Yes, the thing is that in our IMail Server 2006 we don't have any of these
options:

    enforce strict passwords
    disable account after z attempts
    CAPTCHA
    Measurement of the number of messages going out of or into an account in a
    user-configurable unit of time (it will be easy to detect a hijacked account
    with a robot sending 100s of mails in seconds; humanly it is not possible,
    software-wise it is).

 
_jorge
  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, October 01, 2008 2:28 PM
To: [email protected]
Subject: Re: [IMail Forum] WEBMAIL CAPCHA


You can't CAPTCHA an SMTP AUTH session, however.  There's plenty of account
hacking going on straight through SMTP and POP3 (and maybe IMAP also).

You should enforce strict passwords and also lock an account out after so
many attempts.  There should also be an IP block on bad attempts from any
interface.

CAPTCHAs won't protect but a small piece of this.

Matt



Sanford Whiteman wrote:

You could put up a web page that implements and checks CAPTCHA, and
then, if successful, signs the user onto WebMail. You'll also need
to edit the WebMail login page to redirect to your new page with
CAPTCHA.

My view -- not responding directly to Darin here -- is that a user
should not be forced to use CAPTCHA unless the account has *already*
been locked for too many unsuccessful non-CAPTCHA attempts. In other
words, you need a detection level (as Len describes), then an IP-based
enforcement level as far as that can be used in practice, then a
CAPTCHA-based enforcement level. I predict significant end-user
opposition if a hosting provider suddenly forces all users, even those
with strong passwords whose account names have not even been guessed,
to jump through an additional hoop that they will see as unnecessary.

If some accounts are continually under attack, then for those users
you will in practice be requiring CAPTCHA at all times.

--Sandy







------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/





To Unsubscribe: http://imailserver.com/support/discussion_list/

List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Knowledge Base/FAQ: http://imailserver.com/support/kb.html
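
The layering discussed in this thread (failure detection, then an IP block, then CAPTCHA only for accounts that are already locked, with SMTP AUTH/POP3/IMAP unable to show a CAPTCHA) can be sketched as follows. This is an added example, not part of any message above and not IMail code; the thresholds, the class and function names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

ACCOUNT_LOCK_AFTER = 5   # assumed: failures in the window before an account locks
IP_BLOCK_AFTER = 10      # assumed: failures in the window before a source IP is blocked
WINDOW = 600             # assumed: sliding window in seconds

class AuthPolicy:
    """Detection level -> IP-based enforcement -> CAPTCHA only when already locked."""
    def __init__(self):
        self.by_account = defaultdict(deque)  # account -> failure timestamps
        self.by_ip = defaultdict(deque)       # source IP -> failure timestamps

    @staticmethod
    def _recent(q, now):
        while q and now - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        return len(q)

    def record_failure(self, account, ip, now):
        # Webmail, SMTP AUTH, POP3 and IMAP failures all feed the same counters.
        self.by_account[account].append(now)
        self.by_ip[ip].append(now)

    def decide(self, account, ip, interface, now):
        """Return 'deny', 'captcha' or 'allow' for a new login attempt."""
        if self._recent(self.by_ip[ip], now) >= IP_BLOCK_AFTER:
            return "deny"                     # IP block applies on every interface
        if self._recent(self.by_account[account], now) >= ACCOUNT_LOCK_AFTER:
            # Only webmail can present a CAPTCHA; other protocols stay locked.
            return "captcha" if interface == "webmail" else "deny"
        return "allow"                        # accounts not under attack see no extra step

def replay(events):
    """Replay (time, account, ip, interface, password_ok) tuples; return the verdicts."""
    policy, out = AuthPolicy(), []
    for now, account, ip, interface, ok in events:
        verdict = policy.decide(account, ip, interface, now)
        if verdict == "allow" and not ok:     # only attempts that reached the password check count
            policy.record_failure(account, ip, now)
        out.append(verdict)
    return out

# Constructed sample: six bad SMTP AUTH guesses against alice, then two real users.
SAMPLE = [(t, "alice", "203.0.113.7", "smtp", False) for t in range(6)] + [
    (10, "alice", "198.51.100.20", "webmail", True),
    (11, "bob", "198.51.100.21", "webmail", True),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```
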



  
