[Owasp-alabama] [Bham_InfraGard] Email Research posted today

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Mon Oct 26 12:56:23 EDT 2009

Great points Dan.

I'm not trying to say that email attacks, or spoofing is "new". What I'm
saying is that protection has not changed. So we still have the same basic
problems with the SMTP protocol that we had 10 years ago. And even the
latest "email security solutions" cannot protect against directed attacks. I
wanted to document "facts" and not observation or theory. So I put it all on

The reason I published the research, is to provide a baseline and get vendor
response. Then all of this can be put together and provide better insight
into the issue. Right now I'm working with Cisco, SonicWall, and Palm in
an attempt to identify a better solution or somehow mitigate the risk of direct

You also brought up another point. The ability to use a valid domain in
these attacks. As we speak, I'm doing an engagement for a client. Instead
of spoofing the sender, we will send the email-based attacks from a now
valid domain. I just registered it this morning.

So the users will get an email with links to a new blog. This points back to
a valid domain that I own.

So this is valid email. By design, it should always be delivered to the
user. Not magic, no spoofed senders.  But if the users click on a link, or
just enable HTML preview we will get all of the UserAgent information.

IP Address
Screen size/ Resolutions

Again, not much more than information disclosure and standard practice by
all of the web servers in the world. But now we know specific info about the
target, and have the ability to craft directed exploits AND human
interaction with credential harvesting. 

How do you protect against this? This is now legitimate email from an
RFC/business/technology point of view. So the best way to stop this attack,
is to hope that a user identifies it or asks questions to their IT
department and it gets investigated. So this gives a 30-min to 1 hour window
to freely attack the targeted users without being stopped. Maybe it doesn't
get identified at all.

The only aspect that raises a flag from a technology analysis perspective
would be that the domain was registered today, and it will be sent to 30
users in a period of 5 minutes, AND this is the first time the target will
have seen the domain and sender email.


-----Original Message-----
From: birmingham_chapter-bounces at listserv.infragard.org
[mailto:birmingham_chapter-bounces at listserv.infragard.org] On Behalf Of
Daniel Clemens
Sent: Monday, October 26, 2009 11:29 AM
To: owasp-alabama at lists.owasp.org
Cc: birmingham; editors at darkreading.com; David.R.Wharton at regions.com
Subject: Re: [Bham_InfraGard] [Owasp-alabama] Email Research posted today

On Oct 26, 2009, at 10:44 AM, owasp-alabama at lists.owasp.org wrote:

> So think like a bad guy for a minute.. why would you want to go after the
> network/application layers if there is a good chance of being caught or
> triggering alarms? Why not go after users directly? After all, they are
> holding access to all the protected data and email security is not going to
> identify your attacks from a technology perspective.

I think the primary argument people are having is that the research
stating this is a new vulnerability, really isn't a new vulnerability
at all.
In short your research really says this: (this is how I read it and I  
am open to being wrong)

1) Spam exists
2) Users have expectation that protection occurs when you buy a  
product, which sort-of works, but not the way they are expecting it to  
work; and who can blame them, they don't even know how the SMTP  
protocol works and SPAM == v00d00 magic.
3) User education is the best guard against spam based attacks.
4) Blended attacks against easy targets can occur with spam + user  
interaction || (or) browser exploitation and or client side  
application exploitation via user interaction.

I don't disagree with these points, nor do I think anyone on the list
thinks otherwise. I think most people don't agree that this is
something new *[1] only because we all agree with the first and second
item on the list being 'Spam exists' and end users get duped into
buying a product versus a process, thinking they are now 'secure from

By engaging in discussion prior to the Dark Reading announcement, as
a reader of this list I felt that many people offered good arguments
and feedback into the subject for your research, yet taking the avenue
of publication may have been a bit over exaggerated.

I still agree that user education, content filtering and defense in
depth are the best defense against this type of vulnerability class
(targeted spam messages with possible hostile payloads, or enticing
messages).

I don't think the research was anything ground breaking or really new  
since I already believed that SPAM exists and targeted spam will get  
to its destination in some form or fashion; (and that any product  
stating so is probably lying like every other vendor to an extent  
since they are selling general spam protection and not really selling  
'_one-off protection_' ).

Personally, I don't even care about sending spoofed email to the
destination. I just buy a similar domain name and send an email to the
destination hoping they will go to the site I copied to look just like
their website. As an attacker I don't want to waste my spam, I want it
to be delivered 99% of the time.

In the end, even if spoofed emails cannot be delivered the reality
that similar named domains (or familiar content to the end user) will
be able to trick users into some form of interaction, thus leaving the
same problem existing which you are describing, minus the product, or
mta variable; leaving user education and manipulation as the primary
attack vector.

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"

[1] * (with the exception for maybe one person)

Birmingham_chapter mailing list
Birmingham_chapter at listserv.infragard.org
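
The three signals named in the reply at the top of this thread (sender domain registered the same day, 30 recipients within 5 minutes, first contact from that domain) can be correlated at the mail gateway. This is an added example, not part of the original thread; the event tuple layout, the `REGISTERED` and `SEEN_BEFORE` lookups and all `.example` domains are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inputs. In practice REGISTERED would come from a WHOIS/RDAP
# lookup and SEEN_BEFORE from the gateway's own delivery history.
REGISTERED = {"new-blog.example": datetime(2009, 10, 26),
              "partner.example": datetime(2003, 4, 1)}
SEEN_BEFORE = {"partner.example"}

def flag_campaigns(events, min_rcpts=30, window=timedelta(minutes=5),
                   max_age=timedelta(days=1)):
    """events: iterable of (timestamp, sender_address, recipient).
    Returns {sender_domain: signals} for domains showing all three signals."""
    by_domain = defaultdict(list)
    for ts, sender, rcpt in events:
        by_domain[sender.rsplit("@", 1)[-1].lower()].append((ts, rcpt))
    flagged = {}
    for domain, hits in by_domain.items():
        hits.sort()
        signals = []
        # Signal 1: domain registered within max_age of its first message.
        # Domains with no registration record are not scored on this signal.
        reg = REGISTERED.get(domain)
        if reg is not None and hits[0][0] - reg <= max_age:
            signals.append("newly_registered")
        # Signal 2: the organisation has never received mail from this domain.
        if domain not in SEEN_BEFORE:
            signals.append("first_seen")
        # Signal 3: peak count of distinct recipients inside any one window.
        peak = 0
        for i, (start, _) in enumerate(hits):
            rcpts = {r for t, r in hits[i:] if t - start <= window}
            peak = max(peak, len(rcpts))
        if peak >= min_rcpts:
            signals.append("burst")
        if len(signals) == 3:
            flagged[domain] = signals
    return flagged

def sample_events():
    """Constructed log: one 30-recipient burst plus routine partner mail."""
    t0 = datetime(2009, 10, 26, 12, 0)
    burst = [(t0 + timedelta(seconds=9 * i), "author@new-blog.example",
              f"user{i}@target.example") for i in range(30)]
    normal = [(t0 + timedelta(minutes=i), "ap@partner.example",
               "finance@target.example") for i in range(40)]
    return burst + normal
```

Each signal alone is common in legitimate mail, so the function only reports a domain when all three coincide.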
