[Owasp-leaders] Email Security Research

Joshua Perrymon josh at packetfocus.com
Wed Oct 14 15:49:02 EDT 2009

Hey James,


In my testing, I did several scenarios using the 0px IMG code to track if
users opened the email. This lets an attacker know that it's getting to the
inbox and bypassing security controls.


Example Code Below

<a href="http://phishcamp.web-stat.com">

<img style="border:0px;" alt="web statistics"



Outlook did not seem to mind this, however- it did not like advanced
tracking that used Scripts. It instantly put those into Junk Mail unless the
email account was trusted.


Also, the user agent info sent over by looking at the IMG lets the attacker
know much info about the user agent, browser, OS, display size, etc.  This
is also used on phishing sites to direct users based on browser, OS, etc.
The idea is to exploit Client side OS/Browser if possible. Since they can
direct users to the appropriate exploit, this makes it much more successful.


I'm looking into exploit outlook directly, or sending links that will cause
outlook to perform an action.  





From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James
F. (eBusiness)
Sent: Wednesday, October 14, 2009 2:04 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Email Security Research


Is there merit in also talking about email from a development perspective?
For example, many email's are sent using HTML email? Would Outlook be
subject to XSS? Sometimes folks also like to put a one-pixel image in an
email that makes an HTTP call to an application for tracking purposes which
would "correlate" the email to a known identity. Could this style "leak"



From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Joshua Perrymon
Sent: Wednesday, October 14, 2009 12:44 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Email Security Research

I did a talk yesterday on phishing, and I walked the crowd through an attack
on a domain I own.   For this domain, the email is hosted and I just use POP
or IMAP to get it.   On a separate client laptop, I had 4 client email
programs running


1)      Outlook 2007

2)      Microsoft Mail (VISTA)

3)      Thunderbird

4)      Opera Mail Client.


At the end of the demo, we determined that hosted email provided little or
no protection against targeted (Non-blacklisted) phishing attacks, other
than Microsoft clients not allowing IP addresses in links or email body.
None of the clients kept track of attempts, meaning that you could send a
"good" email from the same address, right after sending an email that got
caught in a phishing filter.


I would also like to note, that my new PALM PRE never Identified a single
phishing email, no matter what was in the body or subject.


Industry Questions:


1)      So now, I'm trying to decide at what point does a company start
hosting email internally?


2)      Would you think that a large number of companies use hosted email?


3)      Do clients use Email Security (Hardware) when using remote email


4)      If clients have email hosted internally, what security controls are
applied to identify email attacks?


o   Inbound SMTP scanning?

o   Email Security Hardware?

o   Email Relay Scanning?

o   Email Server Hardening/Configuration/Security

o   Client Level Controls 




I will be writing an OWASP paper on this topic, and keeping track with the
results.   I'm just trying to understand what email security fails on so
many levels.  I understand that there are a lot of dumb users, but
technology should do a better job at identifying attacks.




Joshua Perrymon, CEH, OPST, OPSA

CEO PacketFocus LLC

Josh at packetfocus.com



Fax: (877) 218-4030

www.packetfocus.com <http://www.packetfocus.com/> 


President Alabama OWASP Chapter www.owasp.org <http://www.owasp.org/> 

Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com





This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If you
are not the intended recipient, please notify the sender immediately by
return e-mail, delete this communication and destroy all copies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091014/b704ff55/attachment.html 

More information about the OWASP-Leaders mailing list