[Owasp-alabama] [Bham_InfraGard] Email Research posted today
owasp-alabama at lists.owasp.org
owasp-alabama at lists.owasp.org
Mon Oct 26 12:29:08 EDT 2009
On Oct 26, 2009, at 10:44 AM, owasp-alabama at lists.owasp.org wrote:
> So think like a bad guy for a minute.. why would you want to go
> after the
> network/application layers if there is a good chance of being caught
> triggering alarms? Why not go after users directly? After all, they
> holding access to all the protected data and email security is not
> going to
> identify your attacks from a technology perspective.
I think the primary argument people are having is that the research
stating this is a new vulnerability, really isn't a new vulnerability
at all .
In short your research really says this: (this is how I read it and I
am open to being wrong)
1) Spam exists
2) Users have expectation that protection occurs when you buy a
product, which sort-of works, but not the way they are expecting it to
work; and who can blame them, they don't even know how the SMTP
protocol works and SPAM == v00d00 magic.
3) User education is the best guard against spam based attacks.
4) Blended attacks against easy targets can occur with spam + user
interaction || (or) browser exploitation and or client side
application exploitation via user interaction.
I don't disagree with these points, nor do I think anyone on the list
thinks otherwise . I think most people don't agree that this is
something new * only because we all agree with the first and second
item on the list being 'Spam exists' and end users get duped into
buying a product versus a process , thinking they are now 'secure from
By engaging in discussion prior to the Dark Reading announcement , as
a reader of this list I felt that many people offered good arguments
and feedback into the subject for your research, yet taking the avenue
of publication may have been a bit over exaggerated.
I still agree that user education , content filtering and defense in
depth are the best defense against this type of vulnerability class
(targeted spam messages with possible hostile payloads, or enticing
I don't think the research was anything ground breaking or really new
since I already believed that SPAM exists and targeted spam will get
to its destination in some form or fashion; (and that any product
stating so is probably lying like every other vendor to an extent
since they are selling general spam protection and not really selling
'_one-off protection_' ).
Personally , I don't even care about sending spoofed email to the
destination. I just buy a similar domain name and send an email to the
destination hoping they will goto the site I copied to look just like
their website. As an attacker I don't want to waste my spam, I want it
to be delivered 99% of the time.
In the end, even if spoofed emails cannot be delivered the reality
that similar named domains (or familiar content to the end user) will
be able to trick users into some form of interaction, thus leaving the
same problem existing which you are describing , minus the product, or
mta variable; leaving user education and manipulation as the primary
| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"
 * (with the exception for maybe one person)
More information about the Owasp-alabama