Subject: Netscape Messaging server 4.15 poor error strings
From: Matt Holtz (mholtz PUCK.NETHER.NET)
Date: Wed Oct 11 2000 - 16:30:48 CDT
Hello,
I have searched for anything regarding this problem, and haven't found
anything so I apologize if this has already been covered.
I am dealing with Netscape Messaging Server (aka iPlanet Messaging
Server) 4.15p1 (Mar 15 2000).
The problem is that the POP3 server displays a different message for an
authentication error due to an invalid password than for one due to an
invalid username. This could be used to "harvest" email addresses for spam
lists. I have contacted Netscape engineering regarding this issue, and they
have failed to get back to me with an answer.
Here is an example:
I created an account test.user but not one called invalid.user
[mholtz ~]$ telnet someserver.example.com 110
Trying 172.16.10.107...
Connected to someserver.example.com (172.16.10.107).
Escape character is '^]'.
+OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
USER test.user
+OK Name is a valid mailbox
PASS blah
-ERR Password incorrect
quit
+OK
Connection closed by foreign host.
[mholtz ~]$ telnet someserver.example.com 110
Trying 172.16.10.107...
Connected to someserver.example.com (172.16.10.107).
Escape character is '^]'.
+OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
user invalid.user
+OK Name is a valid mailbox
PASS blah
-ERR User unknown
quit
+OK
Connection closed by foreign host.
[mholtz ~]$
I have searched for a way to change this in all of the documentation and
haven't found anything. Fortunately it does pause for 1 second after an
authentication failure.
Note: this example uses Messaging Server for Solaris 7.
Matt Holtz
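
Added example, not part of the original post and not vendor code: an offline check that takes captured transcripts of failed POP3 logins and reports which stage (USER or PASS) returns replies that differ between sessions, which is the condition the post describes. The function names are assumptions, and the sample input is the two sessions above with the server banner shortened.

```python
import re

# The two failed logins from the post, banner shortened (sample input).
VALID_USER = """+OK POP3 service
USER test.user
+OK Name is a valid mailbox
PASS blah
-ERR Password incorrect
quit
+OK"""
UNKNOWN_USER = """+OK POP3 service
user invalid.user
+OK Name is a valid mailbox
PASS blah
-ERR User unknown
quit
+OK"""

# POP3 commands are case-insensitive, so "user" and "USER" both match.
CMD = re.compile(r"^(USER|PASS)\s+(\S+)", re.IGNORECASE)

def replies_by_stage(transcript):
    """Map each auth command (USER/PASS) to the server reply that followed it."""
    replies, pending = {}, None
    for line in (raw.strip() for raw in transcript.splitlines()):
        match = CMD.match(line)
        if match:
            pending = match.group(1).upper()
        elif pending and line.startswith(("+OK", "-ERR")):
            replies[pending] = line
            pending = None  # greeting and the reply to "quit" are ignored
    return replies

def distinguishing_stages(transcripts):
    """Return the stages whose failed-login replies differ between sessions.

    Every transcript must be a failed login. An empty result means the
    replies do not separate an unknown mailbox from a wrong password.
    """
    seen = {}
    for transcript in transcripts:
        for stage, reply in replies_by_stage(transcript).items():
            seen.setdefault(stage, set()).add(reply)
    return {stage: sorted(r) for stage, r in seen.items() if len(r) > 1}

if __name__ == "__main__":
    print(distinguishing_stages([VALID_USER, UNKNOWN_USER]))
```

On the sessions from the post the USER replies are identical and only the PASS stage is reported; a server that answers both failures with the same -ERR text yields an empty result.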