Bugtraq mailing list archives

Re: Problems with FTGate


From: jcr () IWBC NET (Jeremy C. Reed)
Date: Tue, 27 Jun 2000 18:13:41 -0700


On Mon, 26 Jun 2000, Andrew Lewis wrote:

> FTGate's POP3 server responds to invalid USER requests with a -ERR code
> and doesn't disconnect you. This means that it is possible to bruteforce
> usernames and passwords with ease.

What does "invalid USER requests" mean? It is normal for (at least RFC
1939-based) POP3 servers to output an "-ERR" message and to then allow the
user to attempt another USER/PASS attempt.

From RFC 1939:

             To authenticate using the USER and PASS command
             combination, the client must first issue the USER
             command.  If the POP3 server responds with a positive
             status indicator ("+OK"), then the client may issue
             either the PASS command to complete the authentication,
             or the QUIT command to terminate the POP3 session.  If
             the POP3 server responds with a negative status indicator
             ("-ERR") to the USER command, then the client may either
             issue a new authentication command or may issue the QUIT
             command.

This issue (problem?) exists in several other POP3 servers, including the
patched (for virtual domains) version of gnu-pop3d that I use.

RFC 2449 has a capability idea called LOGIN-DELAY that may partially help
this problem. Since most POP3 connections are done via a script or a
program (not manually), I agree that a POP3 server should close the
connection after an "-ERR" in the authorization state. (Of course, a more
serious problem is using plain POP3 to transfer plain-text usernames and
passwords -- but that's another discussion.)

         Jeremy Reed

         http://www.iwbc.net/
         http://bsd.reedmedia.net/
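The following is an added illustration of the exchange discussed in this thread; it is not part of Jeremy Reed's message and is not code from FTGate or gnu-pop3d. It simulates a POP3 server's authorization state in-process (no sockets) with three policy knobs: the RFC 1939 behaviour quoted above (a -ERR to USER or PASS leaves the connection open for another attempt), the proposed mitigation of closing the connection after any -ERR before login, and an RFC 2449 LOGIN-DELAY capability modelled as a minimum interval between logins of the same user, answered with the `[LOGIN-DELAY]` response code on PASS. A `confirm_user` switch is also included, since a server that says -ERR only for unknown names lets an attacker enumerate valid usernames before spending a single password guess. The account store, wordlists and attacker loop are constructed for the example.

```python
"""Simulated POP3 authorization state: RFC 1939 behaviour beside two
mitigations. Constructed, in-process example: no sockets, no real
accounts; the server, wordlists and attacker loop are all hypothetical."""
from dataclasses import dataclass, field

ACCOUNTS = {"alice": "s3cret", "bob": "hunter2"}      # constructed store
USER_GUESSES = ["root", "alice", "bob", "carol"]      # constructed wordlists
PASS_GUESSES = ["password", "hunter2", "s3cret"]


@dataclass
class Pop3AuthServer:
    """Policy knobs for the authorization state (assumptions of this
    example, not FTGate's or gnu-pop3d's actual configuration)."""
    confirm_user: bool = True   # -ERR on unknown USER (RFC 1939 allows either)
    close_on_err: bool = False  # disconnect after any -ERR before login
    login_delay: int = 0        # RFC 2449 LOGIN-DELAY, seconds between logins
    clock: float = 0.0          # simulated time, advanced by the caller
    last_login: dict = field(default_factory=dict)

    def new_connection(self) -> "Pop3Session":
        return Pop3Session(self)


class Pop3Session:
    """One client connection, starting in the authorization state."""

    def __init__(self, server: Pop3AuthServer):
        self.server = server
        self.user = None            # set once USER has been accepted
        self.open = True            # False once the server hangs up
        self.authenticated = False

    def handle(self, line: str) -> str:
        """Process one client command and return the server's reply."""
        if not self.open:
            raise RuntimeError("connection already closed")
        verb, _, arg = line.strip().partition(" ")
        verb, srv = verb.upper(), self.server
        if verb == "CAPA":
            caps = ["USER"] + ([f"LOGIN-DELAY {srv.login_delay}"] if srv.login_delay else [])
            return "+OK Capability list follows\r\n" + "".join(c + "\r\n" for c in caps) + "."
        if verb == "QUIT":
            self.open = False
            return "+OK bye"
        if self.authenticated and verb in ("USER", "PASS"):
            return "-ERR already in transaction state"
        if verb == "USER":
            if arg in ACCOUNTS or not srv.confirm_user:
                self.user = arg         # accept; an unknown name now fails at PASS
                return "+OK send PASS"
            return self._err("no such user")
        if verb == "PASS":
            user, self.user = self.user, None   # a failed PASS needs a fresh USER
            if user is None:
                return self._err("send USER first")
            if ACCOUNTS.get(user) != arg:
                return self._err("invalid password")
            last = srv.last_login.get(user)
            if srv.login_delay and last is not None and srv.clock - last < srv.login_delay:
                return self._err("[LOGIN-DELAY] logged in too recently")
            self.user, self.authenticated = user, True
            srv.last_login[user] = srv.clock
            return "+OK logged in"
        return self._err("unknown command")

    def _err(self, msg: str) -> str:
        """Negative reply; with close_on_err the server also disconnects."""
        if self.server.close_on_err:
            self.open = False
        return "-ERR " + msg


def brute_force(server: Pop3AuthServer):
    """Constructed attacker loop: probe each name with USER, then guess
    passwords with PASS, reconnecting whenever the server hangs up.
    Returns (found_credentials, connections_used, pass_attempts)."""
    found, connections, pass_attempts, sess = [], 0, 0, None
    for u in USER_GUESSES:
        for p in PASS_GUESSES:
            if sess is None or not sess.open:
                sess = server.new_connection()
                connections += 1
            if not sess.handle(f"USER {u}").startswith("+OK"):
                break                       # name rejected outright: next name
            pass_attempts += 1
            if sess.handle(f"PASS {p}").startswith("+OK"):
                found.append((u, p))
                sess.handle("QUIT")         # leave the transaction state
                break
    return found, connections, pass_attempts


if __name__ == "__main__":
    for policy in (Pop3AuthServer(), Pop3AuthServer(close_on_err=True),
                   Pop3AuthServer(confirm_user=False)):
        print(policy.confirm_user, policy.close_on_err, brute_force(policy))
```

Run stand-alone, the script shows that the RFC 1939 default lets the attacker recover both constructed passwords over three connections, that closing on -ERR forces a fresh connection for every failed guess (seven connections for the same five PASS attempts, which is what makes connection-level rate limiting or tarpitting bite), and that answering +OK to every USER more than doubles the PASS attempts the attacker has to spend because invalid names can no longer be discarded for free. The LOGIN-DELAY knob, as modelled here after RFC 2449, only throttles repeat logins after a success, which is why it helps the brute-force problem at most partially.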

