RE: [vchkpw] Heureka! Finished POP3-Frequency-Patch (against bruteforcing)
-Original Message- From: knom [mailto:[EMAIL PROTECTED] Sent: Wednesday, February 11, 2004 4:21 PM To: [EMAIL PROTECTED] Subject: [vchkpw] Heureka! Finished POP3-Frequency-Patch (against bruteforcing) Hi! I finished the Patch forqmail-pop3d which doesn't allow more then xx logins every yy seconds. (As some of you may know from GMX.net) If you log in more often then eg. 10 times in 5 minutes you get an error message which says, that you have to wait xx minutes until relogin. Thats quite good against pop3 bruteforcing, I think ! If anybody is interested in how including this feature, please write me ! Thanks, knom. Are you throttling connections by IP address or by username/passwords? Also, perhaps instead of you have to wait xx minutes maybe you can just list 0 messages. Jake
Re: [vchkpw] Heureka! Finished POP3-Frequency-Patch (against bruteforcing)
Hi, On Thu, 2004-02-12 at 01:21, knom wrote: I finished the Patch forqmail-pop3d which doesn't allow more then xx logins every yy seconds. Please see my post to the sourceforge tracker [874660]. Can we see the patch anywhere? If you log in more often then eg. 10 times in 5 minutes you get an error message which says, that you have to wait xx minutes until relogin. Thats quite good against pop3 bruteforcing, I think ! - and, not to nitpick - but imho it's a bad idea to show the timeout. It would be a handy tool for DOS'ers. They could easily optimize the attack specific to your site. /Anders
RE: [vchkpw] Heureka! Finished POP3-Frequency-Patch (against bruteforcing)
Hi, On Thu, 2004-02-12 at 02:15, Jake S wrote: Also, perhaps instead of you have to wait xx minutes maybe you can just list 0 messages. The idea of listing 0 messages (as new) could lead to some support nightmares. A customer consequently using the wrong password, and there is no sign that anything is wrong - or worse, some third malicious part causing this. /Anders
