[Owasp-singapore] Fwd: [Owasp-leaders] Email Security Research Initial Results

Wong Onn Chee ocwong at usa.net
Tue Oct 20 21:14:38 EDT 2009


-------- Original Message --------
Subject: 	[Owasp-leaders] Email Security Research Initial Results
Date: 	Tue, 20 Oct 2009 15:11:48 -0500
From: 	Joshua Perrymon <josh at packetfocus.com>
Reply-To: 	josh at packetfocus.com, owasp-leaders at lists.owasp.org
Organization: 	PacketFocus LLC
To: 	<owasp-leaders at lists.owasp.org>

I wanted to update you on the email security research we are doing.


Last week, we contacted 7 different enterprise networks, using different
email security solutions from various vendors. This list included
appliances, secure messaging services, hosted and in-house. Each contact
approved, so we sent a spoofed email and monitored/measured the results.
We are now compiling the information, and giving the vendors a chance to


Results Overview:

But the results were that our spoofed email attacks got by 100% of all
the latest email security controls and were delivered to the inbox. AND,
the client could click on the link without the client email program or
browser setting off any alarms or alerts. This is especially dangerous
with smartphones, as they make it very hard to dig into the email
headers, if not impossible.


All the tests were sent using our testing framework, and the emails were
the same. The only thing changed was the TO: address for each test. The
FROM: was clearly spoofed, and did not match up with our sending email


I was told that most current email security appliances/services should
be able to pick up on spoofed emails, especially from well-known brands
(LinkedIn, eBay, PayPal, Microsoft, etc.).


So to be fair, I'm going to send the research to each vendor and give
them time to respond before releasing details.


If you have email security controls in place, and would like for me to
send you a test email to be included in the research let me know. I'm
planning to release the research every Wednesday over the next month


1) Email Research -- SaaS, Appliances, Vendor Security

2) Client Security (Outlook, Outlook Express, Opera Mail,
Thunderbird, etc.)

3) Smartphone email client security (iPhone, Palm, BlackBerry)

4) Client exploit research




Joshua Perrymon, CEH, OPST, OPSA

CEO PacketFocus LLC

Josh at packetfocus.com <mailto:Josh at packetfocus.com>



Fax: (877) 218-4030

www.packetfocus.com <http://www.packetfocus.com/>


President Alabama OWASP Chapter www.owasp.org <http://www.owasp.org/>

Selected for "Top 5 Coolest hacks of 2007" Dark Reading/ Forbes.com
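
Added illustration, not part of the forwarded mail and not PacketFocus's testing framework: a defender-side header-alignment check of the kind a mail gateway or client could apply to the situation the mail describes, where the visible FROM: domain does not match the domain the message was actually sent from. It compares the From: domain with the envelope sender (Return-Path) and with the SPF/DKIM verdicts recorded in Authentication-Results, in the way DMARC alignment works. The two sample messages, their domains and their Authentication-Results values are constructed for this example. The point it shows is that a plain "SPF passed" verdict is not enough: the spoofed sample passes SPF for the sending domain yet is still misaligned with the brand domain in From:.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (hypothetical domains, not from the research).
LEGIT = """Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Notifications <noreply@example.com>
To: user@example.net
Subject: Your weekly summary

Body text.
"""

# From: claims a brand domain, but the envelope sender and the SPF pass
# belong to a different domain, and there is no DKIM signature at all.
SPOOFED = """Return-Path: <tester@sender.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender.example; dkim=none
From: Account Security <security@brand.example>
To: user@example.net
Subject: Please verify your account

Body text.
"""


def _domain(header_value):
    """Lower-cased domain part of the first address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_alignment(raw_message):
    """Return a dict describing whether From: aligns with the sender identity.

    Alignment (DMARC-style): SPF passed for a domain equal to the From:
    domain, or DKIM passed with header.d equal to the From: domain.
    """
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    envelope_dom = _domain(msg.get("Return-Path"))
    auth = msg.get("Authentication-Results", "")

    # Pull the spf=/dkim= verdicts and the DKIM signing domain (header.d=).
    verdicts = {m.lower(): v.lower()
                for m, v in re.findall(r"\b(spf|dkim)=(\w+)", auth, re.I)}
    dkim_match = re.search(r"header\.d=([\w.-]+)", auth, re.I)
    dkim_dom = dkim_match.group(1).lower() if dkim_match else ""

    spf_aligned = verdicts.get("spf") == "pass" and envelope_dom == from_dom
    dkim_aligned = verdicts.get("dkim") == "pass" and dkim_dom == from_dom

    findings = []
    if not from_dom:
        findings.append("From: header missing or unparsable")
    elif envelope_dom != from_dom:
        findings.append(
            f"visible From domain {from_dom!r} differs from envelope sender "
            f"{envelope_dom!r}")
    if from_dom and not (spf_aligned or dkim_aligned):
        findings.append(
            "no SPF or DKIM pass that is aligned with the From domain")

    return {
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "verdicts": verdicts,
        "aligned": spf_aligned or dkim_aligned,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        result = check_alignment(sample)
        print(label, "suspicious" if result["suspicious"] else "ok",
              result["findings"])
```

A client that surfaces this verdict (for example as a banner next to the sender name) gives a smartphone user the information the mail says is otherwise buried in headers they cannot easily inspect.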




