It is also possible to do this through the FTP interface [or at least it was the last time I checked]. FTP'ing to a CommuniGate server and attempting to log in to an account enough times to lock out the account results in a change in the response when the account is locked. Actual accounts get locked and a response states that the account is locked; non-existent ones keep the same response string.
I believe this can be worked around now with the Temporarily Blocked IP Addresses setting. As long as the IP gets blocked before the account gets locked out, and the blocking time exceeds the lockout time, you should be alright. I have not tested this theory or even thought really hard about it but it seems logical. Actually, attacking an account from N IP addresses will circumvent this configuration. Oh well. So, my theory may only work against 1 IP attacking 1 or more accounts [in theory].
Also, do non-existent accounts result in failed login attempts being incremented? That may be another hole in my theory.
On 8/27/2010 4:01 AM, Ian Mordey wrote:
Hi there
It seems it is possible to determine valid email addresses using the password recovery of CGP webmail. If you key in an account name that doesn't exist, you get an error "unknown user account"; if you key in a valid account, you get a different message, "no password recovery email address has been specified". Are these messages customisable?
Thanks
Ian
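A constructed model, added here and not part of the thread or of CommuniGate Pro, of the two points raised above: one failure reply for unknown users, wrong passwords and locked accounts (closing the oracle in both the FTP and the password-recovery case), and the per-IP block / per-account lockout ordering the reply theorizes. The policy values, account name and IP addresses are made up.

```python
from dataclasses import dataclass, field
# Constructed policy values (assumption), not CommuniGate Pro defaults.
IP_BLOCK_AFTER, IP_BLOCK_SECONDS = 5, 900   # per-IP failures -> temporary IP block
LOCK_AFTER, LOCK_SECONDS = 10, 600         # per-account failures -> account lock
# One reply for every failure cause (wrong password, unknown user, locked account,
# blocked IP), so the reply string itself cannot serve as an oracle.
GENERIC_FAILURE = "530 Login incorrect."

def config_is_sound() -> bool:
    """The reply's two conditions: one IP is blocked before it can lock an account, and the block outlasts the lock."""
    return IP_BLOCK_AFTER < LOCK_AFTER and IP_BLOCK_SECONDS >= LOCK_SECONDS

@dataclass
class LoginGate:
    accounts: dict                                      # user -> password
    ip_fail: dict = field(default_factory=dict)
    ip_blocked_until: dict = field(default_factory=dict)
    acct_fail: dict = field(default_factory=dict)
    acct_locked_until: dict = field(default_factory=dict)
    def login(self, ip: str, user: str, password: str, now: float) -> str:
        if self.ip_blocked_until.get(ip, 0) > now:
            return GENERIC_FAILURE
        if self.acct_locked_until.get(user, 0) > now:
            return GENERIC_FAILURE          # locked looks like any other failure
        if user in self.accounts and self.accounts[user] == password:
            self.ip_fail.pop(ip, None)
            self.acct_fail.pop(user, None)
            return "230 User logged in."
        self.ip_fail[ip] = self.ip_fail.get(ip, 0) + 1
        if self.ip_fail[ip] >= IP_BLOCK_AFTER:
            self.ip_blocked_until[ip] = now + IP_BLOCK_SECONDS
        if user in self.accounts:           # unknown names get no lock counter,
            self.acct_fail[user] = self.acct_fail.get(user, 0) + 1
            if self.acct_fail[user] >= LOCK_AFTER:
                self.acct_locked_until[user] = now + LOCK_SECONDS
        return GENERIC_FAILURE              # but the reply is the same either way

def single_ip_trial(attempts: int = 20) -> tuple:
    """Wrong passwords for one real account from one IP, one per second; returns (ip_blocked, account_locked)."""
    gate = LoginGate(accounts={"alice": "correct-horse"})   # constructed account
    for t in range(attempts):
        gate.login("198.51.100.7", "alice", f"guess{t}", now=float(t))
    return (gate.ip_blocked_until.get("198.51.100.7", 0) > attempts,
            gate.acct_locked_until.get("alice", 0) > attempts)

def replies_are_uniform() -> bool:
    gate = LoginGate(accounts={"alice": "correct-horse"})
    replies = {gate.login("203.0.113.9", u, "x", 0.0) for u in ("nobody", "alice")}
    return replies == {GENERIC_FAILURE}
```

With these values the single IP is blocked after 5 failures and the account counter never reaches 10, which is the ordering the reply relies on; the per-IP counter is also exactly what the reply's N-IP caveat defeats, so the uniform reply string is the part that holds regardless.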