On 05 Jun 2001 14:55:47 -0500, John McClenning wrote:
> On 05 Jun 2001 09:02:07 -0400, Michael Leone wrote:
> > 
> > 
> > > Hi,
> > >
> > > Right-click on their name in the headers.  Their details will pop-up,
> > > with "add to contacts" underneath.
> > 
> > That's not automatic; that's manually adding. He wants all addresses he
> > sends to/replies to added to the address book, with no user intervention.
> > That's what Outlook Express does.
> > 
> 
> Considering the following message I just received on the bugtraq mailing
> list, it might not be a good idea to automatically add contacts. That is,
> unless we can prevent this sort of exploit.
The way to avoid this seems trivial.  Simply disallow using e-mail
addresses in the Name field.  So, any names that match the form
[a-z,A-Z]*@[a-z,A-Z]*.[a-z,A-Z]* would be ignored during address
harvesting (I know I probably am not describing the filter correctly,
but you get the idea).

IIRC, one of the problems with Outlook is that it only shows the NAME
value when it recognizes an entry from its addressbook.  This means that
the e-mail address isn't shown and this sort of bogus entry that is
harvested from incoming e-mail automatically is undetectable, unless the
user edits the NAME by right-clicking on it in the compose window.  I
don't think Evolution does this currently.  It might be desirable to
have this as an option on Evolution, though, since it makes the e-mail
client seem friendlier to naive users.

I agree with others' sentiment that the harvesting feature should be
disabled by default.

> > Description:
> > 
> > It's possible for remote user to cause messages written for one e-mail
> > address to be delivered to another e-mail address.
> > 
> > Details:
> > 
> > Outlook Express has option "Automatically put people I reply to in my
> > address book". When enabled, this option causes Outlook to make
> > automatically new address book entries mapping NAME of received
> > message to e-mail ADDRESS. When message is composed Outlook Express
> > checks address book for NAME and sets complete e-mail ADDRESS instead.
> > 
> > Exploitation:
> > 
> > Situation: 2 good users G1 and G2 with addresses [EMAIL PROTECTED] and
> > [EMAIL PROTECTED] and one bad user B, [EMAIL PROTECTED] Imagine B wants to get
> > messages G1 sends to G2. Scenario:
> > 
> > 1. B composes message with headers:
> > 
> > From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > Reply-To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> > To: G1 <[EMAIL PROTECTED]>
> > Subject: how to catch you on Friday?
> > 
> > and sends it to [EMAIL PROTECTED]
> > 
> > 2. G1 receives mail, which looks absolutely like mail received from
> > [EMAIL PROTECTED] and replies to it. Reply will be received by B. In this case
> > new entry is created in address book pointing NAME "[EMAIL PROTECTED]" to
> > ADDRESS [EMAIL PROTECTED]
> > 
> > 3. Now, if while composing new message G1 directly types e-mail
> > address [EMAIL PROTECTED] instead of G2, Outlook will compose address as
> > "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> and message will be received by B.
> > 
> > Workaround:
> > 
> > Disable "Automatically put people I reply to in my address book"
> > option.

_______________________________________________
evolution maillist  -  [EMAIL PROTECTED]
http://lists.helixcode.com/mailman/listinfo/evolution
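Added example, not code from this thread, from Evolution or from Outlook Express: a small Python emulation of the address-book harvesting and NAME lookup the quoted advisory describes, with the "ignore names that look like e-mail addresses" filter proposed above applied as the hardened variant, plus a header check a mail client could use to flag the spoof pattern. The addresses (example.org, example.net) and header lines are constructed stand-ins for the redacted ones in the advisory; the regex and function names are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample headers mirroring the advisory's scenario: B's message
# carries G2's address as the display NAME while the real ADDRESS is B's.
SPOOFED_FROM = '"g2@example.org" <b@example.net>'
HONEST_FROM = 'G2 <g2@example.org>'

# Assumed filter: a display name is "address-like" if it is a single token of
# the shape local@domain.tld (a loose reading of the pattern suggested above).
LOOKS_LIKE_ADDRESS = re.compile(r'^\s*[^@\s]+@[^@\s]+\.[^@\s]+\s*$')


def harvest(address_book, header, reject_address_like_names=True):
    """Emulate "Automatically put people I reply to in my address book".

    Maps the display NAME of a header to its ADDRESS and returns True when an
    entry was added.  With reject_address_like_names=False this reproduces the
    vulnerable behaviour described in the advisory; with it True, a NAME that
    itself looks like an e-mail address is never harvested.
    """
    name, addr = parseaddr(header)
    if not name or not addr:
        return False          # no display name: nothing to map
    if reject_address_like_names and LOOKS_LIKE_ADDRESS.match(name):
        return False          # proposed mitigation: refuse address-like NAMEs
    address_book[name.strip().lower()] = addr.lower()
    return True


def resolve(address_book, typed):
    """Emulate the composer: text matching a known NAME is replaced by its ADDRESS.

    Unknown text is taken literally as the address the user typed.
    """
    key = typed.strip().lower()
    return address_book.get(key, key)


def display_name_mismatch(header):
    """Flag headers whose NAME is an e-mail address different from the real ADDRESS.

    This is the shape of the spoofed message in the advisory; a client could
    show the real address (rather than only the NAME) when this is true.
    """
    name, addr = parseaddr(header)
    return bool(LOOKS_LIKE_ADDRESS.match(name)) and name.strip().lower() != addr.lower()


if __name__ == "__main__":
    vulnerable, hardened = {}, {}
    harvest(vulnerable, SPOOFED_FROM, reject_address_like_names=False)
    harvest(hardened, SPOOFED_FROM)
    harvest(hardened, HONEST_FROM)
    print("vulnerable:", resolve(vulnerable, "g2@example.org"))   # goes to B
    print("hardened:  ", resolve(hardened, "g2@example.org"))     # stays G2
    print("flagged:   ", display_name_mismatch(SPOOFED_FROM))
```

In the vulnerable run the typed address is silently rewritten to B's, which is step 3 of the advisory; in the hardened run the spoofed NAME is never stored, so the typed address is used as-is, while the honest "G2" entry still resolves normally.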