Closed Bug 234866 Opened 22 years ago Closed 20 years ago

Hamper third party programs to do harvesting (email personal info etc)

Categories

(SeaMonkey :: MailNews: Address Book & Contacts, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED EXPIRED

People

(Reporter: ivarBZ, Unassigned)

Details

User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113

Reading the above URL I realized that the Mozilla mailbox is very easy to harvest for email addresses. Currently the average Mozilla user is rather high end, but that will change. I issue this request for a way of improving the security of the currently available files. This will probably be a great loss to users like myself who like the mbox format very much, so it should be a setting that can be turned on or off (only at initial installation) but defaults to ON. A simple XOR using a password/hash using the known working password handling in Mozilla. What would be the implications in speed/usability/installation etc.?

Reproducible: Always

Steps to Reproduce:
One
1. Find an *.msf file on the system
2. Remove the extension
3. Open the file
4. Harvest away
Two
1. Find a *.mab file on the machine
2. Open it
3. Indulge

Actual Results:
Got a shipload of email addresses; not all are real, but that has not stopped spammers before.

Expected Results:
Optional obscurity that is specific per installation. It does not have to be really hard 1024 bit PGP like encryption, but at least a challenge would be nice.
If an untrusted program has access to your mailbox files, you have bigger things to worry about than the format of those files. That untrusted program might be logging your keystrokes, deleting your files at random, etc... That doesn't mean that additional security would be bad.
It is more a matter of how current worms work. Like the last one, it will spread until a future date and then lie dormant, waiting for an additional task. I do not want to know how many people have these things hanging around. By obscuring the files, spreading of the virus by an unwitting user is hampered. Sure, there are a lot of other issues that you should be aware of, but those affect the 'current' user; the aim is to delay (disable) the spreading. Sure, you should install a virus scanner and a firewall. But that still is not common enough to stop the spreading of current worms.
A simple XOR will not help because a harvester could also change their code. I don't think that the address book format will be changed...
The XOR solution depends on more than 8*20 bits (because the first part of any mbox file is 'From - ' + date, like 'From - Thu Jan 15 22'). This makes it too easy. That's why I mention that it should be machine or profile dependent. Not 'standard' as you probably assume. Note: I know enough about crypto to safely state that only using XOR (even if it *is* machine dependent) is **** security. Also, changing the mbox file format is not the aim; only change the low-level file I/O, and the remainder stays the same. Also, the feature should be optional. Also (again optional), compression combined with the XOR solution should make it rather effective (depending on the compression algorithm used). But this makes implementing the file I/O a PITA (or slow). Sure, any reasonable programmer can break the protection I presume here, but the whole exercise is to make it harder as opposed to 'the others'.
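The known-header weakness raised in the comment above, as an added example that is not part of the original bug thread: a repeating XOR key no longer than the predictable mbox header is exposed by XORing that header back out of the file. The sample mailbox, both keys and all function names are constructed for illustration, and the zero-padded day and hour fields are an assumption about the date format.

```python
from itertools import cycle, product

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def candidate_headers():
    """Every 20-byte file start shaped like 'From - Thu Jan 15 22'.
    Assumption: day and hour are two-digit, zero-padded fields."""
    for day, mon, dom, hour in product(DAYS, MONTHS, range(1, 32), range(24)):
        yield f"From - {day} {mon} {dom:02d} {hour:02d}".encode("ascii")

def key_from_known_header(obfuscated: bytes, header: bytes) -> bytes:
    """XOR the known plaintext out of the file start to expose the
    keystream, then reduce it to its shortest repeating unit. That unit
    is the key whenever the key is no longer than the header."""
    stream = xor_stream(obfuscated[:len(header)], header)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period]
               for i in range(period, len(stream))):
            return stream[:period]
    return stream  # empty header: nothing recovered

# Constructed sample mailbox and keys (not taken from the bug report).
SAMPLE_MBOX = (b"From - Thu Jan 15 22:10:05 2004\n"
               b"From: alice@example.org\nTo: bob@example.net\n"
               b"Subject: lunch\n\nSee you at noon.\n")
SHORT_KEY = b"k3y!"                  # 32-bit per-profile key
LONG_KEY = bytes(range(0x41, 0x55))  # 160-bit key, 20 distinct bytes

def demo():
    # The 7 fixed bytes "From - " settle any key of up to 7 bytes.
    short = key_from_known_header(xor_stream(SAMPLE_MBOX, SHORT_KEY),
                                  b"From - ")
    # A 160-bit key costs at most one trial per possible date header.
    guesses = sum(1 for _ in candidate_headers())
    long_key = key_from_known_header(xor_stream(SAMPLE_MBOX, LONG_KEY),
                                     SAMPLE_MBOX[:20])
    return short, guesses, long_key

if __name__ == "__main__":
    print(demo())
```

The 62,496 possible headers mean a nominally 160-bit key offers roughly 16 bits of resistance, which is why the comment asks for a key that depends on more than 8*20 bits.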
Product: Browser → Seamonkey
Assignee: sspitzer → mail
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
This bug has been automatically resolved after a period of inactivity (see above comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → EXPIRED