It sounds like we should address this issue for POP3 and SMTP AUTH as well, especially since they are already present and from what I can tell have the same security problems. What about a counter to check how frequently a password has been guessed (some time limit) or maybe some throttling so a single IP address can't make too many guesses for whatever accounts it tries to get to? If you at least set it to lock the account for 5 minutes after a few rapid failed attempts, you'll greatly slow down the ability of a dictionary attack.
--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com

Harmeet Bedi wrote:
> Companies often expose SMTP Servers and not POP3/IMAP Servers outside
> firewall.
>
> The point is that you can always send mail or spam to anyone but you cannot
> do a dictionary attack, guess passwords and read any mail.
>
> ATRN/ETRN actually allow an SMTP Server to act as a mail receiver and also
> mail publisher.
>
> Here is a scenario:
> A hacker looks for valid userids by searching for '@<companyname>'
> Does dictionary attack to find password. Say gets 5% of passwords on a
> system that does not have good auditing.
> Finds a mail server that has TURN commands, and then once in a while routes
> mail to herself for those users.
>
> Harmeet
>
> PS: Polymorphism may be good and object oriented but Security folks are not
> likely to know the advantages.
>
> ----- Original Message -----
> From: "Harmeet Bedi" <[EMAIL PROTECTED]>
> To: "James Users List" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 12, 2002 5:36 PM
> Subject: Re: ATRN
>
>> FYI: ATRN is bad from a security point of view.
>>
>> Reason: "My need is for a simple device
>> that simply queues mail and relays it on-demand, no delivery necessary."
>> One can send (snail)mail to anyone in the directory, but I want to keep my
>> own mail inbox hidden.
>>
>> Harmeet
>> ----- Original Message -----
>> From: "Jeff Schnitzer" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Tuesday, June 11, 2002 7:32 PM
>> Subject: ATRN
>>
>> I need to use ATRN to pull mail from a relay into an Exchange server
>> which has a dynamic IP address. Does James support ATRN?
>>
>> I'm guessing it doesn't, since a search of the mail archives and
>> documentation turns up nada.
>>
>> The next question is: How amenable is the James architecture to
>> supporting ATRN? I notice SMTP AUTH is already supported, which is
>> good. But I know relatively little (yet) about the internal workings of
>> an MTA, so I don't know what else is needed. Can James queue mail
>> without delivery for a more or less indefinite time? Does the
>> architecture make it possible to easily take an inbound SMTP connection
>> and reverse the client/server roles?
>>
>> If it's realistically possible for me to implement it in a week, I'm
>> willing to grab the RFC and start hacking. But I'm starting at the
>> bottom of both the James and MTA learning curves, so I can't even
>> evaluate the feasibility.
>>
>> Comments?
>>
>> ATRN would be a really cool feature to have, especially since neither
>> sendmail nor qmail currently support it. My need is for a simple device
>> that simply queues mail and relays it on-demand, no delivery necessary.
>>
>> Jeff Schnitzer
>> [EMAIL PROTECTED]
>>
>> --
>> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
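Serge's throttling suggestion at the top of this thread (lock an account for a few minutes after a burst of failed attempts, and cap how many guesses a single source IP may make across all the accounts it tries) can be written down as one small policy object. The code below is an added example, not code from this thread and not James's own SMTP AUTH or POP3 handler. Everything in it is an assumption for illustration: the class and method names, the thresholds (3 failures within 60 s locks the account for 5 minutes; 20 attempts per IP per minute), and the constructed account, password and addresses in the scenario function. The clock is passed in as a plain number so the policy is deterministic and can be checked without waiting.

```python
from collections import defaultdict, deque


class AuthThrottle:
    """Per-account lockout plus per-source-IP rate limit for POP3/SMTP AUTH logins.

    Thresholds are assumptions for this example. `now` is passed in as seconds
    (float) on every call so the policy is deterministic and easy to test.
    """

    def __init__(self, account_failures=3, account_window=60.0, lockout=300.0,
                 ip_attempts=20, ip_window=60.0):
        self.account_failures = account_failures  # failures before lockout
        self.account_window = account_window      # ...within this many seconds
        self.lockout = lockout                    # seconds the account stays locked
        self.ip_attempts = ip_attempts            # attempts one IP gets per window
        self.ip_window = ip_window
        self._fails = defaultdict(deque)      # account -> timestamps of failures
        self._locked_until = {}               # account -> time the lock expires
        self._ip_hits = defaultdict(deque)    # ip -> timestamps of all attempts

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    def attempt(self, account, ip, now, verify):
        """Gate one login attempt.

        `verify` is a zero-argument callable that checks the password; it is
        only invoked when the policy allows the attempt, so a locked account or
        a rate-limited source does no credential work at all. Returns one of
        "ok", "bad password", "account locked", "ip rate limited".
        """
        hits = self._ip_hits[ip]
        self._prune(hits, now, self.ip_window)
        hits.append(now)  # every attempt, allowed or not, consumes the IP budget
        if len(hits) > self.ip_attempts:
            return "ip rate limited"

        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return "account locked"
            del self._locked_until[account]  # lock has expired

        if verify():
            self._fails.pop(account, None)  # success clears the failure history
            return "ok"

        fails = self._fails[account]
        self._prune(fails, now, self.account_window)
        fails.append(now)
        if len(fails) >= self.account_failures:
            self._locked_until[account] = now + self.lockout
            fails.clear()
        return "bad password"


def simulate_dictionary_guessing():
    """Constructed scenario: one source IP walks a short word list against 'alice'.

    Returns the policy decision for each attempt, in order.
    """
    throttle = AuthThrottle()
    secrets = {"alice": "correct-horse"}  # constructed credential store

    def verify(account, password):
        return secrets.get(account) == password

    results = []
    guesses = ["123456", "password", "letmein", "correct-horse"]
    for second, guess in enumerate(guesses):
        results.append(throttle.attempt(
            "alice", "198.51.100.7", float(second),
            lambda g=guess: verify("alice", g)))
    # The correct password again, after the 5 minute lock has expired.
    results.append(throttle.attempt(
        "alice", "198.51.100.7", 305.0, lambda: verify("alice", "correct-horse")))
    return results


if __name__ == "__main__":
    for decision in simulate_dictionary_guessing():
        print(decision)
```

The two limits cover different attacker behaviours: the per-account lock stops focused guessing against one mailbox, while the per-IP budget is what catches a client that spreads a few guesses over many harvested userids so no single account ever trips the lock. The distinct return values are for the server's own log (which is what makes the "5% of passwords on a system without good auditing" case in Harmeet's scenario visible); the response actually written back on the SMTP or POP3 connection should be the same generic authentication failure in every case, so the protocol never confirms which accounts exist or are locked. Lockouts also let a hostile client keep a legitimate user locked out, which is why the lock here is short and the IP limit carries most of the weight.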
