If both forms of guess limiting would be tracked on an IP by IP basis
(perhaps that is what Serge had in mind, and I missed it), that would not
lock out the legitimate user (theoretically coming from an unblocked
address).  We'll need to do this without consuming a lot of memory tracking
the attacks, and opening up a different kind of DoS attack.

        --- Noel
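Added here as an illustration (not James's code, and not anything posted in the thread): a per-address failure limiter of the kind described above, locking only the offending client address and holding at most a fixed number of addresses in memory; the class and parameter names are this example's own assumptions.

```python
import time
from collections import OrderedDict

# Added example (not James code): per-address failed-login limiting with a
# hard memory bound. Only the offending client address is locked, so a
# legitimate user connecting from another address is unaffected.
class IpGuessLimiter:
    def __init__(self, max_failures=5, window=60.0, lock_seconds=300.0,
                 max_tracked=10000):
        self.max_failures = max_failures    # rapid failures before a lock
        self.window = window                # seconds that count as "rapid"
        self.lock_seconds = lock_seconds    # lock length (thread: 5 minutes)
        self.max_tracked = max_tracked      # hard cap on tracked addresses
        # ip -> [failure_count, window_start, locked_until]; an OrderedDict
        # used as an LRU so the table can never grow past max_tracked.
        self._state = OrderedDict()

    def _touch(self, ip, now):
        entry = self._state.get(ip)
        if entry is None:
            if len(self._state) >= self.max_tracked:
                self._state.popitem(last=False)  # evict least recently seen
            entry = self._state[ip] = [0, now, 0.0]
        else:
            self._state.move_to_end(ip)
        return entry

    def is_blocked(self, ip, now=None):
        """Check before even reading credentials; no entry is created."""
        now = time.time() if now is None else now
        entry = self._state.get(ip)
        return entry is not None and entry[2] > now

    def record_failure(self, ip, now=None):
        """Count a failed POP3 PASS / SMTP AUTH from ip; True if ip is locked."""
        now = time.time() if now is None else now
        entry = self._touch(ip, now)
        if now - entry[1] > self.window:     # window expired: start over
            entry[0], entry[1] = 0, now
        entry[0] += 1
        if entry[0] >= self.max_failures:
            entry[2] = now + self.lock_seconds
            entry[0], entry[1] = 0, now
            return True
        return entry[2] > now

    def tracked(self):
        """Number of addresses currently held in memory."""
        return len(self._state)
```

The memory cap is the trade-off the message names: once max_tracked addresses are in the table, a flood from many new addresses evicts the oldest entries, active locks included, so the cap has to be sized against expected client counts rather than set arbitrarily small.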

-----Original Message-----
From: Noel J. Bergman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 13, 2002 19:08
To: James Users List
Subject: RE: ATRN


Serge,

What prior art exists in this area?  One of the things I noticed in your
proposal is that although I might not be able to get into your e-mail box, I
can effectively launch a DOS attack by having robots fail to get into your
mailbox, thus causing the system to disallow letting YOU into your mailbox.

        --- Noel

-----Original Message-----
From: Serge Knystautas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 13, 2002 18:10
To: James Users List
Subject: Re: ATRN


It sounds like we should address this issue for POP3 and SMTP AUTH as
well, especially since they are already present and from what I can tell
have the same security problems.  What about a counter to check how
frequently a password has been guessed (some time limit) or maybe some
throttling so a single IP address can't make too many guesses for
whatever accounts it tries to get to?  If you at least set it to lock
the account for 5 minutes after a few rapid failed attempts, you'll
greatly slow down the ability of a dictionary attack.

--
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com

Harmeet Bedi wrote:
> Companies often expose SMTP Servers and not POP3/IMAP Servers outside
> firewall.
>
> The point is that you can always send mail or spam to anyone but you
> cannot do a dictionary attack, guess passwords and read any mail.
>
> ATRN/ETRN actually allow an SMTP Server to act as a mail receiver and also
> mail publisher.
>
> Here is a scenario:
> A hacker looks for valid userids by searching for '@<companyname>'
> Does dictionary attack to find password. Say gets 5% of passwords on a
> system that does not have good auditing.
> Finds a mail server that has TURN commands, and then once in a while
> routes mail to herself for those users.
>
> Harmeet
>
> PS: Polymorphism may be good and object oriented but Security folks are
> not likely to know the advantages.
>
> ----- Original Message -----
> From: "Harmeet Bedi" <[EMAIL PROTECTED]>
> To: "James Users List" <[EMAIL PROTECTED]>
> Sent: Wednesday, June 12, 2002 5:36 PM
> Subject: Re: ATRN
>
>
>
>>FYI: ATRN is bad from a security point of view.
>>
>>Reason: "My need is for a simple device
>>that simply queues mail and relays it on-demand, no delivery necessary."
>>One can send (snail)mail to anyone in the directory, but I want to keep my
>>own mail inbox hidden.
>>
>>Harmeet
>>----- Original Message -----
>>From: "Jeff Schnitzer" <[EMAIL PROTECTED]>
>>To: <[EMAIL PROTECTED]>
>>Sent: Tuesday, June 11, 2002 7:32 PM
>>Subject: ATRN
>>
>>
>>I need to use ATRN to pull mail from a relay into an Exchange server
>>which has a dynamic IP address.  Does James support ATRN?
>>
>>I'm guessing it doesn't, since a search of the mail archives and
>>documentation turns up nada.
>>
>>The next question is:  How amenable is the James architecture to
>>supporting ATRN?  I notice SMTP AUTH is already supported, which is
>>good.  But I know relatively little (yet) about the internal workings of
>>an MTA, so I don't know what else is needed.  Can James queue mail
>>without delivery for a more or less indefinite time?  Does the
>>architecture make it possible to easily take an inbound SMTP connection
>>and reverse the client/server roles?
>>
>>If it's realistically possible for me to implement it in a week, I'm
>>willing to grab the RFC and start hacking.  But I'm starting at the
>>bottom of both the James and MTA learning curves, so I can't even
>>evaluate the feasibility.
>>
>>Comments?
>>
>>ATRN would be a really cool feature to have, especially since neither
>>sendmail nor qmail currently support it.  My need is for a simple device
>>that simply queues mail and relays it on-demand, no delivery necessary.
>>
>>Jeff Schnitzer
>>[EMAIL PROTECTED]
>>
>>--
>>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
