On Wed, 21 Jul 2010 14:29:10 +0300 Thanos Chatziathanassiou tchatzi@arx.net articulated:
A relatively recent development that spammers got wind of is users that have username==password, with/without the domain. I am tracking numerous 1-off attempts from bots to gain access to mailboxes this way. The situation isn't made any better if you're also using dovecot as the SMTP AUTH provider, for I am ashamed to admit I've relayed some spam that way. Would it be possible to deny login if username==password, with a (non?)polite/custom message to go change your password to something less obvious?
Seriously, this reminds me of a saying by Ron White that I have always thought apropos: "You can't fix stupid." There is no way you can protect a user from their own stupidity. I don't care how many safeguards you put in place. Remember, "Nothing is foolproof to a sufficiently talented fool." Or, as I like to tell others, "Make it idiot proof and someone will make a better idiot." There are reportedly thousands of users who use "Password" for their actual password.
This is not a Dovecot problem. Adding additional checks in Dovecot will only bloat the program and potentially cause other catastrophic problems.
-- Jerry ✌ Dovecot.user@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
"I kind of want to slay the dragon. Let's go to work."
Angel's final words.
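Added example, not code from this thread or from Dovecot: the username==password rule Thanos asks for, written as a standalone policy gate that a site's own authentication wrapper would call before consulting the real password database, which keeps the check out of Dovecot as Jerry argues. It goes slightly beyond the request by comparing case-insensitively; the function names and the rejection message are hypothetical.

```python
# Hypothetical pre-authentication policy check (not part of Dovecot).
# It refuses an attempt outright when the password is merely a copy of
# the login name, with or without the domain, and hands back a custom
# message telling the user to pick something less obvious.

REJECT_MESSAGE = ("Login denied: your password is the same as your username. "
                  "Please change it to something less obvious.")


def username_forms(username):
    """Spellings of the login that a bot would try as the password:
    the full login as typed and, when it carries a domain, the bare
    local part. Everything is lower-cased for a case-insensitive match."""
    u = username.strip().lower()
    forms = {u}
    if "@" in u:
        local, _, _domain = u.partition("@")
        forms.add(local)
    return forms


def password_equals_username(username, password):
    """True when the password is the username with or without the domain."""
    return password.strip().lower() in username_forms(username)


def check_login(username, password):
    """Policy gate. Returns (allowed, message). It never verifies the real
    password; it only declines to try when the credential is obviously weak,
    so the real lookup (and any SMTP AUTH relay) never happens."""
    if password_equals_username(username, password):
        return False, REJECT_MESSAGE
    return True, ""


if __name__ == "__main__":
    # Constructed sample attempts of the kind described in the thread.
    for user, pw in [("alice@example.com", "alice"),
                     ("alice@example.com", "alice@example.com"),
                     ("bob", "correct horse battery staple")]:
        allowed, msg = check_login(user, pw)
        print(user, "->", "allowed" if allowed else msg)
```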