RE: [vchkpw] Eureka! Finished POP3-Frequency-Patch (against brute forcing)

2004-02-11 Thread Anders Brander
Hi,

On Thu, 2004-02-12 at 04:40, Jake S wrote:
> >> Also, perhaps instead of "you have to wait xx minutes" maybe you can
> >> just list 0 messages.
> > The idea of listing 0 messages (as new) could lead to some support
> > nightmares. A customer consequently using the wrong password, and there
> > is no sign that anything is wrong - or worse, some third malicious party
> > causing this.
> I'm not seeing your logic. If a user has made it to checking their
> inbox, then the credentials would have already been checked via vchkpw,
> correct or not, and the appropriate errors would be listed.

Oh, I see - I thought you meant it should return "0 new messages" for a bad
user/password - but you actually meant "0 new messages" as the response to a
correct user/password, but only after x failed tries?

> Also, with a timeout error code you're bound to get support calls asking if
> you can bend the rules for that user because they have a "very" important
> message (usually larger penis ads) versus you simply say no new messages
> and no one knows the difference.

If you just say no new messages, it can go on for months without the user
knowing it. It only takes one malicious attacker making x failed authentication
attempts every y minutes to effectively suspend mail delivery.

And instead you will receive support calls/emails that goes like "I NEED
THAT EMAIL NOW!!! MY CLIENT SENT IT LIKE 20 YEARS AGO, AND IT STILL
ISN'T HERE!!! SOMETHING IS WACKED WITH YOU PEOPLE!!" (Yep, smile! :-))

/Anders
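A constructed model of the lockout window Anders describes, added here as an illustration (not code from the patch or from the list): with x=3 failures and y=30 minutes as assumed values, an attacker who lands x failed logins inside every y-minute window keeps the mailbox's real owner locked out for the whole day, which is the mail-delivery denial of service he warns about.

```python
from collections import defaultdict, deque


class PopLockout:
    """Per-mailbox lockout: refuse service once max_failures bad logins
    fall inside a sliding window of window_minutes (x and y in the thread;
    the default values are assumptions for the simulation)."""

    def __init__(self, max_failures=3, window_minutes=30):
        self.max_failures = max_failures
        self.window = window_minutes
        self.failures = defaultdict(deque)  # user -> failure timestamps (minutes)

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()  # failures older than the window no longer count

    def is_locked(self, user, now):
        self._prune(user, now)
        return len(self.failures[user]) >= self.max_failures

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'bad-password' for one POP3 login."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            return "ok"
        self.failures[user].append(now)
        return "bad-password"


def simulate(hours=24, max_failures=3, window_minutes=30, legit_every=15):
    """Attacker sends max_failures wrong passwords at the start of every
    window; the owner polls with the right password every legit_every
    minutes. Returns (owner attempts, owner attempts that were served)."""
    policy = PopLockout(max_failures, window_minutes)
    tried = served = 0
    for minute in range(hours * 60):
        if minute % window_minutes == 0:
            for _ in range(max_failures):  # constructed attacker traffic
                policy.attempt("alice", False, minute)
        if minute % legit_every == 0:
            tried += 1
            if policy.attempt("alice", True, minute) == "ok":
                served += 1
    return tried, served
```

With the defaults, the owner makes 96 polls over the day and none is served; the attacker spent only 3 guesses per half hour to achieve that.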




RE: [vchkpw] Eureka! Finished POP3-Frequency-Patch (against brute forcing)

2004-02-11 Thread Jake S

Anders Brander said:
> Hi,
>
> On Thu, 2004-02-12 at 02:15, Jake S wrote:
>> Also, perhaps instead of "you have to wait xx minutes" maybe you can
>> just
>> list 0 messages.
>
> The idea of listing 0 messages (as new) could lead to some support
> nightmares. A customer consequently using the wrong password, and there
> is no sign that anything is wrong - or worse, some third malicious part
> causing this.
>
> /Anders
>
>
>
Anders,
I'm not seeing your logic. If a user has made it to checking their
inbox, then the credentials would have already been checked via vchkpw,
correct or not, and the appropriate errors would be listed.

Also, with a timeout error code you're bound to get support calls asking if
you can bend the rules for that user because they have a "very" important
message (usually larger penis ads) versus you simply say no new messages
and no one knows the difference.

Just some thoughts

Either way I'd like to see that patch!


Thank you,
Jake S