Bugtraq mailing list archives
Re: FTGate and POP3 protocol
From: jcr () IWBC NET (Jeremy C. Reed)
Date: Wed, 5 Jul 2000 16:23:34 -0700
On Sun, 2 Jul 2000, Andrew Lewis wrote:
> Yeah, it's official - it's a problem with the POP3 protocol rather than with FTGate specifically. Other affected daemons are gnu-pop3d,

gnu-pop3d does not act this way.

> Although returning a -ERR code when an invalid username is given *is* RFC compliant, and that there is the delay feature to slow-down bruteforcing, it's still a fairly stupid idea. :/

In the following examples, jcr is a real/valid user and bogususer is an
invalid user:
+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1163.962839007 () jcr2 iwbc net>
user jcr
+OK
pass 12345
-ERR Bad login
+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1165.962839016 () jcr2 iwbc net>
user bogususer
+OK
pass 12345
-ERR Bad login
(My previous posting about gnu-pop3d was unclear. I also misunderstood
the original posting -- I thought that it was saying that if the USER
didn't authenticate with PASS then it should disconnect.)
Jeremy C. Reed
-----------------------------------------
IWBC ISP Services
jcr () iwbc net
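
The difference discussed in this message, as an added example that is not part of the original post and is not code from gnu-pop3d or FTGate: a minimal USER/PASS handler that can answer either with -ERR on an unknown USER or uniformly as in the transcripts above, plus a check that compares the two failed-login transcripts. The names Pop3Auth, USERS, transcript and leaks_usernames, the sample password, and the "-ERR No such user" and "-ERR USER first" strings are assumptions made for the example.

```python
import hmac

# Constructed sample account store (assumption; not from the post).
USERS = {"jcr": "s3cret-example"}

class Pop3Auth:
    """Minimal USER/PASS state machine for the POP3 AUTHORIZATION state."""

    def __init__(self, uniform=True):
        self.uniform = uniform  # True: answer like the transcripts in the post
        self.user = None

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if not self.uniform and arg not in USERS:
                self.user = None
                return "-ERR No such user"  # tells the client the name is invalid
            self.user = arg                 # accept any name, decide at PASS
            return "+OK"
        if verb == "PASS":
            if self.user is None:
                return "-ERR USER first"
            user, self.user = self.user, None
            # Unknown users are compared against a dummy value so both
            # paths do the same work and return the same error text.
            expected = USERS.get(user, "\x00dummy")
            same = hmac.compare_digest(arg.encode(), expected.encode())
            return "+OK Mailbox open" if same and user in USERS else "-ERR Bad login"
        return "-ERR Unknown command"

def transcript(username, password, uniform):
    """Server replies to one USER/PASS attempt on a fresh session."""
    session = Pop3Auth(uniform)
    return [session.handle(f"USER {username}"), session.handle(f"PASS {password}")]

def leaks_usernames(uniform):
    """True when a failed login looks different for a valid and an invalid name."""
    return transcript("jcr", "12345", uniform) != transcript("bogususer", "12345", uniform)

if __name__ == "__main__":
    for uniform in (False, True):
        print("uniform" if uniform else "-ERR on USER", "leaks:", leaks_usernames(uniform))
```
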
