Re: E-mail Address in WEB Browser

• To: patw@aqmd.gov
• Subject: Re: E-mail Address in WEB Browser
• From: "Daniel J. Boyle" <djb2413@is2.NYU.EDU>
• Date: Thu, 14 Dec 1995 09:33:42 -0500 (EST)
• Cc: dittrich@cac.washington.edu, www-security@ns2.rutgers.edu
• In-Reply-To: <vines.1gI8+XQsnkA@dbar7.aqmd.gov>

Internet email is by definition not secure. You can spoof email
by simply opening a connection and sending mail across any SMTP
port, as if you're someone else (see RCPT TO: Bill@Whitehouse.gov).
This is exactly what you're doing if you enter someone else's
email address in the Netscape mail fields. I don't think there
are any plans to change this in the Netscape browser. If you
want security go with something like Notes, but then anyone else
with a Netscape browser can act like you.

> Sorry, I guest I did not make my self clear the first time.  I want to know 
> if there are write up or plan to make the E-mail address you put in the web 
> browser more secure.  
> For example, I can put somebody-else E-mail address (on the mail server I 
> am using) on my Netscape Web browser, and visit some web site and sent 
> "mailto" messages under that assume name.  The mail would be sent to the 
> "mailto" address as the person I have put in the E-Mail options
> of the Netscape browser.
> 
> 
> -------------
> Original Text
> >From Dave Dittrich <dittrich@cac.washington.edu>, on 12/13/95 06:07 PM:
> > Can anyone tell me or is there any write up on the issue of verifying the 
> > E-Mail address that is entered into the WEB Browser.    
> 
> You could use a tool called "expn" (a Perl script that uses the SMTP
> EXPN or VRFY commands to try to validate email addresses), but the
> results may not be what you want.
> 
> I have tried using such a mechanism to validate email addresses (not
> for web services, but to try to expand and validate email addresses
> for a question tracking system).  I can tell you from my experience
> that this is a very difficult and unreliable task (if you care about
> using the results to do something akin to directory services; just
> checking to see if a given email address will be accepted by an SMTP
> delivery agent is a bit more reliable).  The main reasons for this are
> that the EXPN/VRFY commands of SMTP (the main email delivery protocol
> on the Internet) do not give easy to interpret results, MX forwarding
> configurations used by many large sites makes it difficult to get the
> name (or comment) information that accompanies addresses, and many
> email gateways (e.g., AOL, Compuserve, Microsoft Mail servers, etc.)
> don't implement EXPN/VRFY commands.
> 
> Just pray that something like X.500 (or any other directory service,
> for that matter) gets adopted by the industry.
> 
> -- 
> Dave Dittrich                  Client Services, Computing & Communications
> dittrich@cac.washington.edu    University of Washington
> 
> <a href="http://www.washington.edu/People/dad/">
> Dave Dittrich / dittrich@cac.washington.edu</a>
> 

• Re: E-mail Address in WEB Browser
• From: patw@aqmd.gov

• Previous: Re: your mail
• Next: Re: E-mail Address in WEB Browser
• Index(es):
  • Index
  • Thread