using SMTP auth to brute-force passwords
I know that one common problem in the web world, when configuring
a web server to use system authentication (such as /etc/shadow), is
that the web server can then be used to more easily brute-force an
account -- there is no delay imposed upon wrong password guesses as
there is via telnet/ssh, etc. [For the sake of this conversation,
I am ignoring third-party software that adds this functionality.]
When one enables zmailer to do password auth (PARAM smtp-auth), are
there delays imposed to slow down brute force attacks, or can an
attacker pump through the queries as fast as the connection permits?
Are there any other security-related issues here (other than you want
smtp-auth to be happening over SSL)?
[On a related but off topic issue, if anyone knows of a freeware
product that provides for slowing down brute-forcing on web servers,
please let me know in private email. The only products I've seen
so far are commercial.]
--
Devin Reade <gdr@gno.org>
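The mitigation the question is asking about, as an added example that is not part of the original post and says nothing about what zmailer itself does: a server-side failure tracker for SMTP AUTH PLAIN that holds the connection for a growing delay after each wrong guess and refuses the account once a threshold is reached, so an attacker cannot pump guesses through as fast as the connection permits. The payload decoding follows RFC 4616 and the reply codes RFC 4954; the credential store, the client address, the policy values (1 s base delay doubling to a 30 s cap, lockout after 10 failures in 10 minutes) and all function names are assumptions for the illustration.

```python
import base64
import binascii
import hmac
import time
from collections import defaultdict

# Constructed credential store for the example only; a real server would
# consult PAM, /etc/shadow or an auth database, never a plaintext dict.
USERS = {"alice": "correct horse"}


def auth_plain_payload(user, passwd, authzid=""):
    """Build the base64 argument a client sends with AUTH PLAIN (RFC 4616)."""
    raw = b"\x00".join(p.encode("utf-8") for p in (authzid, user, passwd))
    return base64.b64encode(raw).decode("ascii")


def parse_auth_plain(b64):
    """Decode base64([authzid] NUL authcid NUL passwd); ValueError if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64") from exc
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return tuple(p.decode("utf-8") for p in parts)  # UnicodeDecodeError is a ValueError


class AuthThrottle:
    """Failed-login tracker per (client address, account).

    Policy values are assumed for the example: the delay before answering
    doubles with each recent failure up to max_delay, and the account is
    refused from that client once lockout_after failures fall inside window."""

    def __init__(self, base_delay=1.0, max_delay=30.0, lockout_after=10,
                 window=600.0, clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.window, self.clock = lockout_after, window, clock
        self._failures = defaultdict(list)  # (client, user) -> failure timestamps

    def _recent(self, client, user):
        """Expire failures older than the window and return the remainder."""
        cutoff = self.clock() - self.window
        kept = [t for t in self._failures[(client, user)] if t >= cutoff]
        self._failures[(client, user)] = kept
        return kept

    def required_delay(self, client, user):
        n = len(self._recent(client, user))
        if n == 0:
            return 0.0
        return float(min(self.base_delay * 2 ** (n - 1), self.max_delay))

    def is_locked(self, client, user):
        return len(self._recent(client, user)) >= self.lockout_after

    def record_failure(self, client, user):
        self._failures[(client, user)].append(self.clock())

    def record_success(self, client, user):
        self._failures.pop((client, user), None)


def check_password(user, passwd):
    """Constant-time comparison against the constructed store."""
    expected = USERS.get(user, "")
    return hmac.compare_digest(passwd.encode("utf-8"), expected.encode("utf-8"))


def smtp_auth(throttle, client, b64, sleep=time.sleep):
    """Handle one AUTH PLAIN attempt; returns (reply line, delay applied in seconds)."""
    try:
        _authzid, user, passwd = parse_auth_plain(b64)
    except ValueError:
        return "501 5.5.2 cannot decode AUTH parameter", 0.0
    if throttle.is_locked(client, user):
        return "454 4.7.0 temporary authentication failure, try later", 0.0
    delay = throttle.required_delay(client, user)
    if delay:
        sleep(delay)  # hold the connection so guesses cannot be pumped back to back
    if check_password(user, passwd):
        throttle.record_success(client, user)
        return "235 2.7.0 authentication successful", delay
    throttle.record_failure(client, user)
    return "535 5.7.8 authentication credentials invalid", delay


def simulate_attack(guesses, user="alice", client="198.51.100.7", sleep=lambda s: None):
    """One client hammering one account; returns the (reply, delay) list the server produced.
    Sleeping is stubbed out so the simulation runs instantly."""
    throttle = AuthThrottle()
    return [smtp_auth(throttle, client, auth_plain_payload(user, g), sleep=sleep)
            for g in guesses]


if __name__ == "__main__":
    for reply, delay in simulate_attack([f"guess{i}" for i in range(11)] + ["correct horse"]):
        print(f"{delay:5.1f}s  {reply}")
```

Running it shows ten 535 replies whose imposed delay grows 0, 1, 2, 4, 8, 16, 30, 30, 30, 30 seconds (151 s of attacker time for ten guesses), after which even the correct password is answered with a temporary 454 from that client until the window expires. The temporary 4xx code is deliberate: a legitimate client retries later, while a 5xx would tell an attacker the account state outright.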