The Danger of Email Signatures?

Thread: The Danger of Email Signatures?

  1. #1

    Question The Danger of Email Signatures?

    I've been told by a security expert that it's unwise to use standardized signatures (set to go out with every e-mail you send when the option is on) in any e-mail program. I've never understood this one, but from what little I do understand, it somehow leaves a hole for which you can be attacked through...or something like that...

    Can someone explain to me what the story is behind this? Why is this a risk?

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    117
    I've never heard that one before, but now you've got me curious as well. Maybe it has something to do with HTML signatures and the possibility of doing something malicious with that. Not really sure. Or, on second thought, maybe folks put too much information into their signature that someone could use against an organization (thinking phone number prefix and war dialing).

    Just some thoughts of mine...

    alpha

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    I too find this a little weird. How are email signatures gonna be used to exploit a hole? What hole? An email signature is most of the time just text or at most HTML. There shouldn't be any hole for them to exploit.

    What alpha says could be it: using the info supplied to break in, like phone numbers for wardialing. But that's not so much a hole as it is a user education problem. Anyway, most of the time we use different sets of numbers for dial-up access compared to the regular users' tel numbers. Also, if you secure your network well then wardialing will not be a problem. Even people without the numbers will try it anyway.

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    That is interesting.... I have only ever used plain ASCII sig's auto-generated from fortune which append to my mail when I start a new one in mutt. Perhaps if a sig is coming from an external source such as a URL or UNC pointer that can be tampered with to get a malicious file at the pointed-to location. This assumes that your assailant has or can get access to the remote location and replace its contents, which is easy in an NT-LAN or NFS environment within a company. From outside the network that the URL/UNC points to I am not so sure that it would be all that easy without compromising a bunch of hosts on the way.

    The really revealing info in an email is in the header, and that is not something that is easily covered up without something like a re-mailer service between the sender and recipient. Then again, I may have misunderstood your friend, and other A.O. members are familiar with a way to do something nasty with an email signature.

    Like I said though, very interesting thought AngelicKnight.
    Get OpenSolaris http://www.opensolaris.org/

  5. #5
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    I use multiple signatures, each with a specific purpose. One for office and professional use, the others for casual email or friends. I don't put sensitive information in them. Contact data, yes. My email, work phone, that kind of stuff. 'Course, I use plain text in my email.

    No HTML in the signature for me, thank you. Don't care for the junk when I get it and don't want to be a source of irritation for others. That is probably where the "security expert" thought the vulnerability exists.

    Wardialing? There would have to be a modem on my end of the published phone line for that to be a problem.

    If you are trying to work with someone via email, it only makes sense to have your contact data in a signature. Not all clients display your email address in the TO: line, and a phone number, sometimes, is essential. Keep in mind that the recipient may need to contact you.

    If it is plain text, can that information be used to attack your host system or network? Very doubtful.

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    To an MTU like Sendmail, there is no difference between the signature and the message text. The signature simply appears at the bottom. The only security risk I could think of because of signatures would be viruses being sent out through your signature without your knowledge. But there are far more effective ways to do this. Yes, a signature could be exploited theoretically, but whatever a programmer is trying to do with it, he/she could find a more effective method for. So I would have to disagree with this 'expert' and say that signatures do not pose any significant security risk.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  7. #7
    Senior Member
    Join Date
    Jul 2002
    Posts
    117
    Originally posted here by rapier57


    Wardialing? There would have to be a modem on my end of the published phone line for that to be a problem.
    Modem, yes. Published number, maybe not. Now, I've never used a war dialer, but from what I understand of them, they dial all numbers within a given range (or am I mistaken? please correct me if I am... flame, no) If you have your work phone number in your signature, they have at least a starting point.

    alpha

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Originally posted here by alphabetarian
    maybe folks put too much information into their signature that someone could use against an organization (thinking phone number prefix and war dialing).
    I don't see how a phone number in your signature could pose a threat... who the hell are you emailing anyway? Unless you're emailing people who you think might do this, there won't be a problem with it, unless you have a virus, in which case you've got bigger fish to fry. If you include your home telephone number, a wardialer won't do anything unless your modem is set to auto answer. If you're using corporate email, the number is public information anyway. I wouldn't worry about it.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  9. #9
    I don't think an e-mail sig makes much difference. How can one open a hole with it!! Ridiculous.
    ___________________________
    get fast get furious!!!

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    I have to agree on the wardialing issue, if a company has modem racks that are susceptible to this kind of attack then they have bigger problems than somebody messing with email sig's.

    Here is a scenario that would work at a company I know of however....

    - Employees use MS Outlook and MS Exchange for their in-house email traffic.
    - A popular thing to do is place a short .html file containing some nicely formatted contact info in their personal folder on a company-wide share.
    - A user has Outlook configured to automatically insert their personal .html sig from this UNC when they compose a new email.

    Now, suppose a malicious user with some knowledge of VBScript whips up a little nasty and embeds it in the victim's HTML signature file.

    So, under a given scenario such as the above, an argument can be made that email signatures can lead to some kind of security incident other than war-dialing. This kind of attack would rely on the user not catching on, which is unlikely, and the company InfoSec team not catching on, which is more unlikely. However users who know enough to do something like this, but are too stupid not to get caught are in great supply.

    Note: Many corporate Windows environments have the C$ share enabled by default, so if the sig is located in say C:\program files\whatever\whatever\outlook\sig.html, and \\victim-machinename\C$ can be reached on the attacker's machine, then the same can be done to a signature file stored locally.
    Get OpenSolaris http://www.opensolaris.org/
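
Added example (not part of any post in this thread): a defender-side check for the scenario raised in posts #4 and #10, where an HTML signature file on a share is modified or pulls content from a URL/UNC path. It parses a signature and reports script tags, event-handler attributes, script-scheme URLs and remote references; the sample signatures, the host name `fileserver` and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}
URL_ATTRS = {"src", "href", "background", "data", "action"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
# "\\\\" is a literal double backslash, i.e. the start of a UNC path.
REMOTE_PREFIXES = ("http://", "https://", "//", "\\\\", "file:")


class SignatureAuditor(HTMLParser):
    """Collects (kind, tag, detail) for anything beyond static markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag, ""))
        for name, value in attrs:
            value = (value or "").strip()
            lowered = value.lower()
            if name.startswith("on"):            # onclick, onmouseover, ...
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and lowered.startswith(SCRIPT_SCHEMES):
                self.findings.append(("script-url", tag, value))
            elif name in URL_ATTRS and lowered.startswith(REMOTE_PREFIXES):
                self.findings.append(("remote-ref", tag, value))


def audit_signature(html_text):
    """Return a list of findings; an empty list means static markup only."""
    auditor = SignatureAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed samples: a plain contact block and a modified copy of it.
CLEAN_SIG = ('<p><b>Jane Doe</b><br>Helpdesk<br>'
             '<a href="mailto:jane@example.com">jane@example.com</a></p>')
TAMPERED_SIG = (r'<p onmouseover="placeholder()"><b>Jane Doe</b></p>'
                r'<script language="VBScript">REM placeholder</script>'
                r'<img src="\\fileserver\share\logo.gif">')

if __name__ == "__main__":
    for label, sig in (("clean", CLEAN_SIG), ("tampered", TAMPERED_SIG)):
        print(label, audit_signature(sig))
```

Run against the signature files on the share on a schedule, any non-empty result is worth a look; pairing it with write-restricted permissions on the signature folder addresses the tampering path itself.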
