You can't CAPTCHA an SMTP AUTH session, however. There's plenty of
account hacking going on straight through SMTP and POP3 (and maybe IMAP
also).
You should enforce strict passwords and also lock an account out after
so many attempts. There should also be an IP block on bad attempts from
any interface.
CAPTCHAs won't protect but a small piece of this.
Matt
Sanford Whiteman wrote:
You could put up a web page that implements and checks CAPTCHA, and
then, if successful, signs the user onto WebMail. You'll also need
to edit the WebMail login page to redirect to your new page with
CAPTCHA.
My view -- not responding directly to Darin here -- is that a user
should not be forced to use CAPTCHA unless the account has *already*
been locked for too many unsuccessful non-CAPTCHA attempts. In other
words, you need a detection level (as Len describes), then an IP-based
enforcement level as far as that can be used in practice, then a
CAPTCHA-based enforcement level. I predict significant end-user
opposition if a hosting provider suddenly forces all users, even those
with strong passwords whose account names have not even been guessed,
to jump through an additional hoop that they will see as unnecessary.
If some accounts are continually under attack, then for those users
you will in practice be requiring CAPTCHA at all times.
--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/
Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
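
The escalation discussed in this thread (failure counters shared by every interface, an IP block, an account lock, and a CAPTCHA only on the web login of an already-locked account), as an added example that is not part of the original posts or of IMail. The thresholds, time window, class name and action names are assumptions.

```python
from collections import defaultdict

# Assumed values: the thread names no thresholds or time window.
ACCOUNT_LOCK_AFTER, IP_BLOCK_AFTER, WINDOW = 5, 8, 600  # failures, failures, seconds

class AuthGuard:
    def __init__(self):
        self.by_account = defaultdict(list)  # account -> failure timestamps
        self.by_ip = defaultdict(list)       # source IP -> failure timestamps

    @staticmethod
    def _recent(stamps, now):
        return sum(1 for t in stamps if now - t < WINDOW)

    def decide(self, ts, proto, account, ip):
        """Action to take before the password is even checked."""
        if self._recent(self.by_ip[ip], ts) >= IP_BLOCK_AFTER:
            return "block_ip"
        if self._recent(self.by_account[account], ts) >= ACCOUNT_LOCK_AFTER:
            # Only the web login can show a CAPTCHA; SMTP/POP3/IMAP cannot.
            return "require_captcha" if proto == "web" else "deny_locked"
        return "allow"

    def record_failure(self, ts, account, ip):
        # One set of counters for every interface (SMTP, POP3, IMAP, web).
        self.by_account[account].append(ts)
        self.by_ip[ip].append(ts)

# Constructed sample: (time, interface, account, source IP, password_ok)
A, U = "203.0.113.7", "198.51.100.20"  # documentation-range addresses
SAMPLE_EVENTS = (
    [(t, "smtp", "alice", A, False) for t in range(5)]
    + [(5, "pop3", "alice", A, False), (6, "web", "alice", U, True),
       (7, "imap", "bob", U, True)]
    + [(t, "pop3", "carol", A, False) for t in (8, 9, 10)]
    + [(11, "smtp", "dave", A, False), (700, "web", "alice", U, True)]
)

def replay(events):
    guard, actions = AuthGuard(), []
    for ts, proto, account, ip, ok in events:
        action = guard.decide(ts, proto, account, ip)
        actions.append(action)
        if action == "allow" and not ok:
            guard.record_failure(ts, account, ip)
    return actions

if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", action)
```

In the sample, the locked account is refused on POP3 but offered a CAPTCHA on the web login, other accounts are untouched, and the lock lapses once the window has passed.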