E-Mail Forgery in Netscape

Post by Robert Bagwi » Sat, 10 Jun 1995 04:00:00



: Has anyone dealt with the possibility of e-mail forgery in Netscape? If
: you change your e-mail name and address to someone else's, the system
: will accept it and send the message. We are very concerned about this and
: would like feedback from anyone regarding solutions, opinions, tips or
: whatever.

If you're worried about that, then your attitude should be that ALL
email that wasn't authenticated using strong cryptographic methods is
a potential forgery.  As far as I know, the only way to be relatively
confident that email isn't forged is to know that the sender and
recipient are on single user machines with local digital
signature/encryption capability, and that the authentication mechanism
is relatively resistant to eavesdropping, spoofing, hijacking, etc.  Any
email that doesn't include a digital signature that the recipient can
authenticate, and any email from a multi-user or network server
machine could be a forgery.

--

 
 
 

E-Mail Forgery in Netscape

Post by james mularadel » Tue, 13 Jun 1995 04:00:00


 : Has anyone dealt with the possibility of e-mail forgery in Netscape? If
 : you change your e-mail name and address to someone else's, the system
 : will accept it and send the message. We are very concerned about this and
 : would like feedback from anyone regarding solutions, opinions, tips or
 : whatever.

Your logs should have the name of the system that sent that letter.
You could then be able to trace back to see who was on that machine
at the time it was used.  Unless of course it was a general purpose
system with no login, then all you can do is live with it.  We've used
this method to catch several students sending around anonymous and
false e-mail.

You could have everyone in the office/department/organization go to
PGP-signed e-mail, which might be a pain in the * in the long run.

Jim

 
 
 

E-Mail Forgery in Netscape

Post by Thomas Roessl » Tue, 13 Jun 1995 04:00:00




> : Has anyone dealt with the possibility of e-mail forgery in Netscape? If
> : you change your e-mail name and address to someone else's, the system
> : will accept it and send the message. We are very concerned about this and
> : would like feedback from anyone regarding solutions, opinions, tips or
> : whatever.

When the Sender: header is correctly set (e.g. by the MTA), you don't have
a forgery. At least sendmail DOES set the Sender: header.
 
 
 

E-Mail Forgery in Netscape

Post by Shantanu G Ta » Wed, 14 Jun 1995 04:00:00



: : Has anyone dealt with the possibility of e-mail forgery in Netscape? If
: : you change your e-mail name and address to someone else's, the system
: : will accept it and send the message. We are very concerned about this and
: : would like feedback from anyone regarding solutions, opinions, tips or
: : whatever.

  I am not sure why you are worried about Netscape.  There are other ways
to send fakemail too.  Look at telnet!
--
Shantanu Tank

 
 
 

E-Mail Forgery in Netscape

Post by Peter Svanber » Thu, 15 Jun 1995 04:00:00





> : : Has anyone dealt with the possibility of e-mail forgery in Netscape? If
> : : you change your e-mail name and address to someone else's, the system
> : : will accept it and send the message. We are very concerned about this and
> : : would like feedback from anyone regarding solutions, opinions, tips or
> : : whatever.

>   I am not sure why you are worried about netscape.  There are
> other ways to send fakemail too.  Look at telnet!.                          

I agree that the problem is not new, but if you compare

(A) the number of people using Netscape and having competence
    enough to fill in a preferences form with false name and
    e-mail address and another form with the e-mail contents

(B) the number of people having knowledge about RFC 822 and the
    SMTP protocol and competence enough to use Telnet to send
    an authentic-looking e-mail

you must admit that (A) is far more numerous than (B). So, the
problem is not new, but Netscape has made it worse. This does
not improve the reputation of Internet, on which they depend to
earn their living... On the other hand, an e-mail sending
facility in Netscape is inevitable, and I can't see that there
is -- for the moment -- any other way to do it in, so...

(Well, on Unix, Netscape *could* disallow using a false e-mail
address in the From: field, couldn't it?)
---

Dept of Num An & CS,
Royal Inst of Tech                          Phone: +46 8 790 71 40
S-100 44  Stockholm, SWEDEN                 Fax:   +46 8 790 09 30

 
 
 

E-Mail Forgery in Netscape

Post by Michael Shiel » Thu, 15 Jun 1995 04:00:00




> Sending mail in another person's name has always been
> trivially easy.  Sometimes, this is even considered GOOD (what about
> secretaries sending mail in their bosses' names??)!!!

Yep, and RFC 822 specifically mentions that as a time to manually change
the From: header... and add a Sender:.
--
Shields.
 
 
 

E-Mail Forgery in Netscape

Post by Falco columbari » Thu, 15 Jun 1995 04:00:00




=


= > : : Has anyone dealt with the possibility of e-mail forgery in Netscape? If
= > : : you change your e-mail name and address to someone else's, the system
= > : : will accept it and send the message. We are very concerned about this and
= > : : would like feedback from anyone regarding solutions, opinions, tips or
= > : : whatever.
= >
= >   I am not sure why you are worried about netscape.  There are
= > other ways to send fakemail too.  Look at telnet!.                          
=
= I agree that the problem is not new, but if you compare
=
= (A) the number of people using Netscape and having competence
=     enough to fill in a preferences form with false name and
=     e-mail address and another form with the e-mail contents
=
= (B) the number of people having knowledge about RFC 822 and the
=     SMTP protocol and competence enough to use Telnet to send
=     an authentic-looking e-mail
=
= you must admit that (A) is far more numerous than (B). So, the
= problem is not new, but Netscape has made it worse.

What about Eudora, NewsWatcher, or any number of Mac- and PC-based
mail and news applications???  ALL of them allow you to easily forge
your identity by filling out a simple preference box.

The problem is not at all new with Netscape.  And, although Netscape
does have news and mail capabilities, I don't think either of those are
being used any more than all the POP and NNTP clients out there.

And the last time I checked, Eudora even says in its documentation that
no pretense has been made to verify the sender's e-mail address and
there probably never will be.

The problem is not new at all.  The only thing about Netscape is that
this particular application brought up this particular "bug" at this
particular time when everyone is catching net fever.

Besides, it's a trivial matter to put a bad return address on a paper
envelope, and the US Post Office will still deliver it and make it look
just as official as an envelope with a good return address.  So, what's
the fuss?  Sending mail in another person's name has always been
trivially easy.  Sometimes, this is even considered GOOD (what about
secretaries sending mail in their bosses' names??)!!!  Why the sudden
paranoia?  Just because it's electrons instead of ink??  Why should
verification of e-mail be any more stringent than the verification of
paper mail?

--
Falco columbarius

Just another usenet junkie

 
 
 

E-Mail Forgery in Netscape

Post by Patricio Poble » Thu, 15 Jun 1995 04:00:00



> What about Eudora, NewsWatcher, or any number of Mac- and PC-based
> mail and news applications???  ALL of them allow you to easily forge
> your identity by filling out a simple preference box.

And if you want something that really _encourages_ people to forge e-mail,
go to http://www.netcreations.com/fakemail/.

Patricio Poblete

 
 
 

E-Mail Forgery in Netscape

Post by Kari E. Hurt » Fri, 16 Jun 1995 04:00:00


[ Added comp.mail.sendmail as receiver.
  Followups to comp.security.misc and comp.mail.sendmail. ]


?When the Sender: header is correctly set (e.g. by the MTA), you don't have
?a forgery. At least sendmail DOES set the Sender: header.

Sendmail 8 does NOT set the Sender: header (the real sender is put in the
comments of the Received: header):



To: hurtta
Subject: Testing ...

Foo
.

From hurtta  Thu Jun 15 10:40:11 1995

Date: Thu, 15 Jun 1995 10:39:31 +0300


To: hurtta
Subject: Testing ...
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Foo


[ Comment cc'ed to Thomas Roessler ]
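
The check the replies above point at (compare From: with Sender:, and with the submitter the MTA records in a Received: comment), as an added Python example that is not part of any post in this thread. The sample message, hosts, users and queue ids are constructed, and the `(from user@localhost)` trace comment is assumed to be the form the local MTA writes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (hosts, users, queue ids are made up): a local user
# submits mail under someone else's From:, with sendmail-8-style trace lines.
SAMPLE = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby mx.example.net (8.6.12/8.6.12) with SMTP id KAA01235;\n"
    "\tThu, 15 Jun 1995 10:39:40 +0300\n"
    "Received: (from mallory@localhost)\n"
    "\tby relay.example.org (8.6.12/8.6.12) id KAA01234;\n"
    "\tThu, 15 Jun 1995 10:39:31 +0300\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: Testing ...\n\nFoo\n"
)

def hops(msg):
    """Received: lines oldest-first as (by_host, (user, host) or None)."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):
        v = " ".join(raw.split())  # unfold continuation lines
        by = re.search(r"\bby (\S+)", v)
        user = re.search(r"\(from ([^\s()@]+)@([^\s()]+)\)", v)
        out.append((by.group(1) if by else None, user.groups() if user else None))
    return out

def audit(raw_message):
    """Compare the user-supplied From: with what the MTA itself recorded."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    sender = parseaddr(msg.get("Sender", ""))[1].lower() or None
    chain = hops(msg)
    submitter = None
    if chain and chain[0][1]:
        local, host = chain[0][1]
        if host == "localhost":  # local submission: the real host is the "by" host
            host = chain[0][0] or host
        submitter = f"{local}@{host}".lower()
    findings = []
    if sender and sender != from_addr:
        findings.append("From: differs from Sender:")
    # Heuristic: compare local parts only, since From: may use a mail domain.
    if submitter and submitter.split("@")[0] != from_addr.split("@")[0]:
        findings.append("From: differs from MTA-recorded submitter")
    if not sender and not submitter:
        findings.append("no MTA-recorded sender; From: is unverified")
    return {"from": from_addr, "sender": sender, "submitter": submitter,
            "origin": chain[0][0] if chain else None, "findings": findings}
```

Only Received: lines added by an MTA you control can be trusted; anything below the first trusted hop is supplied by the sending side.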

 
 
 

E-Mail Forgery in Netscape

Post by Cat_Eating_Da » Fri, 16 Jun 1995 04:00:00



: : Has anyone dealt with the possibility of e-mail forgery in Netscape? If

No-one needs Netscape to forge e-mail.  All you have to do is telnet to
port 25 on a mail relay box and follow the instructions from
ALT.2000 FAQ.
                                Lt. Sick Puppy
                                the Cat_Eating_Dawg
                                Stealth Starship Photonics Engineer

 
 
 

E-Mail Forgery in Netscape

Post by Peter Svanber » Fri, 16 Jun 1995 04:00:00



> What about Eudora, NewsWatcher, or any number of Mac- and PC-based
> mail and news applications???  ALL of them allow you to easily forge
> your identity by filling out a simple preference box.

You're right, there is no difference, except that -- as you
point out -- Netscape is very hot and spread.

> The problem is not at all new with Netscape.  And, although Netscape
> does have news and mail capabilities, I don't think either of those are
> being used any more than all the POP and NNTP clients out there.

Perhaps. There is the "mailto" URLs but I don't know how much
they are used.

> Besides, it's a trivial matter to put a bad return address on a paper
> envelope, and the US Post Office will still deliver it and make it look
> just as official as an envelope with a good return address.

I can see two differences: You normally sign paper letters and
there are more steps from thought to an addressed, enveloped,
stamped sent paper letter -- a higher threshold. But this
implies that the possible increase is with impulse forgery,
which maybe is not so dangerous, even if it can be annoying.

Anyhow it's important that Internet e-mail users are *aware*
of the problem.
---
Peter Svanberg

 
 
 

E-Mail Forgery in Netscape

Post by The ~Mad Doc » Mon, 19 Jun 1995 04:00:00






> : : Has anyone dealt with the possibility of e-mail forgery in Netscape? If

> No-one needs Netscape to forge e-mail.  All you have to do is telnet to
> port 25 on a mail relay box and follow the instructions from
> ALT.2000 FAQ.

Why make them go to ALL that trouble in finding alt.2000.faq - Be kind
and generous and ...

    telnet <mail machine> 25

    helo mailer.mars.net
    HELLO pleased to meet you
    rctp to: <username>

    data

   <message>

:)

--
Maddoc

_ATTENTION____ATTENTION____ATTENTION____ATTENTION____ATTENTION____ATTENTION_
SCREWNet<tm>IACS, C.P.D. and BRAND_X   +44.181.760.1962   IP 158.152.21.152

World.Wide.Web Multimedia Exchange with a difference towards the BALLISTIC!!

 
 
 

1. email forgery issues/questions

I'm an individual pc user with about average knowledge of computer
techniques and tools.

I'm trying to find out if there is any practical way for the little guys to
be able to defend once they've come under an email forging attack?

I know there is a moderate amount of discussion going on concerning how to
prevent this vis-a-vis commercial networks, systems administrators, and
network technical people, but I see no fixes for pc users who come under
attack.  It should be noted, however, that the systems guys probably mostly
have their own pcs at home, and/or family who does.......and, those pcs too
may be coming under attack soon.

Using Spamcop or related type services to parse headers may well only get us
a fake spammer ISP or server who hosts spammers.  So, we track the guy down,
but then can't do anything to prevent him/her continuing the forging
activity, short of bringing a law suit against him/her IF we can even get a
valid, genuine identity and location.

Right now, the only defense for the little guy that I see is simply to
change ISPs and get a new email address, which, of course, can be a bit of a
pain, in many cases.

To know how to fix something, we must first thoroughly understand the
problem.  So, I'd appreciate answers to the following questions which bring
technical issues down to my user level, and may benefit others in coming up
with a fix:

Q:  how do the guys forging my email address get it to begin with?
A:  My guess is through packet sniffers.  Is this the case, though?

Q:  are there ways that they can hide behind spammer friendly servers, or
even spoof their servers into thinking it's actually someone else sending
out spam mail?
A:  Seems like it.

Q:  seems like my email address alone isn't enough to trick my ISP mail
server into accepting mail with my email addy on it that comes in from
outside the ISP net.
If this is so, what data bits does a successful email address forger need?
A:  ???

Q:  If the question above is basically yes, then how does the forger get
these data bits?
A:  is it via packet sniffing, again?

Q:  Is there anything I'm doing that I shouldn't be doing, or that I'm not
doing that I should be doing which singles out my email address for a
forger/spammer to grab onto?
A:  ??????

Comments/thoughts/ideas welcomed.
