people offered good arguments
and feedback on the subject for your research, yet taking the avenue
of publication may have been a bit over-exaggerated.
I still agree that user education, content filtering and defense in
depth are the best defense against this type of vulnerability class
(targeted spam messages with possible hostile payloads, or enticing
messages).
I don't think the research was anything groundbreaking or really new,
since I already believed that SPAM exists and targeted spam will get
to its destination in some form or fashion (and that any product
stating so is probably lying like every other vendor to an extent,
since they are selling general spam protection and not really selling
'_one-off protection_').
Personally, I don't even care about sending spoofed email to the
destination. I just buy a similar domain name and send an email to the
destination hoping they will go to the site I copied to look just like
their website. As an attacker I don't want to waste my spam; I want it
to be delivered 99% of the time.
In the end, even if spoofed emails cannot be delivered, the reality is
that similar-named domains (or familiar content to the end user) will
be able to trick users into some form of interaction, thus leaving the
same problem existing which you are describing, minus the product or
MTA variable; leaving user education and manipulation as the primary
attack vector.
| Daniel Uriah Clemens
| Packetninjas L.L.C | http://www.packetninjas.net
| c. 205.567.6850 | o. 866.267.8851
"Moments of sorrow are moments of sobriety"
[1] * (with the exception of maybe one person)
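A defender-side check for the lookalike-domain trick described in the reply above, given as an added example; it is not code from the post or from Packetninjas. The trusted-domain list, the sample From headers and the confusable-character table are constructed for illustration, and the edit-distance threshold is an assumed tuning value.

```python
"""Flag sender domains that imitate a trusted domain (mail-gateway style check)."""
from email.utils import parseaddr

# Constructed table of visual substitutions common in lookalike registrations.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lowercase and fold visually confusable sequences to the letters they mimic."""
    d = domain.lower().strip(".")
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted: list, max_dist: int = 2) -> dict:
    """Return the trusted domain a sender most resembles and a verdict.

    max_dist is an assumed threshold: very short trusted domains would need
    a smaller value to avoid flagging unrelated short names.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"domain": domain, "match": t, "verdict": "trusted"}
    best = min(trusted, key=lambda t: edit_distance(normalize(domain), normalize(t)))
    dist = edit_distance(normalize(domain), normalize(best))
    # A trusted name embedded as a label of an unrelated registrable domain
    # (e.g. trusted.example.some-other-registration.test) is also a lookalike.
    embedded = any(t in domain for t in trusted)
    if embedded or dist <= max_dist:
        return {"domain": domain, "match": best, "verdict": "lookalike"}
    return {"domain": domain, "match": best, "verdict": "unrelated"}
```

Run it over the From header of inbound mail and route "lookalike" verdicts to quarantine or a warning banner; the "trusted" branch deliberately accepts subdomains of a trusted name.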