Extra Feeds & Services »

Page Not Found

Error: Invalid Request

Comments

Re: Email Address Forgery Colin Dijkgraaf  –  Jun 17, 2004 6:57 PM PDT

Yes I agree it is complex. Just validating the domain is not sufficient, the whole e-mail address needs to be validated, and not only that it is a valid e-mail address, but that the person trying to use that e-mail address has the rights to send mail under that address.  This will require a fundamental change in the protocol currently used to send mail (SMTP), and will require that the server accepting mail to send (SMTP server) be able to identify the sending user, and verify that the user has the rights to use that e-mail address.
For web bases e-mails this is fairly straight forward, as the user has to log in (and hence verify who they are).  The problem is with dialup users and as mentioned, sites that send e-mails on behalf of someone such as electronic post card sites. 

Dialup user get verified as a legitimate dialup user, but there is no currently no mechanism for the mail server to 1) get this user name, 2) get a list a valid e-mail addresses that user is authorised to use.
Things get further complicated if the user has their own domain and wants to use an e-mail address which is not one assigned to them by their internet provider, there is no mechanism where the ISP can check the domain records to see if someone using a valid domain has rights to send e-mails with an address using that domain.
Things are further complicated by that there can be several different e-mail addresses in an e-mail, From, Sender, Reply-to: and different validations rules could be required when verifying these.

The fundamental underlying problem is there is no global user verification method, that allows a server to verify a request to send an mail to verify that it is being initiated by someone who has the rights to use that e-mail address in the From: or Reply-to: addresses.  The Sender address should probably be used to record which service is sending the e-mail, such as a mailing list or postcard site, and this should probably be tied to be verified against a server or group of servers.

Reply  |  Link  |  Report Problems
Re: Email Address Forgery Suresh Ramasubramanian  –  Jun 21, 2004 3:11 AM PDT

That's a short, and really good summary of what MARID finally amounts to :)

Also - my followup to Esther's article, at http://www.circleid.com/article/607_0_1_0_C/#1087811284

Reply  |  Link  |  Report Problems

To post comments, please login or create an account.

Related News

Two Europeans Charged for DDOS Attacks in U.S.

  • Oct 03, 2008
  • Comments: 0

Stay Safe Online: Fifth Annual National Cyber Security Awareness Month

  • Oct 02, 2008
  • Comments: 0

Finnish Security Researchers Decide to Go Public With a TCP/IP Flaw

  • Oct 01, 2008
  • Comments: 0

Security Experts Concerned Over Availability of Software Development Kits for Mobile Devices

  • Sep 24, 2008
  • Comments: 0

Former Hacker Reports on Types of Hackers and Their Behaviors

  • Sep 23, 2008
  • Comments: 0
View More

Related Blogs

The Root of All Email

  • Oct 06, 2008
  • Comments: 0

Inside a Managed Spam Service

  • Oct 06, 2008
  • Comments: 0

Time for Self Reflection

  • Oct 05, 2008
  • Comments: 0

Internet Vigilantism

  • Sep 24, 2008
  • Comments: 1

Estonian Cyber Security Strategy Document: Translated and Public

  • Sep 23, 2008
  • Comments: 1
View More

Industry Updates

NeuStar Completes Trial of SIP-IX VoIP Interconnection Exchange Service with COMPTEL Members

.ORG Talks with Dan Kaminsky on DNSSEC

  • By PIR
  • Views: 236

dotMobi Announces 2.0 Release of Award-Winning DeviceAtlas Mobile Device Database

Hostway Offers Discount on Newly Expanded .Pro TLDs

dotMobi Announces Special Online Premium Domain Name Auction with Leading Auctioneer Sedo

View More

Advertise  |  About IDG TechNetwork  |  Become a Member Site  |  Privacy Policy