> Using the pop3 mechanism to crack user passwords
>
> Given a file full of usernames and the standard 'dict file' one can
> currently connect to the pop3 daemon and efficiently try passwords for a
> user until the proper one is gotten or one runs out of passwords without any
> noticeable effects on the server. I've tested this method myself using
> several accounts and lots of random crap between valid passwords. A 3
> account userfile with a 20k dictfile took appx 2 minutes to generate the
> passwords for all 3 accounts.
>
> Solution:
>
> Implement random delay times, logging, and disconnection within the pop3
> daemon

qpopper, the POP server from Qualcomm (makers of Eudora for PeeCees), does a
10 second delay and disconnects on a bad password. It also logs EVERYTHING to
a file and is very configurable. We've been using it for a few months now,
and it's worked very well. See ftp.qualcomm.com:/quest/unix/servers.

--
    ///  Stefan Hudson <hudson@mbay.net>
__ ///   Senior Network Administrator - Monterey Bay Internet
\\\///   http://www.mbay.net/  -  Email: info@mbay.net
 \XX/    Voice: 408-642-6100  Fax: 408-642-6101  Modem: 408-642-6102
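
As an added example (not part of the original message and not qpopper's own code), here is a Python sketch of the mitigation discussed in this thread: log every failed PASS, wait a randomized delay before replying, then drop the connection. The class name, the jitter value, the reply strings and the sample account are assumptions made for illustration; the 10 second base delay is the figure mentioned above.

```python
import logging
import random
import time

log = logging.getLogger("pop3.auth")


class FailedLoginPolicy:
    """Hypothetical helper: delay, log and disconnect on a bad POP3 password."""

    def __init__(self, check_password, sleep=time.sleep,
                 base_delay=10.0, jitter=5.0, rng=None):
        self.check_password = check_password  # callable(user, password) -> bool
        self.sleep = sleep                    # injectable so tests need not wait
        self.base_delay = base_delay          # seconds; figure from the message
        self.jitter = jitter                  # assumed upper bound on random extra
        self.rng = rng or random.SystemRandom()
        self.failures = {}                    # peer address -> failures, for the log

    def handle_pass(self, peer, user, password):
        """Process one PASS command; return (reply_line, keep_connection_open)."""
        if self.check_password(user, password):
            self.failures.pop(peer, None)
            log.info("login ok user=%r peer=%s", user, peer)
            return "+OK maildrop ready", True
        count = self.failures.get(peer, 0) + 1
        self.failures[peer] = count
        # %r escapes control characters in the client-supplied user name,
        # so a crafted name cannot forge extra log lines.
        log.warning("bad password user=%r peer=%s failures=%d", user, peer, count)
        # Sleep before answering so every guess costs the client real time.
        self.sleep(self.base_delay + self.rng.uniform(0, self.jitter))
        # Same reply for unknown user and wrong password; the caller closes
        # the socket, so the next guess also needs a new connection.
        return "-ERR authentication failed", False

    def min_seconds_for(self, guesses):
        """Lower bound on wall-clock time for sequential failed guesses."""
        return guesses * self.base_delay


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    accounts = {"alice": "correct horse"}  # constructed sample account
    policy = FailedLoginPolicy(lambda u, p: accounts.get(u) == p,
                               sleep=lambda s: None)  # skip real waiting in demo
    print(policy.handle_pass("192.0.2.7", "alice", "wrong"))
    print(policy.handle_pass("192.0.2.7", "alice", "correct horse"))
    print(policy.min_seconds_for(3 * 20000), "seconds for 3 accounts x 20k words")
```

The delay bounds a single connection stream only; the per-peer failure count in the log is what lets an operator spot a client that spreads guesses over many connections.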