using SMTP auth to brute-force passwords



I know that one common problem from the web world and configuring
a web server to use system authentication (such as /etc/shadow) is
that the web server can then be used to more easily brute-force an
account -- there is no delay imposed upon wrong password guesses as
there is via telnet/ssh, etc.  [For the sake of this conversation, 
I am ignoring 3rd party software that adds this functionality.]

When one enables zmailer to do password auth (PARAM smtp-auth), are
there delays imposed to slow down brute force attacks, or can an
attacker pump through the queries as fast as the connection permits?

Are there any other security-related issues here (other than you want
smtp-auth to be happening over SSL)?

[On a related but off topic issue, if anyone knows of a freeware 
product that provides for slowing down brute-forcing on web servers,
please let me know in private email.  The only products I've seen 
so far are commercial.]
--
        Devin Reade        <gdr@gno.org>

-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi
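The throttling the question asks about, as an added illustration that is not zmailer's code and not part of the original post: a per-client backoff for failed SMTP AUTH attempts, where each wrong guess from an address doubles the stall before the next answer and a lockout threshold refuses further attempts. `AuthThrottle`, `handle_auth` and the `CREDENTIALS` store are assumed names with constructed sample data; the reply codes are the standard SMTP AUTH responses (RFC 4954).

```python
import hmac
import time

# Constructed sample credential store (username -> password). A real MTA
# would verify against a hashed store such as /etc/shadow or SASL instead.
CREDENTIALS = {"alice": "correct horse battery staple"}

SMTP_AUTH_OK = "235 2.7.0 Authentication successful"
SMTP_AUTH_BAD = "535 5.7.8 Authentication credentials invalid"
SMTP_AUTH_TEMPFAIL = "454 4.7.0 Too many failed attempts, try again later"


class AuthThrottle:
    """Per-client exponential backoff for failed AUTH attempts (assumed helper)."""

    def __init__(self, base=1.0, cap=32.0, lockout_after=8, window=900.0):
        self.base, self.cap = base, cap              # first delay and its ceiling
        self.lockout_after, self.window = lockout_after, window
        self._failures = {}  # client address -> (failure count, time of last failure)

    def failures(self, addr, now):
        count, last = self._failures.get(addr, (0, 0.0))
        return 0 if now - last > self.window else count  # stale entries expire

    def delay(self, addr, now):
        """Seconds to stall before answering: 0, then base, 2*base, ... up to cap."""
        n = self.failures(addr, now)
        return 0.0 if n == 0 else min(self.base * 2 ** (n - 1), self.cap)

    def locked_out(self, addr, now):
        return self.failures(addr, now) >= self.lockout_after

    def note(self, addr, ok, now):
        if ok:
            self._failures.pop(addr, None)           # success clears the history
        else:
            self._failures[addr] = (self.failures(addr, now) + 1, now)


def handle_auth(throttle, addr, user, password, now=None, sleep=time.sleep):
    """Handle one AUTH attempt from addr; stall and refuse according to policy."""
    now = time.time() if now is None else now
    if throttle.locked_out(addr, now):
        return SMTP_AUTH_TEMPFAIL          # refuse without even checking the guess
    sleep(throttle.delay(addr, now))       # wrong guesses cost the client wall time
    expected = CREDENTIALS.get(user, "")
    ok = user in CREDENTIALS and hmac.compare_digest(expected.encode(), password.encode())
    throttle.note(addr, ok, now)
    return SMTP_AUTH_OK if ok else SMTP_AUTH_BAD
```

Without the `delay`/`locked_out` steps the handler answers each guess as fast as the connection permits, which is the situation the question describes.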