[Owasp-leaders] Email Security Research Initial Results

Pete Perfetti peter.perfetti at owasp.org
Wed Oct 21 16:13:40 EDT 2009

Howdy Josh,


Thanks for sending this info out.  I am very interested in finding out more
about what you have learned. My partner and I are currently working an
incident response engagement and have put some countermeasures in place to
protect against some email threats. The attackers have changed tactics and
we have adapted accordingly, but some of your research may be helpful to us, as
some of our countermeasures may help you or others. 


Several of the attacks involve email forgery with embedded URLs, some of
those spoofed as well, in an attempt to entice targeted users to follow the
link. Once the user clicks the link, the computer is infected and the breach
is in progress. We implemented some countermeasures to this attack that
help, but do not entirely solve the problem.


Perhaps we can help each other out. Please feel free to call or email me if
you'd like to share more info.



Pete Perfetti

Chapter Leader


peter.perfetti at owasp.org


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Joshua Perrymon
Sent: Tuesday, October 20, 2009 16:12
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Email Security Research Initial Results


I wanted to update on the email security research we are doing.


Last week, we contacted 7 different enterprise networks, using different
email security solutions from various vendors. This list included
appliances, secure messaging services, hosted and in-house. Each contact
approved, so we sent a spoofed email and monitored/measured the results. We
are now compiling the information, and giving the vendors a chance to


Results Overview:

But the results were that our spoofed email attacks got by 100% of all the
latest email security controls and were delivered to the inbox. AND, the
client could click on the link without the client email program or browser
setting off any alarms or alerts. This is especially dangerous with
smartphones as they make it very hard to dig into the email headers, if not


All the tests were sent using our testing framework, and the emails were the
same. Only thing changed was the TO: address for each test.  The FROM: was
clearly spoofed, and did not match up with our sending email server.


I was told that most current email security appliances/services should be
able to pick up on spoofed emails, especially from well known brands
(LinkedIn, eBay, PayPal, Microsoft, etc).


So to be fair, I'm going to send the research to each vendor and give them
time to respond before releasing details.


If you have email security controls in place, and would like for me to send
you a test email to be included in the research let me know. I'm planning to
release the research every Wednesday over the next month


1)      Email Research - SaaS, Appliances, Vendor Security

2)      Client Security (Outlook, Outlook Express, Opera Mail, Thunderbird,

3)      Smartphone email client security (iPhone, Palm, BlackBerry)

4)      Client exploit research




Joshua Perrymon, CEH, OPST, OPSA

CEO PacketFocus LLC

Josh at packetfocus.com



Fax: (877) 218-4030

www.packetfocus.com <http://www.packetfocus.com/> 


President Alabama OWASP Chapter www.owasp.org <http://www.owasp.org/> 

Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com




