Defending against Friendly Name attacks
Idea shared by Douglas Foster - 5/7/2024 at 4:18 AM
Most email clients give prominence to the sender's Friendly Name (Display Name), leaving the email address hidden or invisible.   We were recently reminded of the problem when a Friendly Name attack was nearly successful.  

For external mail, we have begun rewriting the Friendly Name from some sources, so that:
"john.doe@example.com AS John Doe" <john.doe@example.com>

This reverses the damage caused by email clients that hide the email address.

But we should also worry about insider attacks.  The Friendly Name is set by the user, can be changed at will, and can have a different value on every email client.   This seems wrong.

The U.S. NIST Digital Identity Guideline documents are relevant background reading for this issue.
The short version:   A digital identifier is issued in response to some assertion about actual identity.  The level of actual identity verification will vary with the way that the digital identifier will be used.   

For my email, user identity is based on employment, and the process begins with our Human Resources department.   So identity is assumed to be highly verified.  But all of that identity verification goes out the window if an employee decides to play games with his Friendly Name.

It seems like SmarterMail should provide an option to enforce one Display Name identity per user.   That would mean that either (a) the Friendly Name (Display Name) can only be altered by the administrator, or (b) Friendly Name changes are initiated by the user but deferred until approved by the administrator.   In either case, when a message arrives from an email client, the Friendly Name must be checked, and rewritten to the approved text string if it is not compliant.

Does anyone agree?
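The two rewrites the post describes, as an added Python example (not SmarterMail's code): the approved-name directory, the internal domain and the sample headers are constructed for illustration.

```python
"""Friendly Name (display name) normalisation for a mail gateway.

Added example, not SmarterMail code. Two policies from the post:
  1. External mail: put the real address inside the Friendly Name so a
     client that hides the address still shows it.
  2. Mail submitted by an internal client: replace whatever Friendly Name
     the client sent with the administrator-approved one for that mailbox.
"""
from email.utils import formataddr, parseaddr

# Constructed: administrator-approved Friendly Name per internal mailbox.
APPROVED_DISPLAY_NAMES = {
    "john.doe@example.com": "John Doe",
    "jane.roe@example.com": "Jane Roe",
}
INTERNAL_DOMAINS = {"example.com"}  # constructed


def is_internal(addr: str) -> bool:
    """True when the address belongs to one of our own domains."""
    return addr.rpartition("@")[2].lower() in INTERNAL_DOMAINS


def rewrite_external_from(from_header: str) -> str:
    """External sender: make the address visible inside the Friendly Name."""
    name, addr = parseaddr(from_header)
    if not addr:
        return from_header  # unparseable; leave it for the MTA's own policy
    visible = f"{addr} AS {name}" if name else addr
    return formataddr((visible, addr))  # quotes the name because of '@' and '.'


def enforce_internal_from(from_header: str) -> str:
    """Internal sender: force the approved Friendly Name for that mailbox."""
    name, addr = parseaddr(from_header)
    approved = APPROVED_DISPLAY_NAMES.get(addr.lower())
    if approved is None:
        return from_header  # no approved name on record; no rewrite
    return formataddr((approved, addr))


def normalise_from(from_header: str, submitted_by_client: bool) -> str:
    """Apply the policy matching where the message came from."""
    _, addr = parseaddr(from_header)
    if not is_internal(addr):
        return rewrite_external_from(from_header)
    if submitted_by_client:
        return enforce_internal_from(from_header)
    return from_header
```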
