> You could put up a web page that implements and checks CAPTCHA, and > then, if successful, signs the user onto WebMail. You'll also need > to edit the WebMail login page to redirect to your new page with > CAPTCHA.
My view -- not responding directly to Darin here -- is that a user should not be forced to use CAPTCHA unless the account has *already* been locked for too many unsuccessful non-CAPTCHA attempts. In other words, you need a detection level (as Len describes), then an IP-based enforcement level as far as that can be used in practice, then a CAPTCHA-based enforcement level. I predict significant end-user opposition if a hosting provider suddenly forces all users, even those with strong passwords whose account names have not even been guessed, to jump through an additional hoop that they will see as unnecessary. If some accounts are continually under attack, then for those users you will in practice be requiring CAPTCHA at all times. --Sandy ------------------------------------ Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ To Unsubscribe: http://imailserver.com/support/discussion_list/ List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://imailserver.com/support/kb.html
