#1: An attack waiting to happen?

Posted on 2008-04-24 03:17:39 by Alan Clifford

A few weeks ago I sent an email from my home email address to Mr. A. at
work.

Today, Mr. B. sent an email to Mr. A. and me, all internal at work. Mr.
A. replied, but his reply was sent to my home email address. Then Mr. B.
replied and, again, the email was sent to my home email address.

It seems to me that the Exchange/Outlook mail system was looking at the
comment part of the to:/cc: fields and found "Alan Clifford" and sent the
emails to the wrong address. Certainly, in Outlook, email addresses are
not displayed, just "Alan Clifford"

Presumably, I could choose a colleague at random and send an email from
home with her name in the comment part and an address at my domain, to
everyone at work and I would potentially have seeded Exchange/Outlook to
send all her work emails to the false address?

What if I sent false emails in the name of everyone at work to everyone
else?


--
Alan

( If replying by mail, please note that all "sardines" are canned.
However, unless this is a very old message, a "tuna" will swim right
through. )


#2: Re: An attack waiting to happen?

Posted on 2008-04-24 12:41:06 by Frank Slootweg

Alan Clifford <sardines@purse-seine.net> wrote:
>
> A few weeks ago I sent an email from my home email address to Mr. A. at
> work.
>
> Today, Mr. B. sent an email to Mr. A. and me, all internal at work. Mr.
> A. replied, but his reply was sent to my home email address. Then Mr. B.
> replied and, again, the email was sent to my home email address.
>
> It seems to me that the Exchange/Outlook mail system was looking at the
> comment part of the to:/cc: fields and found "Alan Clifford" and sent the
> emails to the wrong address. Certainly, in Outlook, email addresses are
> not displayed, just "Alan Clifford"

I think this was just an error of Mr. A.

When you sent your first message to Mr. A., your home email address
was probably added to A.'s address book, probably automatically,
because you were a 'new' sender, i.e. a new email address.

When A. replied to the internal at work message, he probably did more
than just reply. He probably did something like click on your name in
the To: list, got presented with your *two* email addresses, and chose
the wrong one.

So A.'s reply had the wrong address, so when Mr. B. replied it also
went to the wrong address. I.e. Mr. B. did - and probably could - not
spot A.'s error and hence did not correct it.

This is a quite common error with Outlook (and Outlook Express and
Windows Mail and ...), because they most of the time show only the name
and not the email address.

Anyway, that's just my experience in our small 150,000 people company.

I advise you to go to Mr. A. and see what's in his address book. I'm
sure *both* your addresses are in there. I.e. just let him create a new
message with "To:" set to "Alan Clifford" and I'm sure that Outlook will
present him with a list of both your addresses.

> Presumably, I could choose a colleague at random and send an email from
> home with her name in the comment part and an address at my domain, to
> everyone at work and I would potentially have seeded Exchange/Outlook to
> send all her work emails to the false address?

AFAICT, you wouldn't have tricked *Exchange/Outlook/etc.* into
anything, but you would have *increased* the *likelihood* of the *users*
making a similar error as Mr. A. (probably) made.

> What if I sent false emails in the name of everyone at work to everyone
> else?

See above.

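Both posts turn on the same thing: a mail client that shows only the display name ("Alan Clifford") while the actual addr-spec behind it may be the work address or a home address, and, in the scenario Alan describes, an outsider can put a colleague's name in front of an address of their choosing. The check a gateway or a mail filter can make is mechanical: parse the address headers, and flag any entry whose display name matches a directory entry but whose address is not that entry's canonical address. The following is an added example for this thread, not code from either poster; the directory, the domains (all `.invalid`) and the message are constructed for illustration.

```python
"""Flag recipients whose display name matches an internal directory entry but
whose address is not that entry's canonical address.

Added example for this thread; the directory, domains and message below are
constructed for illustration (all .invalid domains are hypothetical).
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Constructed directory: display name -> canonical work address (hypothetical).
DIRECTORY = {
    "Alan Clifford": "alan.clifford@example-corp.invalid",
    "Mr. A.": "a@example-corp.invalid",
    "Mr. B.": "b@example-corp.invalid",
}
INTERNAL_DOMAINS = {"example-corp.invalid"}  # hypothetical

# Constructed message modelled on the situation in the thread: an internal
# reply in which "Alan Clifford" resolves to a home address rather than the
# work one, plus a Reply-To that would send further replies the same way.
SAMPLE_MESSAGE = """\
From: "Mr. A." <a@example-corp.invalid>
To: "Mr. B." <b@example-corp.invalid>,
    "Alan Clifford" <alan@home-isp.invalid>
Reply-To: "Alan Clifford" <alan@home-isp.invalid>
Subject: Re: internal matter

Replying to all.
"""


@dataclass(frozen=True)
class Finding:
    header: str       # which header the entry came from
    name: str         # display name as written in the message
    address: str      # addr-spec actually used
    expected: str     # canonical address for that name in the directory
    internal: bool    # True if the address is at least on an internal domain


def _key(name):
    """Normalise a display name: collapse whitespace, ignore case."""
    return " ".join(name.split()).casefold()


def find_name_address_mismatches(raw_message, directory=DIRECTORY,
                                 internal_domains=INTERNAL_DOMAINS):
    """Parse From/To/Cc/Reply-To and return a Finding for every entry whose
    display name is in the directory but whose address differs from the
    directory's canonical address for that name."""
    msg = message_from_string(raw_message)
    by_name = {_key(n): a.casefold() for n, a in directory.items()}
    findings = []
    for header in ("From", "To", "Cc", "Reply-To"):
        # getaddresses() splits "Name <addr>" lists and strips the quotes
        # around quoted display names, so "Mr. A." comes back as Mr. A.
        for name, addr in getaddresses(msg.get_all(header, [])):
            key = _key(name)
            if not key or key not in by_name:
                continue  # unknown name: nothing to compare against
            expected = by_name[key]
            actual = addr.casefold()
            if actual == expected:
                continue
            domain = actual.rpartition("@")[2]
            findings.append(Finding(header, name, addr, expected,
                                    domain in internal_domains))
    return findings


def external_lookalikes(raw_message, **kw):
    """The subset most worth alerting on: an internal name paired with an
    address outside the organisation's own domains."""
    return [f for f in find_name_address_mismatches(raw_message, **kw)
            if not f.internal]


if __name__ == "__main__":
    for f in find_name_address_mismatches(SAMPLE_MESSAGE):
        print(f"{f.header}: '{f.name}' -> {f.address} "
              f"(directory has {f.expected})")
```

Run against the constructed message, the check reports the `To:` and `Reply-To:` entries for "Alan Clifford" and says nothing about Mr. A. or Mr. B., whose names and addresses agree with the directory. Matching on the normalised display name rather than on the address is deliberate: it is exactly the name-only view that Outlook shows its users, so the filter sees the same ambiguity they do, but resolves it against the directory instead of against whatever the address book happened to autocomplete.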