[17180] in bugtraq
Netscape Messaging server 4.15 poor error strings
daemon@ATHENA.MIT.EDU (Matt Holtz)
Thu Oct 12 15:08:59 2000
Message-ID: <20001011173048.A1952@voyager.net>
Date: Wed, 11 Oct 2000 17:30:48 -0400
Reply-To: Matt Holtz <mholtz@PUCK.NETHER.NET>
From: Matt Holtz <mholtz@PUCK.NETHER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
I have searched for anything regarding this problem, and haven't found
anything so I apologize if this has already been covered.
I am dealing with Netscape Messaging Server (aka iPlanet Messaging
Server) 4.15p1 (Mar 15 2000).
The problem is that the POP3 server displays a different message for an
authentication error due to an invalid password than for one due to an
invalid username. This could be used to "harvest" email addresses for spam
lists. I have contacted Netscape engineering regarding this issue, and they
have failed to get back to me with an answer.
Here is an example:
I created an account test.user but not one called invalid.user.
[mholtz@ ~]$ telnet someserver.example.com 110
Trying 172.16.10.107...
Connected to someserver.example.com (172.16.10.107).
Escape character is '^]'.
+OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
USER test.user
+OK Name is a valid mailbox
PASS blah
-ERR Password incorrect
quit
+OK
Connection closed by foreign host.
[mholtz@ ~]$ telnet someserver.example.com 110
Trying 172.16.10.107...
Connected to someserver.example.com (172.16.10.107).
Escape character is '^]'.
+OK someserver.example.com POP3 service (Netscape Messaging Server 4.15 Patch 1 (built Mar 15 2000))
user invalid.user
+OK Name is a valid mailbox
PASS blah
-ERR User unknown
quit
+OK
Connection closed by foreign host.
[mholtz@ ~]$
I have searched for a way to change this in all of the documentation and
haven't found anything. Fortunately it does pause for 1 second after an
authentication failure.
Note: this example uses Messaging Server for Solaris 7.
Matt Holtz
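An added illustration of the behaviour in the report and of the fix the poster could not find in the documentation: a toy POP3 USER/PASS handler in two modes, one reproducing the distinct "User unknown" / "Password incorrect" replies and one returning a single uniform error for both failure causes. This is example code written for this page, not Netscape's server code; the account table and the reply strings of the hardened mode are constructed.

```python
"""Toy model of the POP3 USER/PASS exchange: the distinguishing replies seen
in the report beside a hardened handler with one error string for any failure.
Illustrative model only, not the Netscape Messaging Server implementation."""
import hmac

# Constructed sample account table: username -> password. Plain text only for
# the illustration; a real server would verify against a stored hash.
ACCOUNTS = {"test.user": "s3cret"}

WEAK = "weak"          # distinct error strings, as observed in the report
HARDENED = "hardened"  # identical error string whichever check failed


class Pop3AuthState:
    """Holds the name given by USER until the matching PASS arrives."""
    def __init__(self, mode=HARDENED):
        self.mode = mode
        self.pending_user = None
        self.authenticated = False


def handle_line(state, line, accounts=ACCOUNTS):
    """Return the server reply for one USER or PASS command line."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        # Accept any name here; the transcript shows the server does the same.
        state.pending_user = arg
        return "+OK Name is a valid mailbox"
    if verb == "PASS":
        if state.pending_user is None:
            return "-ERR USER required first"
        user, state.pending_user = state.pending_user, None
        expected = accounts.get(user)
        if state.mode == WEAK:
            if expected is None:
                return "-ERR User unknown"        # leaks: name does not exist
            if not hmac.compare_digest(expected, arg):
                return "-ERR Password incorrect"  # leaks: name does exist
        else:
            # Always run the comparison (against "" for an unknown user) and
            # collapse both failure causes into one reply; the fixed pause the
            # report mentions belongs in the connection handler, after this.
            candidate = expected if expected is not None else ""
            ok = hmac.compare_digest(candidate, arg) and expected is not None
            if not ok:
                return "-ERR Authentication failed"
        state.authenticated = True
        return "+OK Maildrop ready"
    return "-ERR Unknown command"
```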