Bugtraq mailing list archives

Netscape Messaging server 4.15 poor error strings


From: Matt Holtz <mholtz () PUCK NETHER NET>
Date: Wed, 11 Oct 2000 17:30:48 -0400

Hello,
I have searched for anything regarding this problem, and haven't found
anything so I apologize if this has already been covered.

I am dealing with Netscape Messaging Server (aka iPlanet Messaging
Server) 4.15p1 (Mar 15 2000).

The problem is that the POP3 server displays a different message for an
authentication error due to an invalid password than for one due to an
invalid username.  This could be used to "harvest" email addresses for spam
lists.  I have contacted Netscape engineering regarding this issue, and they
have failed to get back to me with an answer.



Here is an example:
I created an account test.user but not one called invalid.user

[mholtz@ ~]$ telnet someserver.example.com 110
Trying 172.16.10.107...
Connected to someserver.example.com (172.16.10.107).
Escape character is '^]'.
+OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
USER test.user
+OK Name is a valid mailbox
PASS blah
-ERR Password incorrect
quit
+OK
Connection closed by foreign host.
[mholtz@ ~]$ telnet someserver.example.com 110
Trying 172.16.10.107...
Connected to someserver.example.com (172.16.10.107).
Escape character is '^]'.
+OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
user invalid.user
+OK Name is a valid mailbox
PASS blah
-ERR User unknown
quit
+OK
Connection closed by foreign host.
[mholtz@ ~]$

I have searched for a way to change this in all of the documentation and
haven't found anything.  Fortunately it does pause for 1 second after an
authentication failure.

Note: this example uses Messaging Server for Solaris 7.



Matt Holtz
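
Added example, not part of the original post and not Netscape's code: a sketch of the PASS-stage check that reproduces the two distinct -ERR strings from the transcript, next to a version that returns one failure string and does the same hashing work for unknown users. The function names, the "+OK Mailbox open" and "-ERR Authentication failed" strings, and the account store are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store: username -> (salt, hash). Not real data.
_SALT = os.urandom(16)
ACCOUNTS = {"test.user": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown user costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("placeholder", _DUMMY_SALT))

def pass_reply_leaky(user: str, password: str) -> str:
    """Mirrors the transcript: a different -ERR string per failure cause."""
    record = ACCOUNTS.get(user)
    if record is None:
        return "-ERR User unknown"
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return "+OK Mailbox open"  # hypothetical success string
    return "-ERR Password incorrect"

def pass_reply_uniform(user: str, password: str) -> str:
    """One failure string, same hash work whether or not the user exists."""
    record = ACCOUNTS.get(user)
    salt, stored = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if record is not None and matches:
        return "+OK Mailbox open"  # hypothetical success string
    return "-ERR Authentication failed"  # hypothetical uniform failure string

def reveals_user_existence(handler) -> bool:
    """Regression check: do failures for a known and an unknown user differ?"""
    known = handler("test.user", "wrong-password")
    unknown = handler("invalid.user", "wrong-password")
    return known != unknown
```

A check like `reveals_user_existence` can sit in a mail server's test suite so that a later change to error handling does not reintroduce the distinction.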

