29 Oct
2008
29 Oct
'08
3:49 p.m.
I have been using UW's IMAP server and I am converting to Dovecot for Maildir support.
When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
Is there a way to indicate that the user does not exist (Invalid user), and authentication Failure (Failed Password)?
Clearly these two failures indicate a different error in the system. One that some forgot their password, the other indicates a dictionary attack.
Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.