[Owasp-leaders] Email Security Research Initial Results

Joshua Perrymon josh at packetfocus.com
Tue Oct 20 16:11:48 EDT 2009

I wanted to update on the email security research we are doing.


Last week, we contacted 7 different enterprise networks, using different
email security solutions from various vendors. This list included
appliances, secure messaging services, hosted and in-house. Each contact
approved, so we sent a spoofed email and monitored/measured the results. We
are now compiling the information, and giving the vendors a chance to


Results Overview:

But the results were that our spoofed email attacks got by 100% of all the
latest email security controls and were delivered to the inbox. AND, the
client could click on the link without the client email program or browser
setting off any alarms or alerts. This is especially dangerous with
Smartphone's as they make it very hard to dig into the email headers, if not


All the tests were sent using our testing framework, and the emails were the
same. Only thing changed was the TO: address for each test.  The FROM: was
clearly spoofed, and did not match up with our sending email server.


I was told that most current email security appliances/services should be
able to pick up on spoofed emails, especially from well known brands
(Linkedin, EBay, PayPal, Microsoft, etc).


So to be fair, I'm going to send the research to each vendor and give them
time to respond before releasing details.


If you have email security controls in place, and would like for me to send
you a test email to be included in the research let me know. I'm planning to
release the research every Wednesday over the next month


1)      Email Research - SaaS, Appliances, Vendor Security

2)      Client Security (Outlook, Outlook Express, Opera Mail, Thunderbird,

3)      Smartphone email client security (Iphone, Palm, Blackberry)

4)      Client exploit research




Joshua Perrymon, CEH, OPST, OPSA

CEO PacketFocus LLC

 <mailto:Josh at packetfocus.com> Josh at packetfocus.com



Fax: (877) 218-4030

 <http://www.packetfocus.com/> www.packetfocus.com


President Alabama OWASP Chapter  <http://www.owasp.org/> www.owasp.org

Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com





-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20091020/41065fa3/attachment.html 

More information about the OWASP-Leaders mailing list