Bugtraq mailing list archives
Re: FTGate and POP3 protocol
From: jcr () IWBC NET (Jeremy C. Reed)
Date: Wed, 5 Jul 2000 16:23:34 -0700
On Sun, 2 Jul 2000, Andrew Lewis wrote:
> Yeah, it's official - it's a problem with the POP3 protocol rather than with FTGate specifically. Other affected daemons are gnu-pop3d,

gnu-pop3d does not act this way.

> Although returning a -ERR code when an invalid username is given *is* RFC compliant, and that there is the delay feature to slow-down bruteforcing, it's still a fairly stupid idea. :/

In the following examples, jcr is a real/valid user and bogususer is an invalid user:

+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1163.962839007 () jcr2 iwbc net>
user jcr
+OK
pass 12345
-ERR Bad login

+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1165.962839016 () jcr2 iwbc net>
user bogususer
+OK
pass 12345
-ERR Bad login

(My previous posting about gnu-pop3d was unclear. I also misunderstood the original posting -- I thought that it was saying that if the USER didn't authenticate with PASS then it should disconnect.)

Jeremy C. Reed
-----------------------------------------
IWBC ISP Services
jcr () iwbc net
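
An added example, not part of the post above or of any server's code: a check that compares a POP3 login transcript for a known-valid user with one for an invalid user and reports the first command whose reply differs. GNU_VALID and GNU_INVALID are the sessions quoted in the post; LEAKY_INVALID and the function names are constructed for illustration.

```python
from itertools import zip_longest

# The two gnu-pop3d 0.9.8 sessions quoted in the post above.
GNU_VALID = """\
+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1163.962839007 () jcr2 iwbc net>
user jcr
+OK
pass 12345
-ERR Bad login
"""
GNU_INVALID = """\
+OK POP3 Welcome to GNU POP3 Server Version 0.9.8 <1165.962839016 () jcr2 iwbc net>
user bogususer
+OK
pass 12345
-ERR Bad login
"""
# Constructed sample: a server that answers -ERR to USER for an unknown name.
LEAKY_INVALID = """\
+OK POP3 server ready
user bogususer
-ERR unknown user
"""


def parse_session(text):
    """Return [(COMMAND, full reply line)] for each client command."""
    replies, pending = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("+OK", "-ERR")):
            if pending is not None:        # reply to the last client command
                replies.append((pending, line))
                pending = None
            # a status line with no pending command is the greeting: ignored,
            # because its timestamp differs on every connection
        else:
            pending = line.split()[0].upper()   # USER, PASS, ...
    return replies


def first_divergence(valid_session, invalid_session):
    """Command whose reply differs between the two sessions, or None."""
    pairs = zip_longest(parse_session(valid_session),
                        parse_session(invalid_session))
    for valid, invalid in pairs:
        if valid != invalid:
            return (valid or invalid)[0]
    return None
```

Identical reply text does not rule out a timing difference between the two cases; that has to be measured separately.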