Good idea, Sandy. Log unsuccessful attempts through the custom login page, and require CAPTCHA after X unsuccessful attempts in Y minutes.
An alternative might be to lock accounts against webmail login instead of using CAPTCHA, again after X unsuccessful attempts in Y minutes... then unlock them after Z minutes. Darin. ----- Original Message ----- From: "Sanford Whiteman" <[EMAIL PROTECTED]> To: "Darin Cox" <[email protected]> Sent: Wednesday, October 01, 2008 4:15 PM Subject: Re[2]: [IMail Forum] WEBMAIL CAPCHA > You could put up a web page that implements and checks CAPTCHA, and > then, if successful, signs the user onto WebMail. You'll also need > to edit the WebMail login page to redirect to your new page with > CAPTCHA. My view -- not responding directly to Darin here -- is that a user should not be forced to use CAPTCHA unless the account has *already* been locked for too many unsuccessful non-CAPTCHA attempts. In other words, you need a detection level (as Len describes), then an IP-based enforcement level as far as that can be used in practice, then a CAPTCHA-based enforcement level. I predict significant end-user opposition if a hosting provider suddenly forces all users, even those with strong passwords whose account names have not even been guessed, to jump through an additional hoop that they will see as unnecessary. If some accounts are continually under attack, then for those users you will in practice be requiring CAPTCHA at all times. --Sandy ------------------------------------ Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/ Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases! http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/ http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/ To Unsubscribe: http://imailserver.com/support/discussion_list/ List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://imailserver.com/support/kb.html To Unsubscribe: http://imailserver.com/support/discussion_list/ List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://imailserver.com/support/kb.html
