Bugtraq mailing list archives
Netscape Messaging server 4.15 poor error strings
From: Matt Holtz <mholtz () PUCK NETHER NET>
Date: Wed, 11 Oct 2000 17:30:48 -0400
Hello, I have searched for anything regarding this problem, and haven't found anything so I apologize if this has already been covered. I am dealing with Netscape Messaging Server (aka Iplanet Messaging server) 4.15p1 (mar 15 2000). The problem is that the POP3 server displays a different message for an authentication error due to an invalid password then for one due to an invalid username. This could be used to "harvest" email addresses for spam lists. I have contacted Netscape engineering regarding this issue, and they have failed to get back to me with an answer. Here is an example: I created an account test.user but not one called invalid.user [mholtz@ ~]$ telnet someserver.example.com 110 Trying 172.16.10.107... Connected to someserver.example.com (172.16.10.107). Escape character is '^]'. +OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000)) USER test.user +OK Name is a valid mailbox PASS blah -ERR Password incorrect quit +OK Connection closed by foreign host. [mholtz@ ~]$ telnet someserver.example.com 110 Trying 172.16.10.107... Connected to someserver.example.com (172.16.10.107). Escape character is '^]'. +OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000)) user invalid.user +OK Name is a valid mailbox PASS blah -ERR User unknown quit +OK Connection closed by foreign host. [mholtz@ ~]$ I have searched for a way to change this in all of the documentation and haven't found anything. Fortunately it does pause for 1 second after an authentication failure. Note: this example uses messaging server for solaris 7. Matt Holtz
Current thread:
- Netscape Messaging server 4.15 poor error strings Matt Holtz (Oct 12)
- Re: Netscape Messaging server 4.15 poor error strings James Mancini (Oct 13)