From owner-freebsd-security Mon Jun 10 19:26:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA11576 for security-outgoing; Mon, 10 Jun 1996 19:26:43 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA11566 for ; Mon, 10 Jun 1996 19:26:38 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id WAA28542; Mon, 10 Jun 1996 22:25:14 -0400 (EDT)
Date: Mon, 10 Jun 1996 22:26:13 -0400 (EDT)
From: Brian Tao
To: Ade Barkah
cc: security@freebsd.org
Subject: Re: FreeBSD's /var/mail permissions
In-Reply-To: <199606100214.UAA29892@hemi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 9 Jun 1996, Ade Barkah wrote:
>
> Maybe I'll try out this washington.edu daemon. Any security concerns
> with it?

I don't see any explicit warnings about it in CERT's archives,
although it is vulnerable to a brute force attack (e.g., you can use
it to quickly check many user/passwd combinations without it breaking
the connection or logging the failed attempts).

I've got qpopper 2.2 running now and it doesn't seem to have any of
the problems I recall with 2.1.4. It logs failed authentication
attempts and refuses to accept any more commands on a bad login.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
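
Added example, not part of the original message and not code from qpopper or the washington.edu daemon: a small Python model of one POP3 connection's login phase, contrasting the two behaviours the message describes (keep accepting commands and log nothing, versus log the failure and accept no more commands). The function names, credential store, log line format and peer address are assumptions made for the illustration.

```python
import hmac

# Constructed credential store for the demo (not real accounts).
USERS = {"alice": "correct horse"}

def check(user, password):
    expected = USERS.get(user)
    # Unknown users are compared against a dummy value so both paths do the same work.
    same = hmac.compare_digest((expected or "\0").encode(), password.encode())
    return same and expected is not None

def run_session(lines, peer, close_on_failure, log_failures):
    """Feed POP3 command lines to one modelled connection.

    Returns (responses, log_entries, passwords_checked).
    """
    responses, log, checked = ["+OK POP3 ready"], [], 0
    user = None
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
            responses.append("+OK")
        elif verb == "PASS" and user is not None:
            checked += 1
            if check(user, arg):
                responses.append("+OK maildrop ready")
                break  # mailbox commands are out of scope for this model
            if log_failures:
                log.append(f"auth failure user={user!r} peer={peer}")
            responses.append("-ERR authentication failed")
            user = None
            if close_on_failure:
                break  # connection ends: no further commands are accepted
        elif verb == "QUIT":
            responses.append("+OK bye")
            break
        else:
            responses.append("-ERR")
    return responses, log, checked

# Constructed input: three wrong passwords sent down a single connection.
GUESSES = ["USER alice", "PASS a", "USER alice", "PASS b", "USER alice", "PASS c"]
```

With `close_on_failure=False, log_failures=False` all three passwords are evaluated on one connection and nothing is recorded; with both set to `True` only the first is evaluated and one log entry names the account and peer.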